[pacman-dev] [PATCH 0/5][RFC] Die delta, die!
foxboron at archlinux.org
Thu Oct 17 14:59:00 UTC 2019
On Sat, Mar 02, 2019 at 08:19:11PM +1000, Allan McRae wrote:
> Deltas are broken. So much so that I would strongly recommend never
> using a delta from a repo that you did not generate yourself. In short,
> we call "system(command)", with a command that includes the name of
> a delta file, and the name of the package file before and after applying
> the delta. The names of the delta and the package files are controlled by
> the information in the repo, and could contain a malicious command to be
> run as root.
>
> We could possibly work around this, but it is a very risky piece of code
> and I believe it would be very hard to fully secure. Instead, I propose
> to remove delta support completely.
This issue was assigned CVE-2019-18183.
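The pattern Allan describes, as an added example that is not pacman's code: a shell command built by string concatenation from repo-supplied file names, beside an argv-based replacement that never touches a shell and allow-lists the names first. The `xdelta3` invocation, the validator and its character set are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative stand-in for the old string-built command (assumption, not
 * pacman's source). The names come straight from the repo database, so any
 * character the shell interprets in them becomes part of the command line.
 * Only builds the string; nothing here ever hands it to system(). */
int build_delta_cmd_unsafe(char *buf, size_t len,
                           const char *delta, const char *from, const char *to)
{
    return snprintf(buf, len, "xdelta3 -d -q -s %s %s %s", from, delta, to);
}

/* Allow-list check: accept only characters that package and delta file
 * names legitimately use; reject empty names and path separators. */
int delta_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("._+-@:", c) == NULL)
            return 0;
    }
    return 1;
}

/* Hardened form: validate, then exec with an argument vector. Without a
 * shell there is nothing to inject into. Returns the child's exit status,
 * or -1 when a name fails validation or the process cannot be run. */
int apply_delta_argv(const char *delta, const char *from, const char *to)
{
    if (!delta_name_is_safe(delta) || !delta_name_is_safe(from) ||
        !delta_name_is_safe(to))
        return -1;
    const char *argv[] = { "xdelta3", "-d", "-q", "-s", from, delta, to, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```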