Bug#737160: [uupdate] symlink directory traversal
Jakub Wilk
jwilk at debian.org
Mon Apr 28 11:47:06 UTC 2014
* Jakub Wilk <jwilk at debian.org>, 2014-02-23, 12:11:
>Perhaps a more viable way would be to construct a temporary new source
>package, and let dpkg-source deal with all the corner cases of
>unpacking it?
Now I realized that this won't work, because dpkg-source insists that
patches apply without fuzz.
So here's a different strategy, similar to what tar(1) implements to
defend against symlink attacks:
1) Unpack .orig.tar.
2) Delete all symlinks (and maybe also other non-regular files).
3) Apply the diff.
4) Restore all the files deleted in step 2.
--
Jakub Wilk
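The four-step strategy above, as an added POSIX sh example that is not code from the bug report or from devscripts. The function names, the tab-separated manifest format and the use of find, readlink and ln are assumptions of this example; the apply step is passed in as a command (for instance `patch -p1 -i ../pkg.diff`).

```shell
quarantine_symlinks() {
    # Step 2: record each symlink under $1 as "path<TAB>target" in the
    # manifest $2, then delete it. find does not follow links, so symlinks
    # to directories (the traversal case) are caught as well.
    # Assumption: no path in the tree contains a newline.
    : > "$2"
    find "$1" -type l | while IFS= read -r link; do
        printf '%s\t%s\n' "$link" "$(readlink "$link")" >> "$2"
        rm -f "$link"
    done
}

restore_symlinks() {
    # Step 4: recreate the recorded links. If the diff turned a former link
    # path into a real file or directory, keep the diff's version and report
    # the conflict rather than silently replacing it with the old link.
    tab=$(printf '\t')
    while IFS="$tab" read -r link target; do
        if [ -e "$link" ] || [ -L "$link" ]; then
            printf 'conflict: %s was a symlink, is now a real path; not restored\n' "$link" >&2
        else
            ln -s "$target" "$link"
        fi
    done < "$1"
}

apply_with_quarantine() {
    # Steps 2-4 around an arbitrary apply step (step 3):
    #   apply_with_quarantine DIR CMD ARGS...
    # The manifest lives outside DIR so the diff cannot touch it.
    # Returns the exit status of CMD.
    dir=$1; shift
    manifest=$(mktemp)
    quarantine_symlinks "$dir" "$manifest"
    if (cd "$dir" && "$@"); then status=0; else status=$?; fi
    restore_symlinks "$manifest"
    rm -f "$manifest"
    return "$status"
}
```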