| Summary: | xpak code allows arbitrary writing to the file system | | |
|---|---|---|---|
| Product: | Portage Development | Reporter: | Brian Harring (RETIRED) <ferringb> |
| Component: | Binary packages support | Assignee: | Portage team <dev-portage> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | a3li |
| Priority: | Normal | Keywords: | InVCS |
| Version: | 2.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=blob;f=pym/portage/xpak.py;h=b507243c4e8da10880a2af0bf1d6f025af05e615;hb=refs/heads/master | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 402213 | | |
Description
Brian Harring (RETIRED)
2012-02-11 10:53:52 UTC
(In reply to comment #0)
> Considering pkg_pretend is run for arbitrary remote binpkgs, there already are
> some holes here; pretty sure in a quick glance through the binpkg hash code
> that also looks like it's got holes in it.

Yeah, can't see a point in making this a non-public bug when it's common knowledge that a binpkg contains executable content that poses a security threat if it's compromised somehow. Obviously, we'd have to sign the hashes in order to head off MITM attacks.

This is fixed in git:
http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=b3cfb2065ccbeb8f769d630ff997c0327fb2eb35

This is fixed in 2.1.10.46 and 2.2.0_alpha86.
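The bug page states only that the xpak code allows arbitrary writes to the file system and links the fix; it does not describe the mechanism. The block below is an added example, not portage's own xpak.py and not the linked commit. It assumes the write primitive is the usual one for archive unpackers: an entry name from the xpak index (e.g. `../escape.txt` or an absolute path) being joined onto the destination directory and written without checking that the result still lies under that directory. The container layout used here is the xpak layout portage implements (`XPAKPACK`, two big-endian lengths, index, data, `XPAKSTOP`; index entries are `name_len`, `name`, `data_offset`, `data_len`; a `.tbz2` ends with the xpak blob, a 4-byte xpak length and `STOP`). `build_xpak`, the `SAMPLE_ENTRIES` dict and the entry names in it are constructed test data for this example.

```python
import os
import struct
import tempfile

# xpak container, as produced/consumed by portage's xpak.py:
#   b"XPAKPACK" + index_len(4, BE) + data_len(4, BE) + index + data + b"XPAKSTOP"
# index entry: name_len(4, BE) + name + data_offset(4, BE) + data_len(4, BE)
# A .tbz2 is: tar.bz2 payload + xpak blob + xpak_len(4, BE) + b"STOP"

# Constructed sample metadata; the last three names are hostile.
SAMPLE_ENTRIES = {
    "CATEGORY": b"sys-apps\n",
    "PF": b"example-1.0\n",
    "../escape.txt": b"written outside dest\n",
    "/etc/profile.d/evil.sh": b"echo pwned\n",
    "ok/../../escape2.txt": b"x",
}


def build_xpak(entries):
    """Pack {name: payload} into an xpak blob (test helper, not portage's packer)."""
    index = b""
    data = b""
    for name, payload in entries.items():
        nb = name.encode("utf-8")
        index += struct.pack(">I", len(nb)) + nb
        index += struct.pack(">II", len(data), len(payload))
        data += payload
    return (b"XPAKPACK" + struct.pack(">II", len(index), len(data))
            + index + data + b"XPAKSTOP")


def xpak_from_tbz2(buf):
    """Return the xpak blob from the trailer of a .tbz2 buffer."""
    if buf[-4:] != b"STOP":
        raise ValueError("missing STOP trailer")
    (xpak_len,) = struct.unpack(">I", buf[-8:-4])
    if xpak_len + 8 > len(buf):
        raise ValueError("xpak length exceeds file size")
    return buf[-8 - xpak_len:-8]


def parse_xpak(blob):
    """Return [(name, payload), ...]; every offset is bounds-checked."""
    if blob[:8] != b"XPAKPACK" or blob[-8:] != b"XPAKSTOP":
        raise ValueError("not an xpak blob")
    index_len, data_len = struct.unpack(">II", blob[8:16])
    index = blob[16:16 + index_len]
    data = blob[16 + index_len:16 + index_len + data_len]
    if len(index) != index_len or len(data) != data_len:
        raise ValueError("truncated xpak blob")
    entries = []
    pos = 0
    while pos + 12 <= len(index):
        (name_len,) = struct.unpack(">I", index[pos:pos + 4])
        if pos + 12 + name_len > len(index):
            raise ValueError("index entry runs past index segment")
        name = index[pos + 4:pos + 4 + name_len].decode("utf-8", "surrogateescape")
        off, ln = struct.unpack(">II", index[pos + 4 + name_len:pos + 12 + name_len])
        if off + ln > len(data):
            raise ValueError("entry %r points outside data segment" % name)
        entries.append((name, data[off:off + ln]))
        pos += 12 + name_len
    return entries


def unpack_xpak(blob, dest):
    """Write entries under dest; names that resolve outside dest are skipped.

    Returns (written_names, rejected_names)."""
    dest = os.path.realpath(dest)
    written, rejected = [], []
    for name, payload in parse_xpak(blob):
        # os.path.join discards dest for absolute names; realpath collapses "..".
        # Either way the result must still start with "<dest>/".
        target = os.path.realpath(os.path.join(dest, name))
        if not target.startswith(dest + os.sep):
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(payload)
        written.append(name)
    return written, rejected


def demo():
    """Round-trip the sample through a fake .tbz2 and unpack it into a temp dir."""
    xpak = build_xpak(SAMPLE_ENTRIES)
    tbz2 = b"<tar.bz2 payload>" + xpak + struct.pack(">I", len(xpak)) + b"STOP"
    dest = tempfile.mkdtemp(prefix="xpak-demo-")
    written, rejected = unpack_xpak(xpak_from_tbz2(tbz2), dest)
    with open(os.path.join(dest, "CATEGORY"), "rb") as f:
        category = f.read()
    escaped = os.path.exists(os.path.join(dest, os.pardir, "escape.txt"))
    return written, rejected, category, escaped


if __name__ == "__main__":
    print(demo())
```

The check is done on the fully resolved path rather than on the raw name, so `ok/../../escape2.txt` is caught even though no single component is `..` at the top level, and an absolute name is rejected because `os.path.join` drops `dest` entirely in that case. Rejecting rather than stripping hostile names is deliberate: a binpkg whose metadata contains such names is not one you want to install.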