| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ma8btn$t01$2@ger.gmane.org> Date: Tue, 27 Jan 2015 15:47:04 +0000 (UTC) From: Andreas Gruenbacher <agruen@....org> To: linux-kernel@...r.kernel.org Cc: git@...r.kernel.org Subject: Re: patch-2.7.3 no longer applies relative symbolic link patches On Mon, 26 Jan 2015 13:50:10 -0800, Linus Torvalds wrote: > On Mon, Jan 26, 2015 at 1:35 PM, Junio C Hamano <gitster@...ox.com> > wrote: >> >> What is your take on CVE-2015-1196, which brought this /regression/ to >> GNU patch? >> If "git apply" get /fixed/ for that same CVE, would that /break/ your >> fix? > > I _think_ we allow arbitrary symlinks to be created, but then we should > be careful about actually _following_ them. I would prefer to allow arbitrary symlinks even in GNU patch, but patch still must not be allowed to leave the working directory. The only way to achieve that I can think of is to implement path traversal in user space, which is not so easy to do correctly and efficiently. I think file system modifications from "outside" are not much of a concern. Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists