[Bug 233967] New: YaST YOU: unsafe treatment of filenames (e.g. containing spaces)
https://bugzilla.novell.com/show_bug.cgi?id=233967

           Summary: YaST YOU: unsafe treatment of filenames (e.g. containing spaces)
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: YaST2
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: Ulrich.Windl@rz.uni-regensburg.de
         QAContact: jsrain@novell.com

When trying to do an Online Update from a previously registered directory source, no update could be installed. Furthermore, even though no update had been installed, in a second attempt to install the updates, all updates were skipped, maybe due to inconsistent views regarding what's installed and what's not.

Here are some details: Updates were on a DVD with the Volume Label "SUSE Linux 10.1 Patch DVD" inside a directory "SL10.2-i386". Thus the path registered was "/media/SUSE Linux 10.1 Patch DVD/SL10.2-i386". What YaST did is this:

  Executing 'rpm' '--root' '/' '--dbpath' '/var/lib/rpm' '-U' '--percent' '--' '/media/SUSE Linux 10.1 Patch DVD/SL10.2-i386/rpm/i586/openssl-0.9.8d-17.2.i586.rpm'

Naturally the result was like this:

  Subprocess failed. Error: RPM failed: error: open of /media/SUSE failed: No such file or directory
  error: open of Linux failed: No such file or directory
  error: open of 10.1 failed: No such file or directory
  error: open of Patch failed: No such file or directory
  error: open of DVD/SL10.2-i386/rpm/i586/openssl-0.9.8d-17.2.i586.rpm failed: No such file or directory

Despite that updates work unreliably that way, it may also be a security problem when considering paths like "/my foo dir/ echo>/etc/passwd more_stuff.rpm".

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
meissner@novell.com changed:

What       |Removed                                  |Added
-----------+-----------------------------------------+-------------------
AssignedTo |bnc-team-screening@forge.provo.novell.com|kkaempf@novell.com
Component  |YaST2                                    |libzypp
QAContact  |jsrain@novell.com                        |kkaempf@novell.com

------- Comment #1 from meissner@novell.com 2007-01-12 02:25 MST -------
libzypp problem i guess
kkaempf@novell.com changed:

What       |Removed            |Added
-----------+-------------------+---------------------------------
CC         |                   |aj@novell.com, visnov@novell.com
AssignedTo |kkaempf@novell.com |ma@novell.com
QAContact  |kkaempf@novell.com |visnov@novell.com

------- Comment #2 from kkaempf@novell.com 2007-01-12 03:33 MST -------
RPM backend probably needs more/proper quoting
ma@novell.com changed:

What       |Removed        |Added
-----------+---------------+---------------
AssignedTo |ma@novell.com  |mls@novell.com

------- Comment #3 from ma@novell.com 2007-01-15 04:23 MST -------
IMO it's rpm related:

  # rpm -Uvh WITH\ BLANK/test-1.0-0.intern.x86_64.rpm
  error: open of WITH failed: No such file or directory
  error: open of BLANK/test-1.0-0.intern.x86_64.rpm failed: No such file or directory
  # rpm -Uvh 'WITH BLANK/test-1.0-0.intern.x86_64.rpm'
  error: open of WITH failed: No such file or directory
  error: open of BLANK/test-1.0-0.intern.x86_64.rpm failed: No such file or directory

These forms should work.
mls@novell.com changed:

What       |Removed        |Added
-----------+---------------+---------------
AssignedTo |mls@novell.com |ma@novell.com

------- Comment #4 from mls@novell.com 2007-01-15 04:35 MST -------
But they don't, and I won't make such an incompatible change. You need additional quoting.
ma@novell.com changed:

What       |Removed  |Added
-----------+---------+---------
Status     |NEW      |RESOLVED
Resolution |         |FIXED

------- Comment #5 from ma@novell.com 2007-01-15 05:44 MST -------
fixed in libzypp-2.12.1
------- Comment #6 from Ulrich.Windl@rz.uni-regensburg.de 2007-01-16 03:25 MST -------
(In reply to comment #3)
> IMO it's rpm related:

RPM must have a very strange command line parser: I verified that processing is done in the C program. However these names don't work (are treated as two arguments):

  file\ space.rpm
  "file space.rpm"
  'file space.rpm'

This works:

  'file\ space.rpm'
  "file\ space.rpm"

Maybe reassign to component base system with a new description. Problem should be fixed in RPM with quite high priority.
------- Comment #7 from Ulrich.Windl@rz.uni-regensburg.de 2007-01-16 03:35 MST -------
(In reply to comment #5)
> fixed in libzypp-2.12.1

Did you verify (despite that it's a good idea to quote the filenames) that this fixes the problem? See comment #6.
------- Comment #8 from ma@novell.com 2007-01-18 06:57 MST -------
(In reply to comment #6)
> This works: 'file\ space.rpm'

That's the libzypp fix.

> Maybe reassign to component base system with a new description. Problem should be fixed in RPM with quite high priority.

See comment #4. I assigned it to mls because it should be fixed in RPM, but it won't.
andreas.hanke@gmx-topmail.de changed:

What       |Removed  |Added
-----------+---------+-----------------------------
CC         |         |andreas.hanke@gmx-topmail.de

------- Comment #9 from andreas.hanke@gmx-topmail.de 2007-01-18 07:13 MST -------
See also: Bug 181275

This behaviour of rpm is a feature, double-quoting is the correct solution. rpm expects the user to do that.
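The thread's conclusion (comments #3, #6 and #9) is that rpm re-splits each file argument it receives on whitespace, popt-style, so the caller must escape such characters itself; the form comment #6 reports as working is a backslash before each space ('file\ space.rpm'). The Python below is an added illustration, not code from this bug report or from libzypp's actual fix: it escapes a path that way and then checks, using shlex.split as an assumed stand-in for rpm's internal argument parser, that the escaped path survives re-tokenization as exactly one argument while the raw path fragments into several (five for the reporter's DVD path, matching the five "open of ... failed" errors in the report).

```python
import shlex

# Characters a popt-style argument parser treats as separators or quoting.
# Assumption: rpm re-tokenizes each file argument roughly this way; comments
# #3 and #6 show 'file\ space.rpm' surviving while 'file space.rpm' is split.
_SPECIAL = set(' \t\n\r\'"\\')


def rpm_escape_path(path: str) -> str:
    """Backslash-escape whitespace, quotes and backslashes so rpm keeps the
    path as one file argument (the form comment #6 reports as working)."""
    return ''.join('\\' + c if c in _SPECIAL else c for c in path)


def popt_like_split(arg: str):
    """Model of rpm's internal re-splitting of a single argv element.
    Assumption: shlex.split in POSIX mode (whitespace separation, quotes,
    backslash escapes) is close enough to popt's parser for this check.
    Returns None when the parser rejects the input (e.g. an unbalanced quote)."""
    try:
        return shlex.split(arg)
    except ValueError:
        return None


def survives_as_single_arg(path: str) -> bool:
    """True if the escaped path re-tokenizes to exactly the original path."""
    return popt_like_split(rpm_escape_path(path)) == [path]


# Constructed sample inputs: the path from the report, the reporter's
# worrying example, a plain path, and one containing quotes and a backslash.
SAMPLES = [
    "/media/SUSE Linux 10.1 Patch DVD/SL10.2-i386/rpm/i586/openssl-0.9.8d-17.2.i586.rpm",
    "/my foo dir/ echo>/etc/passwd more_stuff.rpm",
    "/plain/path/pkg.rpm",
    '/odd/name "quoted" \\back.rpm',
]


def check_all():
    """Map each sample path to (number of tokens the raw path splits into,
    whether the escaped path survives as a single argument)."""
    results = {}
    for path in SAMPLES:
        raw = popt_like_split(path)
        raw_count = None if raw is None else len(raw)
        results[path] = (raw_count, survives_as_single_arg(path))
    return results


if __name__ == "__main__":
    for path, (raw_count, ok) in check_all().items():
        print(f"{raw_count!s:>4} raw token(s); escaped survives: {ok}  {path}")
```

The escaper adds only backslashes and no surrounding quotes, so it composes with whatever the caller already does for the shell: libzypp in the report passes argv directly (no shell), so the backslash-escaped string is the single argv element rpm then re-parses.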
------- Comment #10 from ast@novell.com 2007-01-22 02:35 MST -------
released