-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael Andres wrote:
On Monday 17 November 2008 14:43:44 Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@svn.opensuse.org wrote:
--- trunk/zypper/src/Zypper.cc (original) +++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008 @@ -3092,6 +3092,12 @@ repo.setAlias(TMP_RPM_REPO_ALIAS); repo.setName(_("Plain RPM files cache")); repo.setKeepPackages(false); + // empty packages path would cause unwanted removal of installed rpms + // in current working directory (bnc #444897) + // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo URI) + // causes cp file thesamefile, which fails silently. This may be worth + // fixing in libzypp. + repo.setPackagesPath("/tmp/zypper"); Is /tmp/zypper safe (security wise)?
Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue? If yes, i can change it to a TmpDir existing during lifetime of zypper.
Why such zypper special a hack, insted of fixing it?
Zypper install local.rpm is using a temporary plaindir repo created and added to RepoManager on-the-fly. That's why it has an empty packagesPath by default and that's why the bug (it's #445504, not 444897, sorry). So my first thought was to set it to /var/cache/zypper/RPMS (the path of the tmp _repo_), but then i realized the problem with 'cp file thesamefile'. I did not fix it, because you'll never have such setup unless you really want to. So i just set another packagesPath in zypper. - -- cheers, jano Ján Kupec YaST team - ---------------------------------------------------------(PGP)--- Key ID: 637EE901 Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901 - ----------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAkkhmD4ACgkQgEhGpmN+6QGPxgCfavJ2f85oRj+Vxq4Y4e+AIqO+ pmAAn0SYYMwg6HucQFxU1mUgoApuge1+ =yidB -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org For additional commands, e-mail: zypp-devel+help@opensuse.org