Mailinglist Archive: zypp-devel (59 mails)

Re: [zypp-devel] Re: [zypp-commit] r11689 - /trunk/zypper/src/Zypper.cc
  • From: Jan Kupec <jkupec@xxxxxxx>
  • Date: Mon, 17 Nov 2008 17:13:50 +0100
  • Message-id: <4921983E.6070006@xxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Andres wrote:
On Monday 17 November 2008 14:43:44 Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@xxxxxxxxxxxxxxxx wrote:
--- trunk/zypper/src/Zypper.cc (original)
+++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008
@@ -3092,6 +3092,12 @@
repo.setAlias(TMP_RPM_REPO_ALIAS);
repo.setName(_("Plain RPM files cache"));
repo.setKeepPackages(false);
+ // empty packages path would cause unwanted removal of installed
rpms + // in current working directory (bnc #444897)
+ // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo
URI) + // causes cp file thesamefile, which fails silently. This may
be worth + // fixing in libzypp.
+ repo.setPackagesPath("/tmp/zypper");
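Review bot: the fixed, predictable path in `repo.setPackagesPath("/tmp/zypper")` sits in a world-writable directory, and the comment right above it says any same-named file there is overwritten before the rpm is installed, so a directory or symlink that another local user pre-creates at that name is a real hazard, not a theoretical one; prefer a per-run directory created with restrictive permissions that lives only as long as the zypper process (the TmpDir approach mentioned later in this thread), or a subdirectory of the existing /var/cache/zypper tree, and have the copy refuse a pre-existing target rather than overwrite it. Separately, the comment cites bnc #444897 while the reply below says the bug is #445504; correct the reference in the comment so the wrong number does not outlive the thread.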
Is /tmp/zypper safe (security wise)?

Should be. The packagesPath dir is only used to copy the .rpm file from
repo; any file with the same name is overwritten, then the rpm is
installed & removed. An attacker would need to put a malicious rpm in
place of the original very quickly. Is that an issue? If yes, I can
change it to a TmpDir existing during lifetime of zypper.

Why such a zypper-special hack, instead of fixing it?

Zypper install local.rpm is using a temporary plaindir repo created and
added to RepoManager on-the-fly. That's why it has an empty packagesPath
by default and that's where the bug comes from (it's #445504, not 444897, sorry). So
my first thought was to set it to /var/cache/zypper/RPMS (the path of
the tmp _repo_), but then I realized the problem with 'cp file
thesamefile'. I did not fix it, because you'll never have such setup
unless you really want to. So I just set another packagesPath in zypper.

- --
cheers,
jano


Ján Kupec
YaST team
- ---------------------------------------------------------(PGP)---
Key ID: 637EE901
Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAkkhmD4ACgkQgEhGpmN+6QGPxgCfavJ2f85oRj+Vxq4Y4e+AIqO+
pmAAn0SYYMwg6HucQFxU1mUgoApuge1+
=yidB
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: zypp-devel+help@xxxxxxxxxxxx
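The alternative Jan mentions (a private temporary directory for the lifetime of the process instead of a fixed path under /tmp), as an added example that is not zypper or libzypp code: the helpers isPrivateDir, makePrivateDir, stageFile and runDemo are hypothetical names chosen here, the "local.rpm" is a constructed dummy file rather than a real package, and the planted symlink stands in for another local user who created the predictable path first. It also goes one step beyond the thread by refusing to overwrite an existing target (O_CREAT|O_EXCL|O_NOFOLLOW) instead of overwriting "any file with the same name".

```cpp
// Added example, not zypper/libzypp code: stage a local .rpm in a private,
// per-process directory instead of a fixed, predictable /tmp/zypper.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Reject a staging directory somebody else could have planted at a known
// path: it must be a real directory (not a symlink), owned by the
// effective uid, and not writable by group or others.
bool isPrivateDir(const std::string& path) {
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    if (!S_ISDIR(st.st_mode)) return false;              // symlink or file
    if (st.st_uid != geteuid()) return false;             // foreign owner
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return false;   // others can write
    return true;
}

// Hypothetical helper: create a fresh, randomly named 0700 directory under
// `base` (the "TmpDir existing during lifetime of zypper" alternative).
std::string makePrivateDir(const std::string& base) {
    std::string tmpl = base + "/zypper-XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    if (mkdtemp(buf.data()) == nullptr) return "";
    return std::string(buf.data());
}

// Copy `src` into `dir` as `name`. O_CREAT|O_EXCL|O_NOFOLLOW refuses to write
// through a pre-existing file or symlink, so "any file with the same name is
// overwritten" becomes "a pre-existing file aborts the copy".
bool stageFile(const std::string& src, const std::string& dir,
               const std::string& name) {
    if (!isPrivateDir(dir)) return false;
    int in = open(src.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (in < 0) return false;
    std::string dst = dir + "/" + name;
    int out = open(dst.c_str(),
                   O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) { close(in); return false; }
    char buf[65536];
    ssize_t n = 0;
    bool ok = true;
    while (ok && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { ok = false; break; }
            off += w;
        }
    }
    if (n < 0) ok = false;
    close(in);
    close(out);
    if (!ok) unlink(dst.c_str());
    return ok;
}

struct DemoResult {
    bool plantedRejected;   // symlink at the predictable name is refused
    bool privateAccepted;   // mkdtemp directory passes the checks
    bool firstCopyOk;       // the .rpm is staged once
    bool secondCopyRefused; // a second copy to the same name is refused
};

// Walk through the scenario from the thread with constructed input: a dummy
// "local.rpm" (just bytes, not a real package) and a planted symlink at the
// predictable path. Everything lives in a scratch directory that is removed.
DemoResult runDemo() {
    DemoResult r = {false, false, false, false};
    const char* tmp = getenv("TMPDIR");
    std::string base = makePrivateDir(tmp ? tmp : "/tmp");
    if (base.empty()) return r;

    std::string src = base + "/local.rpm";           // constructed sample input
    if (FILE* f = fopen(src.c_str(), "wb")) { fputs("not a real rpm\n", f); fclose(f); }

    std::string planted = base + "/zypper";          // the fixed-name hazard
    symlink("/", planted.c_str());                   // someone got there first
    r.plantedRejected = !isPrivateDir(planted);

    std::string priv = makePrivateDir(base);
    r.privateAccepted = !priv.empty() && isPrivateDir(priv);
    r.firstCopyOk = stageFile(src, priv, "local.rpm");
    r.secondCopyRefused = !stageFile(src, priv, "local.rpm");

    unlink((priv + "/local.rpm").c_str());           // tidy the scratch tree
    rmdir(priv.c_str());
    unlink(planted.c_str());
    unlink(src.c_str());
    rmdir(base.c_str());
    return r;
}

int main() {
    DemoResult r = runDemo();
    printf("planted rejected: %d\nprivate accepted: %d\nfirst copy: %d\nsecond refused: %d\n",
           r.plantedRejected, r.privateAccepted, r.firstCopyOk, r.secondCopyRefused);
    return (r.plantedRejected && r.privateAccepted && r.firstCopyOk && r.secondCopyRefused) ? 0 : 1;
}
```

Compile with `g++ -Wall stage_rpm.cpp -o stage_rpm` and run it; all four lines should print 1. The point of the ownership and mode checks is that a directory name alone proves nothing when the parent is world-writable: the mkdtemp-created directory is accepted because it is ours and 0700, while the symlink at the predictable name is refused before any file is copied into it.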
