Mailinglist Archive: zypp-devel (59 mails)

Re: [zypp-devel] Re: [zypp-commit] r11689 - /trunk/zypper/src/Zypper.cc
  • From: Jan Kupec <jkupec@xxxxxxx>
  • Date: Mon, 17 Nov 2008 17:33:19 +0100
  • Message-id: <49219CCF.1060205@xxxxxxx>

Michael Schroeder wrote:
> On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
>> Should be. The packagesPath dir is only used to copy the .rpm file from
>> repo; any file with the same name is overwritten, then the rpm is
>> installed & removed. An attacker would need to put a malicious rpm in
>> place of the original very quickly. Is that an issue?
>
> I think so, there exist lots of attacks which exploit exactly such
> races.
>
>> If yes, I can
>> change it to a TmpDir existing during lifetime of zypper.
>
> Please do.

OK, done.

--
cheers,
jano


Ján Kupec
YaST team
---------------------------------------------------------(PGP)---
Key ID: 637EE901
Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901
-----------------------------------------------------------------
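
The change agreed in this message (a temporary directory that belongs to the process, instead of a fixed packagesPath where a same-named file is overwritten) can be sketched as follows. This is an added example, not zypper's code and not libzypp's TmpDir class; the helper names, the path prefix and the file name are assumptions made for illustration.

```cpp
// Added example: private scratch directory instead of a predictable shared path.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Create a directory with an unpredictable name and mode 0700 (mkdtemp does both).
// Returns the path, or an empty string on failure.
std::string make_private_dir(const std::string& prefix) {
    std::string tmpl = prefix + "XXXXXX";
    return mkdtemp(&tmpl[0]) ? tmpl : std::string();
}

// True only if 'dir' is a real directory (not a symlink), owned by us,
// with no group/other permission bits: nobody else can plant files in it.
bool dir_is_private(const std::string& dir) {
    struct stat st;
    if (lstat(dir.c_str(), &st) != 0) return false;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

// Create the destination for the copied package. O_EXCL fails with EEXIST if
// anything (file or symlink) already sits at that name, rather than overwriting
// it; O_NOFOLLOW refuses a symlink in the final path component.
int create_exclusive(const std::string& dir, const std::string& name) {
    std::string path = dir + "/" + name;
    return open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main() {
    std::string dir = make_private_dir("/tmp/scratch-example-");  // constructed prefix
    if (dir.empty() || !dir_is_private(dir)) { perror("private dir"); return 1; }
    int fd = create_exclusive(dir, "package.rpm");                // constructed name
    if (fd < 0) { perror("create"); return 1; }
    // ... copy the package through fd, then hand the path to the installer ...
    close(fd);
    // A second creation at the same name is refused instead of overwriting.
    int again = create_exclusive(dir, "package.rpm");
    std::printf("second create: %s\n", again < 0 && errno == EEXIST ? "refused" : "allowed");
    unlink((dir + "/package.rpm").c_str());
    rmdir(dir.c_str());
    return 0;
}
```
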