Mailinglist Archive: zypp-devel (59 mails)

[Jan Kupec <jkupec@xxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Schroeder wrote:
> On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
> > Should be. The packagesPath dir is only used to copy the .rpm file from
> > repo; any file with the same name is overwritten, then the rpm is
> > installed & removed. An attacker would need to put a malicious rpm in
> > place of the original very quickly. Is that an issue?
>
> I think so, there exists lots of attacks which exploit exaclty such
> races.
>
> > If yes, i can
> > change it to a TmpDir existing during lifetime of zypper.
>
> Please do.

OK, done.

- --
cheers,
jano


 Ján Kupec
 YaST team
- ---------------------------------------------------------(PGP)---
 Key ID: 637EE901
 Fingerprint: 93B9 C79B 2D20 51C3 800B  E09B 8048 46A6 637E E901
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAkkhnM8ACgkQgEhGpmN+6QFIswCfb+WxaL5GA3ENe/Taxe5xos2t
wv8An3BEBHrNwyVvbU4lofs8ZNxROBvo
=tJoO
-----END PGP SIGNATURE-----
-- 
To unsubscribe, e-mail: zypp-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: zypp-devel+help@xxxxxxxxxxxx