[Bug 214333] New: galago sharp downloads untrusted tarball from website
https://bugzilla.novell.com/show_bug.cgi?id=214333

           Summary: galago sharp downloads untrusted tarball from website
           Product: openSUSE 10.2
           Version: Alpha 5 plus
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: GNOME
        AssignedTo: bnc-team-gnome@forge.provo.novell.com
        ReportedBy: dmueller@novell.com
         QAContact: qa@suse.de

The download is not verified during build. Either fix that or ship a well-known
working copy of it.

get-from-tarball:
	if test ! -d libgalago; then \
		if test ! -f $(TARBALL_NAME); then \
			wget $(TARBALL_URL)/$(TARBALL_NAME); \
		fi; \
		tar -xjvf $(TARBALL_NAME); \
		mv $(TARBALL_DIR) libgalago; \
		rm -f $(TARBALL_NAME); \
	fi

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=214333

dmueller@novell.com changed:

                    What|Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |214338

https://bugzilla.novell.com/show_bug.cgi?id=214333

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Normal                      |Critical

https://bugzilla.novell.com/show_bug.cgi?id=214333

jpr@novell.com changed:

           What    |Removed                               |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-gnome@forge.provo.novell.com |jhargadon@novell.com

------- Comment #2 from jpr@novell.com 2006-10-23 09:22 MST -------
Yikes, that's brutal. Joe, please patch to not allow this and to pull the
libgalago tarball internally.

https://bugzilla.novell.com/show_bug.cgi?id=214333

------- Comment #3 from jhargadon@novell.com 2006-10-23 10:54 MST -------
I have added the libgalago tarball to the package and changed the specfile to
apply the source. Now when the test "if test ! -d libgalago" occurs the
libgalago directory exists, so the wget is never performed. Is this sufficient,
or do I need to completely remove the wget code altogether?

https://bugzilla.novell.com/show_bug.cgi?id=214333

------- Comment #4 from dmueller@novell.com 2006-10-23 12:53 MST -------
This should be okay, if it works. BTW, the same problem exists in the 10.0 and
10.1 trees (perhaps elsewhere as well). Alone for the reason that it is
unlikely that the tarball stays up for 7 years, this should be fixed there as
well.
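
One way to do the verification the report asks for, as an added example that is not code from galago-sharp or the openSUSE package: a shell function that checks a tarball shipped with the package against a pinned SHA-256 before unpacking, and never falls back to wget. The function name, its arguments and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the package):
# verify_and_unpack TARBALL EXPECTED_SHA256 TOPDIR DEST
# Returns 0 only if DEST already exists, or the digest matched and
# TOPDIR from the tarball was moved to DEST.
verify_and_unpack() {
    tarball=$1 expected=$2 topdir=$3 dest=$4

    # Same shortcut as the original rule: nothing to do if the tree exists.
    [ -d "$dest" ] && return 0

    # No network fallback: the tarball must already ship with the package.
    if [ ! -f "$tarball" ]; then
        echo "missing $tarball (no download is attempted)" >&2
        return 1
    fi

    # Compare the digest before tar ever parses the file.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # Unpack into a scratch directory so a failed extraction leaves no
    # half-populated DEST behind, then move the tree into place.
    scratch=$(mktemp -d "${dest}.tmp.XXXXXX") || return 1
    status=1
    if tar -xf "$tarball" -C "$scratch" && [ -d "$scratch/$topdir" ] \
            && mv "$scratch/$topdir" "$dest"; then
        status=0
    else
        echo "could not unpack $topdir from $tarball" >&2
    fi
    rm -rf "$scratch"
    return $status
}
```

The pinned digest belongs in the spec file or Makefile under version control, so that changing the tarball and changing the expected hash are one reviewed commit.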