On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
> Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue?
I think so, there exist lots of attacks which exploit exactly such races.
> If yes, I can change it to a TmpDir existing during lifetime of zypper.
Please do.

Thanks,
  Michael.

-- 
Michael Schroeder                                   mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
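The change agreed on in this thread (a private TmpDir for the lifetime of the process instead of a shared directory where same-named files are overwritten), sketched as an added example that is not zypper or libzypp code. The names makeStageDir, isPrivateDir, stageFile and the pkgstage prefix are hypothetical.

```cpp
#include <fcntl.h>
#include <stdexcept>
#include <stdlib.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Create a per-process staging directory. mkdtemp() picks an unpredictable
// name, creates it with mode 0700, and fails instead of reusing an existing path.
std::string makeStageDir(const std::string& base) {
    std::string tmpl = base + "/pkgstage.XXXXXX";
    if (mkdtemp(&tmpl[0]) == nullptr)
        throw std::runtime_error("mkdtemp failed");
    return tmpl;
}

// True only if dir is a real directory owned by us with no group/other access,
// i.e. no other local user can add, replace or rename files inside it.
bool isPrivateDir(const std::string& dir) {
    struct stat st;
    if (lstat(dir.c_str(), &st) != 0) return false;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

// Copy src to dir/name. O_EXCL | O_NOFOLLOW refuses to overwrite an existing
// file or write through a symlink, unlike the "overwrite same name" behaviour.
bool stageFile(const std::string& src, const std::string& dir, const std::string& name) {
    if (!isPrivateDir(dir) || name.find('/') != std::string::npos) return false;
    int in = open(src.c_str(), O_RDONLY | O_CLOEXEC);
    if (in < 0) return false;
    int out = open((dir + "/" + name).c_str(),
                   O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (out < 0) { close(in); return false; }
    char buf[65536];
    ssize_t n;
    bool ok = true;
    while (ok && (n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { ok = false; break; }
            off += w;
        }
    }
    if (ok && n < 0) ok = false;
    if (close(out) != 0) ok = false;
    close(in);
    return ok;
}
```

Because the directory is 0700 and owned by the installing user, the window between copying the file and installing it is no longer reachable by other local users.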