On 2014-04-29 12:27 +0200, Raphael Geissert wrote:
> On 29 April 2014 08:11, Guillem Jover <guil...@debian.org> wrote:
> [...]
>> 2. Revert the patch and add versioned dependencies against the working
>> patch package. This might require some dist-upgrade tests, though.
>> 3. Fix the patch to take into account the old behaviour, by checking
>> if either of the filenames (escaped and unescaped) are unsafe.
>>
>> I guess the last one is the “safest option”. In any case I'd like
>> input from the security team (CCed just to make sure you get this),
>> and I'm very sorry guys about this. :(
>
> This goes both ways:
> * if using dependencies, they would need to be added to all versions
>   so that e.g. wheezy's dpkg can't be used with squeeze's patch
> * if handling both behaviors, it should also apply to both releases.
>
> Unless I missed something, of course.
Something nobody has mentioned yet: isn't the critical path between
wheezy and jessie/sid rather than between squeeze and wheezy? Support
for double-quoted filenames was added in patch 2.7, which entered
unstable only in June 2013.

Cheers,
Sven