On 2014-04-29 12:27 +0200, Raphael Geissert wrote:

> On 29 April 2014 08:11, Guillem Jover <guil...@debian.org> wrote:
> [...]
>>   2. Revert the patch and add versioned dependencies against the working
>>      patch package. This might require some dist-upgrade tests, though.
>>   3. Fix the patch to take into account the old behaviour, by checking
>>      if either of the filenames (escaped and unescaped) are unsafe.
>>
>> I guess the last one is the “safest option”. In any case I'd like
>> input from the security team (CCed just to make sure you get this),
>> and I'm very sorry guys about this. :(
>
> This goes both ways:
> * if using dependencies, they would need to be added to all versions
> so that e.g. wheezy's dpkg can't be used with squeeze's patch
> * if handling both behaviors, it should also apply to both releases.
>
> Unless I missed something, of course.

Something nobody has mentioned yet: isn't the critical path between
wheezy and jessie/sid rather than between squeeze and wheezy?  Support
for double-quoted filenames was added in patch 2.7, which entered
unstable only in June 2013.

Cheers,
       Sven
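The third option quoted above (reject a patch header filename if either its escaped or its unescaped form is unsafe), as an added illustration that is not dpkg's own code: it assumes the C-style escape set GNU diff/patch uses for double-quoted names, and treats absolute paths, empty names and `..` components as unsafe.

```python
import re

# Escape sequences a double-quoted filename in a unified diff header may
# carry (assumption: the C-style set GNU diff/patch handles).
_ESCAPES = {'\\': '\\', '"': '"', 'n': '\n', 't': '\t', 'r': '\r',
            'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v'}

def unquote_filename(name):
    """Return the unescaped form of a double-quoted header filename,
    or the name unchanged when it is not quoted."""
    if len(name) < 2 or name[0] != '"' or name[-1] != '"':
        return name
    out, i, body = [], 0, name[1:-1]
    while i < len(body):
        c = body[i]
        if c != '\\':
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError('dangling backslash in quoted filename')
        c = body[i]
        if c in _ESCAPES:
            out.append(_ESCAPES[c])
            i += 1
        elif c in '01234567':                    # \NNN octal byte
            m = re.match(r'[0-7]{1,3}', body[i:])
            out.append(chr(int(m.group(0), 8)))
            i += len(m.group(0))
        else:
            raise ValueError('unknown escape \\%s' % c)
    return ''.join(out)

def is_unsafe_path(path):
    """True if path could escape the tree the patch is applied to:
    empty, absolute, or containing a '..' component."""
    if not path or path.startswith('/'):
        return True
    return any(part == '..' for part in path.split('/'))

def is_unsafe_patch_filename(raw):
    """Check the raw header token (old behaviour: no unquoting) AND its
    unquoted form; malformed quoting is treated as unsafe too."""
    candidates = [raw]
    try:
        candidates.append(unquote_filename(raw))
    except ValueError:
        return True
    return any(is_unsafe_path(p) for p in candidates)
```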
