* Guillem Jover <guil...@debian.org>, 2014-04-29, 23:40:
1. Simply revert the patch, and ignore issues w/ partial upgrades (at least for now?).
2. Revert the patch and add versioned dependencies against the working patch package. This might require some dist-upgrade tests, though.
3. Fix the patch to take into account the old behaviour, by checking if either of the filenames (escaped and unescaped) are unsafe.

I guess the last one is the “safest option”.

For a quick fix, 3 is probably the best.

Did you mean 1? After having checked to implement 3, there's many parts of the code that need to be changed and moved around, I'll try to cook an actual patch to see how bad it is though.

I had assumed that the patch for 3 would we straightforward. If this is not the case, then I'd go for 1 for now, and maybe we'll figure out something better later. Of course, Security Team's option may vary.

There's also the newly supported git formatted patches now recognized by patch, “fortunately” Dpkg::Source::Patch does not understand them and because it creates any necessary directories (or what looks like one), I don't see a way it can be exploited. But I might be short on imagination at this moment.

Oh, I completely forgot about git patches. I have a hunch that there's a clever way to exploit them. :\

--
Jakub Wilk
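As an added illustration of option 3 from the thread, here is a check written for this page (not dpkg's own Dpkg::Source::Patch code, and in Python rather than dpkg's Perl) that rejects a patch header filename if either its escaped or its unescaped form could leave the source tree. The escape set and the sample filenames are constructed for the example.

```python
import re

# C-style escapes accepted in quoted patch header filenames (constructed subset for this example).
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'b': '\b', 'f': '\f',
            'v': '\v', 'a': '\a', '\\': '\\', '"': '"'}


def unescape_c_string(s):
    """Decode a double-quoted, C-style escaped filename; return s unchanged if it is not quoted."""
    if len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    body, out, i = s[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c != '\\':
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("dangling backslash in quoted filename")
        e = body[i]
        if e in _ESCAPES:
            out.append(_ESCAPES[e])
            i += 1
        elif e in '01234567':
            # Octal escape: up to three digits, e.g. \056 is '.'
            m = re.match(r'[0-7]{1,3}', body[i:])
            out.append(chr(int(m.group(0), 8)))
            i += len(m.group(0))
        else:
            raise ValueError("unknown escape \\%s" % e)
    return ''.join(out)


def is_unsafe_path(path):
    """True if a single (already decoded) path could escape the unpack directory."""
    if path == '' or path.startswith('/'):
        return True
    if '\0' in path or '\n' in path:
        return True
    return any(part == '..' for part in path.split('/'))


def patch_filename_is_unsafe(raw):
    """Option 3: the name is unsafe if the raw text OR its unescaped form is unsafe."""
    try:
        decoded = unescape_c_string(raw)
    except ValueError:
        return True  # malformed quoting: refuse rather than guess
    return is_unsafe_path(raw) or is_unsafe_path(decoded)
```

Checking only the raw text misses `"a/\056\056/b"`, which decodes to `a/../b`; checking only the decoded text misses nothing here but changes behaviour for unquoted names, which is why the thread proposes testing both.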

