On Sun, Jul 24, 2005, Ralf S. Engelschall wrote:

> On Sun, Jul 24, 2005, Matthias Kurz wrote:
>
> > On Sun, Jul 24, 2005, Ralf S. Engelschall wrote:
> >
> > > On Sun, Jul 24, 2005, Matthias Kurz wrote:
> > >
> > > > There is something wrong. I guess with the patch, but I do not know
> > > > the background...
> > > >
> > > > Well, the problem is that when a path to a file is given the result
> > > > ends in the current dir and not in the "original" dir.
> > > > Example: gzip /foo/bar/baz creates ./baz.gz instead of /foo/bar/baz.gz
> > >
> > > Yes, AFAIK this nasty semantic change is
> > > part of the security fix corresponding to
> > > http://www.openpkg.org/security/OpenPKG-SA-2005.009-gzip.html Hmmm...
> > > I'm wondering how one can adjust the patch to still fix the security
> > > issue and keep the old semantics...?
> >
> > Is anybody working on this?
>
> Not as far as I know.
>
> > I looked around and "found" the following thread:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255
> > There is a better patch that removes the dirname part in
> > gzip.c:get_method() (where it is taken from the compressed file).
>
> Hey, cool. Feel free to come up with a patch providing a more reasonable
> solution than what we currently have in the OpenPKG package(s).

Well, the patch in the mentioned mail thread looks ok to me. And it works.
Also, looking at the bug description, it turns out that the filename field
in the .gz file was never meant to hold directory information - so the
'-N' option is also not crippled.

I'm going to change the patch in "gzip" and will copy over the patched
gzip.c to the "openpkg" CURRENT package.

   (mk)

--
Matthias Kurz; Fuldastr. 3; D-28199 Bremen; VOICE +49 421 53 600 47
  >> In the premotor cortex, anyone can be a hero. (bdw) <<
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   openpkg-dev@openpkg.org
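
The approach discussed in the thread (drop the directory part of the name stored in the .gz header, keep the directory of the path given on the command line), sketched in Python as an added example. It is not code from this thread or from the gzip patch; the helper names `make_member`, `stored_name` and `restore_path` and the sample names are hypothetical and constructed.

```python
import posixpath
import struct
import zlib
from typing import Optional

FEXTRA, FNAME = 0x04, 0x08          # FLG bits defined in RFC 1952

def make_member(name: bytes, payload: bytes = b"hello\n") -> bytes:
    """Build a constructed gzip member whose FNAME field is `name`."""
    co = zlib.compressobj(wbits=-15)            # raw deflate, no zlib wrapper
    body = co.compress(payload) + co.flush()
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\x03"
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    return header + name + b"\x00" + body + trailer

def stored_name(data: bytes) -> Optional[str]:
    """Return the raw FNAME field of a gzip member, or None if it has none."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flags, pos = data[3], 10                    # fixed header is 10 bytes
    if flags & FEXTRA:                          # extra field precedes the name
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flags & FNAME:
        return None
    end = data.index(b"\x00", pos)              # name is NUL-terminated Latin-1
    return data[pos:end].decode("latin-1")

def restore_path(input_path: str, data: bytes) -> str:
    """Output path when restoring the stored name (as with -N): keep only the
    base name from the header and place it in the input file's directory."""
    name = stored_name(data) or ""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any dirname part
    if base in ("", ".", ".."):                 # nothing usable: use input name
        base = posixpath.basename(input_path)
        if base.endswith(".gz"):
            base = base[:-3]
    return posixpath.join(posixpath.dirname(input_path), base)

if __name__ == "__main__":
    member = make_member(b"../../outside/notes.txt")    # constructed sample
    print(stored_name(member), "->", restore_path("/foo/bar/baz.gz", member))
```

Because only the header's name is reduced to its base name, the output still lands next to the input file, which is the old behaviour the thread wants to keep.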