On Sat, Mar 02, 2019 at 08:19:11PM +1000, Allan McRae wrote:
> Deltas are broken. So much so that I would strongly recommend never
> using a delta from a repo that you did not generate yourself. In short,
> we call "system(command)", with a command that includes the name of
> a delta file, and the name of the package file before and after applying
> the delta. The name of the delta and the package files is controlled by
> the information in the repo, and could contain a malicious command to be
> run as root.
>
> We could possibly work around this, but it is a very risky piece of code
> and I believe it would be very hard to fully secure. Instead, I propose
> to remove delta support completely.
This issue was assigned CVE-2019-18183.

https://security.archlinux.org/CVE-2019-18183

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
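The quoted message describes the root cause: repo-controlled file names are interpolated into a string handed to system(), so the shell, not the delta tool, gets to interpret them. The following is an added illustration of the defensive pattern (it is not pacman code and not part of this thread): reject any name that is not a plain, allow-listed base name, build an argv vector, and launch the tool with fork/execvp so no shell is involved. The tool name and its "-d" flag are placeholders, and is_safe_name, build_delta_argv and run_noshell are hypothetical helper names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical check for a repo-supplied delta or package file name: it must be
 * a non-empty base name (no '/' can pass the allow-list), must not be "." or
 * "..", must not start with '-' (the child tool would read it as an option),
 * and may contain only characters from a small allow-list. */
int is_safe_name(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (name[0] == '-') return 0;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' ||
              c == '+' || c == ':' || c == '@'))
            return 0;
    }
    return 1;
}

/* Build an argv vector for the delta tool. Each name is validated first; the
 * vector is filled as separate arguments, never joined into a command string.
 * Returns the number of arguments placed, or -1 on rejection.
 * argv must have room for at least 6 entries (5 arguments plus the NULL). */
int build_delta_argv(const char *tool, const char *delta, const char *base,
                     const char *out, const char *argv[], size_t cap)
{
    if (cap < 6) return -1;
    if (!is_safe_name(delta) || !is_safe_name(base) || !is_safe_name(out))
        return -1;
    argv[0] = tool;
    argv[1] = "-d";      /* placeholder "apply delta" flag, not a real tool option */
    argv[2] = delta;
    argv[3] = base;
    argv[4] = out;
    argv[5] = NULL;
    return 5;
}

/* Run an argv vector via fork/execvp. Arguments reach the child exactly as
 * given, so shell metacharacters in a file name have no special meaning.
 * Returns the child's exit status, or -1 if it could not be started or did
 * not exit normally. */
int run_noshell(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);      /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -1;
}

int main(void)
{
    /* Constructed sample names: the first set is accepted, the second is
     * rejected because of the embedded space before any process is started. */
    const char *argv[6];
    if (build_delta_argv("deltatool", "pkg-1.0_to_1.1.delta", "pkg-1.0.pkg.tar",
                         "pkg-1.1.pkg.tar", argv, 6) < 0)
        return 1;
    printf("accepted: %s %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3], argv[4]);
    if (build_delta_argv("deltatool", "pkg a.delta", "pkg-1.0.pkg.tar",
                         "pkg-1.1.pkg.tar", argv, 6) == -1)
        printf("rejected name containing a space\n");
    return 0;
}
```

The allow-list is deliberately stricter than what a shell would mis-handle: the goal is not to enumerate dangerous characters but to accept only what a legitimate package or delta name needs. Even with the check, the exec-without-shell path is what removes the command-injection class entirely; the name check mainly protects the child tool from option and path confusion.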