tech-pkg archive


Re: nasty patches in pkgsrc regarding CVE-2010-4651: relative paths with ../



On Fri, 3 Jul 2026 12:31:07 +0200
"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> wrote:

> What is the stance on this in the NetBSD project and pkgsrc? Is it good
> to rely on behaviour that has been deemed a serious vulnerability by
> $some_people? Should the patches be rather applied from the containing
> directory, avoiding the ../ in them?

Agreed this is a bit of a hack. That said, the patches are only applied
if the distinfo checksum passes, so that significantly reduces any
attack surface. If I were to conduct a supply chain attack in
pkgsrc-wip I would not rely on this mechanism because it is evident to
anyone who reads diffs posted to the mailing list.

If you have a cleaner method to apply patches from $WRKDIR
instead of $WRKSRC, please make a proposal. Bonus points awarded if
it works with mkpatches.

Q: is GNU patch happy to apply those patches with -p1?

-Tobias
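The concern in this thread is patches whose targets point outside the directory patch is run in. As an added example (not from this thread and not pkgsrc's own mk infrastructure), the POSIX shell pre-check below lists the '+++' targets of a unified diff that would still escape after a given -pN strip; the function names and the sample patch are constructed for illustration.

```shell
# Added example (not from the thread): flag '+++' targets in a unified diff
# that escape the directory patch runs in (absolute path or '..' component)
# after the -pN strip; the strip logic mimics patch -pN, it is not patch.
# check_patch_paths FILE [STRIP]: print offending paths, return 1 if any.
check_patch_paths() {
    pf=$1; strip=${2:-0}
    offenders=$(
        grep '^+++ ' "$pf" | while IFS= read -r line; do
            path=$(printf '%s\n' "$line" | awk '{print $2}')  # 2nd field; timestamp ignored
            # /dev/null marks a deleted file; nothing is written there.
            [ "$path" = /dev/null ] && continue
            n=$strip
            while [ "$n" -gt 0 ]; do          # drop leading components like -pN
                case $path in
                    */*) path=${path#*/} ;;
                    *)   break ;;
                esac
                n=$((n - 1))
            done
            case $path in
                /*)                  printf 'absolute: %s\n' "$path" ;;
                ..|../*|*/..|*/../*) printf 'traversal: %s\n' "$path" ;;
            esac
        done
    )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}
# Constructed sample: second hunk reaches a sibling of $WRKSRC via ../,
# third hunk deletes a file (target /dev/null, which must not be flagged).
write_sample_patch() {
    cat > "$1" <<'EOF'
--- src/main.c.orig
+++ src/main.c
@@ -1 +1 @@
-old
+new
--- ../other/config.h.orig
+++ ../other/config.h
@@ -1 +1 @@
-old
+new
--- src/obsolete.c.orig
+++ /dev/null
@@ -1 +0,0 @@
-gone
EOF
}
```

With STRIP=1 the `..` component is stripped and nothing is flagged, but the hunk then lands on `other/config.h` below the current directory rather than the sibling the patch author meant, so a clean result from this check does not mean the patch applies to the intended file.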

