tech-pkg archive


Re: nasty patches in pkgsrc regarding CVE-2010-4651: relative paths with ../



"Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost> writes:

> --- ../vendor/faster-hex-0.9.0/src/lib.rs.orig	2024-02-10 21:16:02.053719873 +0000
> +++ ../vendor/faster-hex-0.9.0/src/lib.rs
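Review bot: both file headers target `../vendor/faster-hex-0.9.0/src/lib.rs`, a path that climbs out of the directory patch is run in, which is exactly what a patch carrying the CVE-2010-4651 fix refuses to apply, so this patch fails under the "$cwd and below" restriction discussed in this thread. Make the headers relative to the directory patch will actually run in (the one containing `vendor/`), e.g. `+++ vendor/faster-hex-0.9.0/src/lib.rs`, and run patch from that directory (or with a matching `-p` level) instead of relying on `..` to reach a sibling of WRKSRC.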

I think it's fair for patch to restrict application to $cwd and below,
and I see it as a bug that our patch doesn't do that.

I recently fixed a package that set WRKSRC to a package subdirectory.
That would be OK, except that sources not in WRKSRC (in what WRKSRC
would be, but not in that specific subdir) are used, and they are
patched. mkpatches didn't find them.

The fix was to set WRKSRC back to top level and use BUILD_DIRS instead.


With faux-vendored code, as Rust likes to do, it's exposing that the
pkgsrc patch scheme is really about WRKSRC, and we don't have a good way
to patch not-WRKSRC. I don't see any good approaches other than
explicitly supporting patches to paths in WRKDIR that aren't in WRKSRC,
somehow.
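As an added example (not code from this thread, from pkgsrc, or from GNU patch): a small Python checker that applies the restriction the reply describes to a set of patch files before they ever reach patch(1). It reads each `---`/`+++` header pair of a unified diff, strips leading components the way `-pN` would, and flags any target that is absolute or contains a `..` component, i.e. a path that would land outside the directory patch runs in. The `..` rule is deliberately conservative (it also flags `a/../b`, which would normalize back inside the tree); the sample patch embedded below is constructed for the demonstration, reusing the `../vendor/faster-hex-0.9.0/src/lib.rs` path from the quoted header, and the function and class names are my own.

```python
"""Flag unified-diff headers whose target path escapes the directory patch(1)
runs in: absolute names, or names with a '..' component (after -pN stripping)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# '--- path<TAB>timestamp' or '+++ path'; the optional tab-separated tail is
# the timestamp patch(1) ignores, so it is dropped from the captured path.
HEADER_RE = re.compile(r"^(\+\+\+|---) (.+?)(?:\t.*)?$")


@dataclass(frozen=True)
class Finding:
    line_no: int       # 1-based line of the offending header
    raw_path: str      # path exactly as written in the header
    stripped_path: str # path after -pN stripping
    reason: str        # why it escapes the working directory


def strip_components(path: str, strip: int) -> str:
    """Remove `strip` leading components, mimicking patch -pN: each step drops
    everything up to and including the next slash, so -p1 on
    '/u/howard/src/blurfl/blurfl.c' yields 'u/howard/src/blurfl/blurfl.c'."""
    rest = path
    for _ in range(strip):
        idx = rest.find("/")
        if idx < 0:
            return rest          # fewer components than requested; keep the rest
        rest = rest[idx + 1:].lstrip("/")   # consecutive slashes count as one
    return rest


def escape_reason(path: str) -> str | None:
    """Return why `path` would leave $cwd, or None if it stays inside."""
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "'..' component"
    return None


def iter_file_headers(lines: list[str]):
    """Yield (line_no, path) for every '---'/'+++' pair. Requiring the pair
    avoids mistaking a removed hunk line that happens to start with '-- '
    for a file header."""
    for i in range(len(lines) - 1):
        old = HEADER_RE.match(lines[i])
        new = HEADER_RE.match(lines[i + 1])
        if old and old.group(1) == "---" and new and new.group(1) == "+++":
            yield i + 1, old.group(2)
            yield i + 2, new.group(2)


def find_escaping_targets(patch_text: str, strip: int = 0) -> list[Finding]:
    """Scan one patch file and return every header path that would escape
    the directory patch runs in when applied with -p<strip>."""
    findings: list[Finding] = []
    for line_no, raw in iter_file_headers(patch_text.splitlines()):
        if raw == "/dev/null":      # file creation/deletion marker, not a target
            continue
        stripped = strip_components(raw, strip)
        reason = escape_reason(stripped)
        if reason:
            findings.append(Finding(line_no, raw, stripped, reason))
    return findings


# Constructed sample patch (not a real pkgsrc patch). Only the first file's
# headers use '../' and should be reported; the second file stays in-tree.
SAMPLE_PATCH = (
    "$NetBSD$\n"
    "\n"
    "Constructed sample: the first file's headers reach outside WRKSRC.\n"
    "\n"
    "--- ../vendor/faster-hex-0.9.0/src/lib.rs.orig\t2024-02-10 21:16:02.053719873 +0000\n"
    "+++ ../vendor/faster-hex-0.9.0/src/lib.rs\n"
    "@@ -1,3 +1,3 @@\n"
    " use core::fmt;\n"
    "-fn old() {}\n"
    "+fn new() {}\n"
    " \n"
    "--- src/main.rs.orig\n"
    "+++ src/main.rs\n"
    "@@ -1 +1 @@\n"
    "-a\n"
    "+b\n"
)


if __name__ == "__main__":
    for f in find_escaping_targets(SAMPLE_PATCH):
        print(f"line {f.line_no}: {f.raw_path!r} -> {f.reason}")
    # With -p1 the leading '..' is stripped away and nothing is reported,
    # which is why the -p level (and the directory patch runs in) matters.
    print("findings with -p1:", find_escaping_targets(SAMPLE_PATCH, strip=1))
```

Run over `patches/patch-*` with the package's actual `-p` level to catch a patch like the one quoted above before the build does; if the only clean way to make a patch pass this check is a `-p` value that also mangles the in-tree headers, that is the symptom the reply describes, a file outside WRKSRC that the pkgsrc patch scheme has no way to address.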

