tech-pkg archive


Re: nasty patches in pkgsrc regarding CVE-2010-4651: relative paths with ../

On Fri, 3 Jul 2026 at 10:15, Greg Troxel <gdt%lexort.com@localhost> wrote:
Alistair Crooks <alistaircrooks%gmail.com@localhost> writes:

>> 2) Add patches-wrkdir *additionally* for patches based on wrkdir.  Teach
>> mkpatches to put patches within WRKSRC in patches, and other patches in
>> patches-wrkdir
>>
>
> I'm still not sure this is a good idea :(
>
> But I do agree that relative paths in patch files, all 180+ of them, should
> not exist. Good catch.

I'm not sure either.

What is your approach?

I've not really thought about it, and real life has intruded today, but...

I'd be inclined to add a directory under ${WRKDIR} in places where relative patches would occur - in the Makefile as WRKSRC_INDIRECT or similar. Normally this directory name would not be needed, so the default case is blank. I'd introduce an internal _PATCHBASE variable to set the directory to use as the root for patching, depending upon WRKSRC_INDIRECT. Adjust mkpatches as necessary. Add a pkglint check for relative directories in patch files.

However, I haven't tried any of this, so I've no idea whether it would fly, or what the corner cases are.

In general, the idea is to only patch under WRKSRC, introduce as few complications and/or unnecessaries as possible, and don't allow relative patches.

Best,
Al
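As an added example (not code from this thread, from pkgsrc, or from pkglint), here is a minimal POSIX sh check in the spirit of the pkglint check Al proposes: it reads the `---`/`+++` headers of a patch file and reports any target path that contains a `..` component or is absolute, i.e. a path that would escape the patch base. The two sample patches it runs against are constructed for the demo.

```sh
#!/bin/sh
# Added example: flag patch headers whose target path escapes the patch base.
# A full tool would track hunk state so that a removed line beginning with
# "-- " is not mistaken for a "--- " header; this check only looks at headers.

# check_patch_paths [FILE]: reads FILE (or stdin), prints each offending
# header line, returns 1 if any were found and 0 otherwise.
check_patch_paths() {
    _found=0
    _tab=$(printf '\t')
    while IFS= read -r line; do
        case "$line" in
            '--- '*|'+++ '*) ;;
            *) continue ;;
        esac
        path=${line#??? }          # drop the "--- " / "+++ " marker
        path=${path%%"$_tab"*}     # drop a trailing tab-separated timestamp
        case "$path" in
            ../*|*/../*|*/..|..)
                printf 'relative path escapes patch base: %s\n' "$line"
                _found=1 ;;
            /*)
                printf 'absolute path in patch header: %s\n' "$line"
                _found=1 ;;
        esac
    done < "${1:-/dev/stdin}"
    return $_found
}

# Constructed sample patches (not real pkgsrc patches) for a self-test.
tmp=$(mktemp -d)
printf '%s\n' '--- ../other-dir/config.h.orig' '+++ ../other-dir/config.h' \
    '@@ -1 +1 @@' '-#define X 1' '+#define X 2' > "$tmp/patch-bad"
printf '%s\n' '--- src/config.h.orig' '+++ src/config.h' \
    '@@ -1 +1 @@' '-#define X 1' '+#define X 2' > "$tmp/patch-good"

check_patch_paths "$tmp/patch-bad";  bad_rc=$?    # reports both headers, rc 1
check_patch_paths "$tmp/patch-good"; good_rc=$?   # silent, rc 0
printf 'patch-bad rc=%s patch-good rc=%s\n' "$bad_rc" "$good_rc"
rm -rf "$tmp"
```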
