tech-pkg archive


Re: nasty patches in pkgsrc regarding CVE-2010-4651: relative paths with ../
On Fri, Jul 3, 2026 at 04:19 Greg Troxel <gdt%lexort.com@localhost> wrote:
> Tobias Nygren <tnn%NetBSD.org@localhost> writes:
>
>> If you have a cleaner method to apply patches from $WRKDIR
>> instead of $WRKSRC, please make a proposal. Bonus points awarded if
>> it works with mkpatches.
>
> Three proposals
>
> 0) Ask the rust world to mend their ways.

Would be good, yes.

> 1) Change our rules for patches to be based in WRKDIR instead.

This would be problematic: we have enough games to play with getting the directory name correct in WRKSRC, and to have to do that for all patches too?

Beyond that, and taking a more objective stance, we should be patching the source code. WRKDIR includes stuff that is not source code, but can influence the build. I'm reluctant to go down that route, despite all the eyeballs, as tnn notes.

> 2) Add patches-wrkdir *additionally* for patches based on wrkdir.  Teach
> mkpatches to put patches within WRKSRC in patches, and other patches in
> patches-wrkdir

I'm still not sure this is a good idea :(

But I do agree that relative paths in patch files, all 180+ of them, should not exist. Good catch.
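One check that follows from that last point, as an added example that is not code from the thread or from pkgsrc itself: a POSIX sh script that scans a package's patches/ directory and reports every patch file whose `---`/`+++` headers name a path with a `..` component, i.e. a hunk that patch(1) would apply outside the directory it is run in. The function names are hypothetical; it assumes unified or context diff headers and pkgsrc's `patch-*` file naming.

```shell
#!/bin/sh
# Added example (not from the thread or from pkgsrc): report patch files
# whose ---/+++ headers name a path with a ".." component. patch(1) applies
# such a hunk outside the directory it is run in, which is the shape of
# CVE-2010-4651 and of the relative paths the thread objects to.
# Assumes unified or context diff headers and pkgsrc's patch-* file names.

# Print the target path of every "--- " / "+++ " header line in a patch,
# with any trailing timestamp removed.
patch_targets() {
    grep -E '^(---|[+][+][+]) ' "$1" | sed -E 's/^(---|[+][+][+]) //; s/[[:space:]].*//'
}

# Succeed (exit 0) when at least one target path contains a ".." component.
has_traversal() {
    patch_targets "$1" | grep -q -E '(^|/)\.\.(/|$)'
}

# Scan a patches/ directory and print each offending patch file, one per line.
find_traversal_patches() {
    for f in "$1"/patch-*; do
        [ -f "$f" ] || continue
        if has_traversal "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo: one patch that climbs out of WRKSRC, one that stays inside.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '--- ../vendor/lib.rs.orig' '+++ ../vendor/lib.rs' \
        '@@ -1 +1 @@' '-old' '+new' > "$tmp/patch-aa"
    printf '%s\n' '--- src/main.rs.orig' '+++ src/main.rs' \
        '@@ -1 +1 @@' '-old' '+new' > "$tmp/patch-ab"
    find_traversal_patches "$tmp"   # prints only .../patch-aa
    rm -rf "$tmp"
}

# Usage: ./check-patches.sh /usr/pkgsrc/category/pkg/patches; no argument runs the demo.
if [ $# -eq 0 ]; then demo; else find_traversal_patches "$1"; fi
```

A hit from this scan is exactly a patch that mkpatches should have generated relative to WRKSRC, so it doubles as a lint for the proposals above.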