projects / ostree.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 597da6c) | patch
repo: Only apply setuid/xattrs after checksum validation
authorColin Walters <walters@verbum.org>
Thu, 29 Aug 2013 23:26:00 +0000 (19:26 -0400)
committerColin Walters <walters@verbum.org>
Mon, 2 Sep 2013 19:31:55 +0000 (15:31 -0400)
commitdd7d2f7b43bf4d9a5bdd8af318318aadc84ec38b
tree529987e2a09cf6e7a16163cb883ab4924edbdbb4tree | snapshot
parent597da6ca6bdddd0c50aa31f1faf8749ebcae144ccommit | diff
repo: Only apply setuid/xattrs after checksum validation

See the new comment in the source; basically if we're fetching content
over http, then someone with the capability to MITM the network could
create a transient setuid binary on disk with arbitrary content.  If
they also had a process running on the system (such as an application)
it could be escalated to root.

https://bugzilla.gnome.org/show_bug.cgi?id=707139
src/libgsystem diff | blob | history
src/libostree/ostree-repo.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.