On Mon, Mar 12, 2007 at 04:05:58PM -0500, Tom 'spot' Callaway wrote:
> On Mon, 2007-03-12 at 16:30 -0400, Bill Nottingham wrote:
> > Rex Dieter (rdieter@xxxxxxxxxxxx) said:
> > > How is that a race exactly? rm doesn't exit/return until it is done, afaik.
> >
> > Someone could pre-make the build root in between the rm and mkdir calls.
>
> Erm, ok. In the buildsystem, this should never happen (hooray mock), but
> when building on a multi-user system, I can see the remote possibility.

Hey, our new preferred buildroot makes it even harder to guess the Buildroot
name, hooray2 ;)

> It would be far easier for an attacker to leverage wildcarding in %files
> while a package is building, wait for it to perform make install, then
> slide in their malicious bits.

How would the attacker do that if the buildroot belongs to another user?
--
Axel.Thimm at ATrpms.net
Attachment:
pgpsZT9HI0Ogh.pgp
Description: PGP signature
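The rm/mkdir window discussed in the thread, as an added example that is not part of the original message or of any Fedora tooling: a hypothetical pair of shell helpers (`claim_buildroot`, `make_buildroot`, names chosen here) showing how a spec's `rm -rf` / `mkdir` prologue can detect a build root that was pre-made between the two calls instead of silently reusing it. Plain `mkdir` without `-p` refuses an existing path, which is the whole trick; the ownership check afterwards is an extra guard for the multi-user case.

```sh
# Added example, not from the thread: hypothetical helpers for the rm/mkdir
# window. Plain mkdir (no -p) refuses an existing path, so a directory or
# symlink planted between the rm and the mkdir makes the step fail loudly
# instead of being silently adopted as the build root.

# claim_buildroot DIR: create DIR fresh. Returns 1 if DIR already exists
# (something was planted there), 2 if the result is not a directory we own.
claim_buildroot() {
    dir=$1
    if ! mkdir -m 0700 -- "$dir" 2>/dev/null; then
        echo "refusing pre-existing path: $dir" >&2
        return 1
    fi
    # Belt and braces: the path must now be a real directory owned by us
    # (find -prune -user is used because test -O is not POSIX).
    if [ -L "$dir" ] || [ ! -d "$dir" ] \
       || [ -z "$(find "$dir" -prune -user "$(id -un)" 2>/dev/null)" ]; then
        echo "build root is not a directory owned by $(id -un): $dir" >&2
        return 2
    fi
    return 0
}

# make_buildroot DIR: the usual %install prologue (rm -rf, then mkdir), with
# the mkdir replaced by claim_buildroot so the window between them is checked.
make_buildroot() {
    rm -rf -- "$1"
    claim_buildroot "$1"
}

# Demo on a throwaway directory (constructed here, not a real build root).
demo() {
    tmp=$(mktemp -d) || return 1
    make_buildroot "$tmp/buildroot" && echo "fresh build root: $tmp/buildroot"
    mkdir -- "$tmp/planted"            # simulate a directory slipped in early
    claim_buildroot "$tmp/planted" || echo "planted directory detected"
    rm -rf -- "$tmp"
}

demo
```

Note that `mkdir -p`, which many spec files use, would defeat the check: it succeeds silently on an existing directory, which is exactly the case the thread is worried about.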
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging