ville.skytta@xxxxxx (Ville Skyttä) writes: >> > %install >> > rm -rf $RPM_BUILD_ROOT >> > mkdir $RPM_BUILD_ROOT # this fails when $RPM_BUILD_ROOT already exists >> >> Will work; > > ...but will break in setups where some subdirs of $RPM_BUILD_ROOT are missing > before %install. This wouldn't suffer from that drawback: > > %install > rm -rf $RPM_BUILD_ROOT > mkdir -p $(dirname $RPM_BUILD_ROOT) ; mkdir $RPM_BUILD_ROOT ... but opens a new attack vector because attacker could do | mkdir -m777 -p $(dirname $RPM_BUILD_ROOT) | ... wait until victim executes the first 2 %install lines | mv $RPM_BUILD_ROOT $(dirname $RPM_BUILD_ROOT)/old-buildroot | mkdir $RPM_BUILD_ROOT (easy to automate by some inotify in $(dirname $RPM_BUILD_ROOT)) Enrico
Attachment:
pgpdURv20UZY7.pgp
Description: PGP signature
-- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
