From: Andreas Gruenbacher
To: linux-kernel@vger.kernel.org
Cc: git@vger.kernel.org
Subject: Re: patch-2.7.3 no longer applies relative symbolic link patches
Date: Tue, 27 Jan 2015 15:47:04 +0000 (UTC)

On Mon, 26 Jan 2015 13:50:10 -0800, Linus Torvalds wrote:
> On Mon, Jan 26, 2015 at 1:35 PM, Junio C Hamano wrote:
>>
>> What is your take on CVE-2015-1196, which brought this /regression/ to
>> GNU patch?
>> If "git apply" gets /fixed/ for that same CVE, would that /break/ your
>> fix?
>
> I _think_ we allow arbitrary symlinks to be created, but then we should
> be careful about actually _following_ them.

I would prefer to allow arbitrary symlinks even in GNU patch, but patch
still must not be allowed to leave the working directory. The only way to
achieve that I can think of is to implement path traversal in user space,
which is not so easy to do correctly and efficiently.

I think file system modifications from "outside" are not much of a concern.

Andreas
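The user-space path walk Andreas describes, as an added example that is not code from GNU patch, git, or anyone in this thread: it resolves a patch target path component by component, follows symlinks itself instead of letting the kernel do it, and refuses any path whose resolution would leave the working directory. `resolve_within` and `demo` are illustrative names, and the sandbox that `demo` builds in a temporary directory is constructed for the example.

```python
import os, shutil, stat, tempfile

class EscapesWorkingDir(Exception): pass   # path would leave the working dir

def resolve_within(root, relpath):
    """Walk relpath under root in user space, following symlinks component by
    component; return the resolved path relative to root or raise."""
    stack, hops = [], 0                         # resolved parts, all inside root
    todo = list(reversed(relpath.split("/")))   # pop() yields them in order
    while todo:
        comp = todo.pop()
        if comp in ("", "."):
            continue
        if comp == "..":
            if not stack:                       # would climb above root
                raise EscapesWorkingDir(f"{relpath!r} climbs above {root}")
            stack.pop()
            continue
        cur = os.path.join(root, *stack, comp)
        try:
            is_link = stat.S_ISLNK(os.lstat(cur).st_mode)
        except FileNotFoundError:               # not there yet: patch may create it
            is_link = False
        if not is_link:
            stack.append(comp)
            continue
        hops += 1
        if hops > 40:                           # loop guard, like the kernel's ELOOP
            raise EscapesWorkingDir(f"too many symlink hops in {relpath!r}")
        target = os.readlink(cur)
        if os.path.isabs(target):               # absolute targets are never followed
            raise EscapesWorkingDir(f"{comp!r} -> {target!r} leaves {root}")
        todo.extend(reversed(target.split("/")))  # walk the target's parts next
    return "/".join(stack)

def demo():
    """Constructed sandbox: one link that stays inside, one that climbs out."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "src"))
    os.symlink("src", os.path.join(root, "inside"))
    os.symlink("../../etc", os.path.join(root, "escape"))
    out = {}
    for p in ("inside/main.c", "escape/passwd", "src/../../x"):
        try:
            out[p] = resolve_within(root, p)
        except EscapesWorkingDir:
            out[p] = None
    shutil.rmtree(root)
    return out
```

Relative symlink targets are re-queued in place of the link name, so a link pointing at `../../etc` is caught by the same `..` check as a literal `src/../../x`, and a missing final component is allowed because patch may be creating it.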