On 2024-12-25 08:13:37, Johannes Schauer Marin Rodrigues wrote:
> commits without any rationale behind them are the best </sarcasm>

Ugh, wtf.

Uh. So it looks like this is a feature of zstd that it won't follow
symlinks when reading compressed files!!

So I guess this is not a bug in sbuild after all, but specifically about
zstd tarballs. Sigh.

> This also reminds me of #1089105 which comes down to zstd not accepting
> compressed data on stdin and writing the uncompressed result to stdout without
> also passing --force. Seems entirely unintuitive to me...

Is it worth filing this against zstd and affecting sbuild maybe?

> Thank you for having found this. Maybe we should just call zstd with '--force'
> and call it a day...

That seems dangerous in many ways: zstd setup this thing which sounds to
me like a security feature, albeit poorly documented...

If I read this right, there's even a TOCTOU bug in there, because we're
checking symlinks before use, and an attacker could replace a file
with a symlink later. Anyway.

Not sure what to do about this, I think the best might possibly be to
move this to the zstd package...

Sorry for all the trouble! :)

a.

-- 
One has a moral responsibility to disobey unjust laws.
                        - Martin Luther King, Jr.
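The check-then-use race mentioned in the message above, shown as an added example that is not code from this thread, from sbuild or from zstd: `open_check_then_use()` does the racy `lstat()`-then-`open()` sequence, while `open_no_symlink()` lets the kernel refuse symlinks atomically with `O_NOFOLLOW` and confirms the result with `fstat()`. It assumes Linux/glibc and a writable `/tmp`; the file names and contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Race-prone pattern: inspect the path with lstat(), then open() it.
 * Between the two calls another process can replace the regular file
 * with a symlink, so the check no longer describes what open() follows.
 * Returns an fd or -1 (errno set). */
int open_check_then_use(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    /* TOCTOU window lives here. */
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Atomic variant: O_NOFOLLOW makes the kernel fail the open with ELOOP
 * if the final path component is a symlink, and fstat() on the opened
 * descriptor (not the path) confirms it is a regular file. */
int open_no_symlink(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;            /* errno == ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demo: create a constructed regular file and a symlink to it in a
 * temporary directory, then verify that the safe opener accepts the
 * regular file and rejects the symlink with ELOOP. Returns 1 on success. */
int demo_nofollow(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char regular[4096], linkpath[4096];
    snprintf(regular, sizeof regular, "%s/data.tar.zst", dir);
    snprintf(linkpath, sizeof linkpath, "%s/link.tar.zst", dir);

    FILE *f = fopen(regular, "w");
    if (!f)
        return 0;
    fputs("constructed sample payload\n", f);
    fclose(f);
    if (symlink(regular, linkpath) != 0)
        return 0;

    int ok = 1;
    int fd = open_no_symlink(regular);
    if (fd < 0)
        ok = 0;               /* regular file must be accepted */
    else
        close(fd);

    int fd2 = open_no_symlink(linkpath);
    if (fd2 >= 0) {
        ok = 0;               /* symlink must be refused */
        close(fd2);
    } else if (errno != ELOOP) {
        ok = 0;               /* refused, but not for the expected reason */
    }

    unlink(linkpath);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("O_NOFOLLOW demo %s\n", demo_nofollow() ? "passed" : "failed");
    return 0;
}
```

The practical difference is where the decision is made: `open_no_symlink()` never trusts a path it looked at earlier, so there is no window for a swap between check and use; a consumer that must reject symlinked archives should apply the same idea (open first, then validate the descriptor) rather than pass `--force` and lose the check entirely.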
