On 2024-12-25 08:13:37, Johannes Schauer Marin Rodrigues wrote:
> commits without any rationale behind them are the best </scarcasm>
Ugh, wtf.
Uh. So it looks like this is a feature of zstd that it won't follow
symlinks when reading compressed files!!
So i guess this is not a bug in sbuild after all, but specifically about
zstd tarballs. Sigh.
> This also reminds me of #1089105 which comes down to zstd not accepting
> compressed data on stdin and writing the uncompressed result to stdout without
> also passing --force. Seems entirely unintuitive to me...
Is it worth filing this against zstd and affecting sbuild maybe?
> Thank you for having found this. Maybe we should just call zstd with '--force'
> and call it a dway...
That seems dangerous in many ways: zstd setup this thing which sounds to
me like a security feature, albeit poorly documented...
If I read this right, there's even a TOCTOU bug in there, because we're
checking symlinks before use, and and an attacker could replace a file
with a symlink later. Anyway.
Not sure what to do about this, I think the best might possibly be to
move this to the zstd package...
Sorry for all the trouble! :)
a.
--
One has a moral responsibility to disobey unjust laws.
- Martin Luther King, Jr.
