On 2025-01-02 19:17:38, Johannes Schauer Marin Rodrigues wrote:
> Hi,
>
> Quoting Antoine Beaupré (2025-01-01 03:52:54)
>> > Essentially, we do not pass a path to zstd anymore but we let sbuild open
>> > the path and then pass the file descriptor to what we opened to zstd via its
>> > standard input.
>>
>> Ah yes, that would work of course!
>>
>> Probably harmless in terms of security too... riiight? :)
>
> yes. Do you have any suspicions why it would not be harmless?

For reading files? Not really. And especially in this context, where the
cache directory is owned by the user, I can't really think of an attack
vector there that wouldn't already otherwise give the attacker RCE
access (i.e. if I can write to your ~/.cache I can write to your
~/.bashrc).

a.

-- 
Any sufficiently advanced technology is indistinguishable from magic.
                        - Arthur C. Clarke