[diffoscope] 03/03: comparators.squashfs: Extract archive in one go rather than per-file, speeding up ISO comparison by ~10x

Ximin Luo infinity0 at debian.org
Mon Mar 20 16:39:00 CET 2017


Chris Lamb:
> Hi Ximin,
> 
>>> commit 52b70b269e4faa31dba92799f57cc135dcb60832
>>> Author: Chris Lamb <lamby at debian.org>
>>>
>>>     comparators.squashfs: Extract archive in one go rather
>>>     than per-file, speeding up ISO comparison by ~10x
>>
>> Hi Chris, do you know if it is possible for squashfs images to
>> contain tricky paths like /evil/path or ../../../../evil/path
> 
> I've never *seen* such a thing but if this were the case we would be
> vulnerable regardless of whether we extracted per file or per archive;
> the exploit — if it exists — would be in unsquashfs.
> 

Well, that would still be a security issue that leaves our users vulnerable - and if so we should report and probably fix it in unsquashfs since upstream is AWOL.

Can you please investigate this further? I will look into the Tails / DOS/MBR issue.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
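The question above is whether an archive member named like /evil/path or ../../../../evil/path could end up outside the extraction directory. The following is a lexical check of that property, added here as an illustration; it is not code from diffoscope or unsquashfs. The helper names is_safe_member_path and partition_members, the destination directory and the member list are all constructed for the example.

```python
import posixpath

# Constructed sample listing: member names as an archive might report them.
# Two are ordinary, three would escape the extraction root if honoured blindly.
SAMPLE_MEMBERS = [
    "squashfs-root/etc/passwd",
    "squashfs-root/bin/../bin/sh",
    "/evil/path",
    "../../../../evil/path",
    "squashfs-root/../../evil",
]


def is_safe_member_path(member: str, dest: str) -> bool:
    """Return True if `member`, once joined to `dest` and normalised,
    still lies inside `dest`.

    This is a purely lexical check on the archive-supplied name: it
    rejects absolute names and '..' escapes without touching the
    filesystem. Symlinks already present under `dest` (or created by an
    earlier member) are a separate concern and are not resolved here.
    """
    dest_abs = posixpath.normpath(dest)
    # posixpath.join discards `dest` when `member` is absolute, so an
    # absolute member naturally fails the prefix test below.
    target = posixpath.normpath(posixpath.join(dest_abs, member))
    # Require the separator so that "/tmp/extract2" is not mistaken
    # for a child of "/tmp/extract".
    return target == dest_abs or target.startswith(dest_abs + "/")


def partition_members(members, dest: str):
    """Split a member listing into (safe, unsafe) lists for `dest`."""
    safe, unsafe = [], []
    for name in members:
        (safe if is_safe_member_path(name, dest) else unsafe).append(name)
    return safe, unsafe


if __name__ == "__main__":
    ok, bad = partition_members(SAMPLE_MEMBERS, "/tmp/extract")
    print("would extract inside destination:", ok)
    print("would escape destination:", bad)
```

The check validates names before anything is written; it does not change how the extraction tool itself behaves, which is why the thread's point stands that a weakness in unsquashfs would need fixing in unsquashfs. Anything that lists members and then extracts them can run such a filter over the listing first and refuse the archive if the unsafe list is non-empty.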

