[diffoscope] 03/03: comparators.squashfs: Extract archive in one go rather than per-file, speeding up ISO comparison by ~10x
Ximin Luo
infinity0 at debian.org
Mon Mar 20 16:39:00 CET 2017
Chris Lamb:
> Hi Ximin,
>
>>> commit 52b70b269e4faa31dba92799f57cc135dcb60832
>>> Author: Chris Lamb <lamby at debian.org>
>>>
>>> comparators.squashfs: Extract archive in one go rather
>>> than per-file, speeding up ISO comparison by ~10x
>>
>> Hi Chris, do you know if it is possible for squashfs images to
>> contain tricky paths like /evil/path or ../../../../evil/path
>
> I've never *seen* such a thing but if this were the case we would be
> vulnerable regardless of whether we extracted per file or per archive;
> the exploit — if it exists — would be in unsquashfs.
>
Well, that would still be a security issue that leaves our users vulnerable - and if so we should report and probably fix it in unsquashfs since upstream is AWOL.
Can you please investigate this further? I will look into the Tails / DOS/MBR issue.
X
--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
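A lexical pre-extraction check of the kind this thread is asking about, written as an added example; it is not diffoscope's or unsquashfs's code. The destination directory and the member listing are constructed for illustration, and the listing format is an assumption rather than real `unsquashfs -ls` output.

```python
import os
import posixpath

# Constructed sample listing of archive member paths (an assumption, not real
# unsquashfs output). It mixes harmless entries with the kinds of paths the
# thread is worried about.
SAMPLE_MEMBERS = [
    "etc/hostname",
    "usr/bin/../lib/libfoo.so",   # normalises to usr/lib/libfoo.so, stays inside
    "/evil/path",                 # absolute path
    "../../../../evil/path",      # climbs above the extraction root
    "var/../../escape",           # traversal hidden behind a normal prefix
]


def member_is_safe(dest_root, member):
    """Return True if extracting `member` under `dest_root` cannot escape it.

    Rejects empty names, absolute paths and any path that, once normalised,
    resolves outside dest_root. This is purely lexical: symlinks created by
    earlier members and followed by later ones are a separate concern.
    """
    if not member or posixpath.isabs(member):
        return False
    root = os.path.abspath(dest_root)
    target = os.path.abspath(os.path.join(root, member))
    # commonpath, not startswith: "/tmp/out2" must not pass as inside "/tmp/out"
    return os.path.commonpath([root, target]) == root


def unsafe_members(dest_root, members):
    """Return the subset of `members` that must not be extracted under dest_root."""
    return [m for m in members if not member_is_safe(dest_root, m)]


if __name__ == "__main__":
    for m in unsafe_members("/tmp/extract-root", SAMPLE_MEMBERS):
        print("refusing to extract:", m)
```

Such a check would run over the archive listing before the single extraction call, so a bad entry aborts the comparison instead of relying on the extractor to refuse it.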