I'm having some trouble sponsoring this debdiff. Here's a cleaned up version of a chat I had with Simon about this:
tyhicks> tsimonq2: hey - what am I supposed to do with tar_relative_path_outside_archive.tar.bz2 for bug #1712948? debian/source/include-binaries is not well documented...
tyhicks> tsimonq2: also, is there any use in including the autotest/ changes? I don't see where they're ever used
tsimonq2> tyhicks: With the tar, the patch file has the location iirc
tsimonq2> tyhicks: And the autotest/ changes are from the upstream commit iirc, so that can also help with regression testing (I don't see a reason to exclude them)
tyhicks> tsimonq2: when do the tests get run?
tsimonq2> But the tests added *should* be ran
tyhicks> tsimonq2: I applied your debdiff, without downloading the tarball and the build was successful which indicates to me that autotest/ isn't used
tyhicks> tsimonq2: I then downloaded the tarball to autotest/tar_relative_path_outside_archive.tar.bz2 and the source package build failed with http://paste.ubuntu.com/25485048/
tyhicks> tsimonq2: so the gist is that I don't know how you built the package with the tarball and, because of that, I'd like to know whether it is even worth the trouble to include the autotest/ changes at all
tyhicks> tsimonq2: if it is worth it, then I need some more info on what to do with the tarball

** Changed in: karchive (Ubuntu Xenial)
       Status: In Progress => Incomplete

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1712948

Title:
  [CVE] KNewstuff downloads can install files outside the extraction directory

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com