Hi,
Nicolas François wrote (15 Jan 2009 23:15:19 GMT) :
> Thanks for the 2 patches (and the documentation). I committed them.
Thanks. My ikiwiki po plugin now disables the use of Text::WrapI18n,
if the installed po4a version is recent enough (currently means: CVS).
> On Thu, Jan 15, 2009 at 06:12:58PM +0100, intrigeri(a)boum.org wrote:
> >
> > Side note: as this works around #470250, and fixes a security issue
> > (exposed by my ikiwiki plugin use case), is it realistic to get
> > something based on this patch into Lenny? I would happily provide the
> > same patch against the po4a package currently in Lenny.
> If #470250 is really a security issue (DOS, right?), I would prefer
> libtext-wrapi18n-perl to be fixed. This would also provide a fix for
> non-programmatic usage of the Locale::Po4a library and even usage of
> libtext-wrapi18n-perl outside of po4a.
I obviously would prefer this too. But last time I checked, your
proposed patch had received no answer from
libtext-wrapi18n-perl maintainer.
Do you think this should be raised to the security team and
release team?
I'm not familiar enough with Debian security process to know how
seriously this potential denial of service would be taken by
these teams, in particular at a time when testing is frozen and
release is imminent (yeah).
$ apt-cache rdepends libtext-wrapi18n-perl
libtext-wrapi18n-perl
Reverse Depends:
po4a
po4a
module-assistant
docbook2x
debconf-i18n
On the one hand, module-assistant and debconf-i18n are often, or
usually, run with root credentials. On the other hand, they are run
against input data that has been uploaded into Debian, and thus can be
considered as somehow trusted... else you've got harder problems
to solve.
docbook2x commands may be run by a user against untrusted data.
This package has no reverse dependencies. I cannot think of
a situation where one would need to run them as root against untrusted
data, especially in an automated, non-interactive way, so it seems to
me the worst that can happen is having to hit Ctrl-C after a few
minutes lost waiting for the infinite loop to eventually end.
As a conclusion, my non-DD opinion on this topic is: this bug should
be fixed in Lenny, and thus deserves a NMU (if needed) and a freeze
exception, but a DSA would probably be a bit too much.
Bye,
--
intrigeri <intrigeri(a)boum.org>
| gnupg key @
https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| If you must label the absolute, use its proper name: Temporary.