Risk of using rpm parser?

Miroslav Suchý msuchy at redhat.com
Wed Mar 5 12:31:11 UTC 2014

On 03/03/2014 01:11 PM, Florian Weimer wrote:
> Parsing the src.rpm is unsafe (or more precisely, the spec file in it).  This is by design, no exploit is needed.

I meant parsing final RPMs. I should rather say querying.

> Parsing the final RPMs can be made safe in theory

And in practice? :)
What would be of interest for me is Requires, Provides, Description... and probably the list of files (but not their content).

Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
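The read-only query the reply asks about (Requires, Provides, Description and the file list from a final, binary RPM), as an added example that is not part of this thread or of rpm itself: a minimal Python parser for the RPM lead and header sections that never opens the payload and never runs a scriptlet, and that bounds-checks every index entry against the sizes the header declares before reading. The tag numbers and header layout are those of the RPM header format; the sample package is constructed inline, and the size limits are this example's own assumptions.

```python
"""Read-only query of a binary RPM's header: Name, Requires, Provides,
Description and the file list, without calling rpm(8) and without ever
touching the payload or any scriptlet.  Every read is bounds-checked
against the sizes declared in the header."""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"   # first 4 bytes of every RPM
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # starts the signature and main headers
LEAD_SIZE = 96
# Limits chosen for this example (assumption) so a hostile nindex/hsize
# cannot make us allocate or loop without bound.
MAX_INDEX_ENTRIES = 65_535
MAX_DATA_BYTES = 64 * 1024 * 1024

# rpm header tag numbers (rpmtag.h) and data types used here
TAG_NAME, TAG_VERSION, TAG_RELEASE, TAG_DESCRIPTION = 1000, 1001, 1002, 1005
TAG_PROVIDENAME, TAG_REQUIRENAME = 1047, 1049
TAG_DIRINDEXES, TAG_BASENAMES, TAG_DIRNAMES = 1116, 1117, 1118
T_INT32, T_STRING, T_STRING_ARRAY, T_I18NSTRING = 4, 6, 8, 9


def _cstrings(data, off, count):
    """Read `count` NUL-terminated strings starting at data[off]."""
    out = []
    for _ in range(count):
        end = data.find(b"\0", off)
        if end < 0:
            raise ValueError("unterminated string in header data")
        out.append(data[off:end].decode("utf-8", "replace"))
        off = end + 1
    return out


def parse_header(blob, pos):
    """Parse one header section at blob[pos:]; return (tags, end offset).
    Only the types this query needs are decoded; other types are skipped."""
    if len(blob) < pos + 16 or blob[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad or truncated header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    if nindex > MAX_INDEX_ENTRIES or hsize > MAX_DATA_BYTES:
        raise ValueError("header declares an implausible size")
    idx_start = pos + 16
    data_start = idx_start + 16 * nindex
    data_end = data_start + hsize
    if data_end > len(blob):
        raise ValueError("truncated header")
    data = blob[data_start:data_end]
    tags = {}
    for i in range(nindex):
        ent = idx_start + 16 * i
        tag, typ, off, count = struct.unpack(">IIII", blob[ent:ent + 16])
        if off >= hsize:
            raise ValueError("index entry %d points outside header data" % i)
        if typ == T_INT32:
            if off + 4 * count > hsize:
                raise ValueError("int32 array overruns header data")
            tags[tag] = list(struct.unpack(">%dI" % count, data[off:off + 4 * count]))
        elif typ in (T_STRING, T_STRING_ARRAY, T_I18NSTRING):
            tags[tag] = _cstrings(data, off, 1 if typ == T_STRING else count)
    return tags, data_end


def main_header_offset(blob):
    """Skip the lead and the signature header (which is padded to 8 bytes)."""
    if len(blob) < LEAD_SIZE or blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead")
    _sig, end = parse_header(blob, LEAD_SIZE)   # signature tags unused here
    return (end + 7) & ~7


def query_rpm(blob):
    """Return the fields the reply is interested in; the payload is never read."""
    hdr, _ = parse_header(blob, main_header_offset(blob))
    dirs, bases = hdr.get(TAG_DIRNAMES, []), hdr.get(TAG_BASENAMES, [])
    idx = hdr.get(TAG_DIRINDEXES, [])
    if len(idx) != len(bases) or any(i >= len(dirs) for i in idx):
        raise ValueError("inconsistent file tags")
    return {
        "name": hdr.get(TAG_NAME, [""])[0],
        "version": hdr.get(TAG_VERSION, [""])[0],
        "release": hdr.get(TAG_RELEASE, [""])[0],
        "description": hdr.get(TAG_DESCRIPTION, [""])[0],   # C-locale entry
        "requires": hdr.get(TAG_REQUIRENAME, []),
        "provides": hdr.get(TAG_PROVIDENAME, []),
        "files": [dirs[i] + b for i, b in zip(idx, bases)],
    }


def build_header(entries):
    """Serialise (tag, type, value) triples into a header section; used only
    to construct the sample package below."""
    index, data = b"", b""
    for tag, typ, val in entries:
        if typ == T_INT32:
            data += b"\0" * (-len(data) % 4)          # rpm aligns int32 data
            off, count = len(data), len(val)
            data += struct.pack(">%dI" % count, *val)
        else:
            vals = [val] if typ == T_STRING else val
            off, count = len(data), len(vals)
            data += b"".join(v.encode() + b"\0" for v in vals)
        index += struct.pack(">IIII", tag, typ, off, count)
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_sample_rpm():
    """Constructed sample: lead + signature header + main header + fake payload."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * (LEAD_SIZE - 6)   # v3.0 lead
    sig = build_header([(1000, T_INT32, [0])])          # SIGTAG_SIZE placeholder
    sig += b"\0" * (-len(sig) % 8)
    main = build_header([
        (TAG_NAME, T_STRING, "demo"),
        (TAG_VERSION, T_STRING, "1.0"),
        (TAG_RELEASE, T_STRING, "1"),
        (TAG_DESCRIPTION, T_I18NSTRING, ["A constructed demo package"]),
        (TAG_PROVIDENAME, T_STRING_ARRAY, ["demo", "libdemo.so.1"]),
        (TAG_REQUIRENAME, T_STRING_ARRAY, ["/bin/sh", "libc.so.6"]),
        (TAG_DIRINDEXES, T_INT32, [0, 1]),
        (TAG_BASENAMES, T_STRING_ARRAY, ["demo", "demo.conf"]),
        (TAG_DIRNAMES, T_STRING_ARRAY, ["/usr/bin/", "/etc/"]),
    ])
    return lead + sig + main + b"<compressed cpio payload: never read>"


if __name__ == "__main__":
    for k, v in query_rpm(build_sample_rpm()).items():
        print("%-12s %s" % (k, v))
```

The point of the design is that nothing in the package is interpreted: the lead is checked for its magic, each header section is walked by its declared index and data sizes, and every offset and count from the index is checked against those sizes before a byte is read, so a malformed or hostile package can only produce a ValueError, never a read past the buffer and never code execution. Pass a real file's bytes to query_rpm for the same query; signatures and digests are deliberately not verified here, so this answers "what does the header claim" and not "is the package trustworthy".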

More information about the Rpm-list mailing list