
[SCM] Debian package checker branch, etch, updated. fbe0c92b2ef7e360d13414bf40d6af5507d0c86d



The following commit has been merged in the etch branch:
commit 0e60e80b25206c3fb0ab1fd6bbbc4a8a4ca08e9f
Author: Raphael Geissert <atomo64@gmail.com>
Date:   Mon Jan 25 23:21:57 2010 -0600

    Fix CVE-2009-4013, missing control files sanitation
    
    Control field names and values were not sanitised before being used
    in certain operations, which could lead to directory traversal.
    
    An attacker could exploit these vulnerabilities to overwrite arbitrary
    files.

diff --git a/checks/fields b/checks/fields
index dbb4494..fd5e4d5 100644
--- a/checks/fields
+++ b/checks/fields
@@ -778,8 +778,12 @@ if (open(FH, "fields/python-version")) {
 
 #----- Field checks (without checking the value)
 
-for my $field (glob("fields/*")) {
-	$field =~ s!^fields/!!;
+opendir(FIELDS, 'fields/')
+	or fail("cannot read fields/ directory: $!");
+for my $field (readdir FIELDS) {
+	next if ($field eq '.' || $field eq '..');
+
+	$field =~ s,:,/,g;
 
 	tag "obsolete-field", "$field"
 	    if $known_obsolete_fields{$field};
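Review bot: `FIELDS` on the new `opendir` line is a bareword, package-global handle, and the matching `closedir(FIELDS)` added in the next hunk of this file shows the pairing has to be maintained by hand; a lexical handle is scoped to the loop and cannot collide with any other `FIELDS` in the package: `opendir(my $fields_dh, 'fields/') or fail("cannot read fields/ directory: $!");` and `for my $field (readdir $fields_dh) {`. The `$field =~ s,:,/,g;` line needs a comment, because nothing here tells a reader that the unpack scripts stored a `/` in a field name as `:`; suggest `# unpack-*-l1 writes '/' in a field name as ':' so the name is a safe file name; undo that here`. Note the mapping is lossy: a name that genuinely contained `:` comes back with `/`, which is only acceptable because control field names cannot contain `:`. The `.`/`..` skip can be written as one anchored match, `next if $field =~ /\A\.\.?\z/;`, which also reads as what it rejects.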
@@ -793,6 +797,7 @@ for my $field (glob("fields/*")) {
 	tag "unknown-field-in-control", "$field"
 	    if ($type eq "udeb" && ! $known_udeb_fields{$field} && ! $known_obsolete_fields{$field});
 }
+closedir(FIELDS);
 
 }
 
diff --git a/collection/source-control-file b/collection/source-control-file
index a5d8d03..5b7ca15 100755
--- a/collection/source-control-file
+++ b/collection/source-control-file
@@ -43,10 +43,12 @@ foreach (@control_data) {
     mkdir "control/$pkg_name", 0777
         or fail( "can't create dir control/$pkg_name: $!" );
     for my $field (keys %$_) {
+        my $value = $_->{$field};
+        $field =~ s,/,:,g;
         my $field_file = "control/$pkg_name/$field";
         open F, ">", "$field_file"
             or fail("cannot open file $field_file for writing: $!");
-        print F $_->{$field},"\n";
+        print F $value,"\n";
         close F;
     }
 }
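Review bot: the new `$field =~ s,/,:,g;` is applied without saying why, and the reverse mapping lives in checks/fields where the next maintainer will not look; add `# '/' in a field name would escape control/$pkg_name, so store it as ':' (checks/fields maps it back)`. The mapping is not injective — a name containing `:` and one containing `/` read back identically — which is harmless only because control field names cannot contain `:`, and the comment should say so. `$pkg_name` on the `mkdir` context line above is also taken from the control data, and this hunk does not show where it is validated; if it is not checked elsewhere, a `..` or `/` in it still builds a path outside control/. The enclosing `foreach` starts outside the hunk.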
diff --git a/frontend/lintian b/frontend/lintian
index 14f31a2..676f7ac 100755
--- a/frontend/lintian
+++ b/frontend/lintian
@@ -663,6 +663,9 @@ while (my $arg = shift) {
 		next if $_ eq '';
 
 		my ($md5sum,$size,$section,$priority,$file) = split(/\s+/o, $_);
+
+		next if ($file =~ m,/,);
+
 		my $filename = $arg_dir . '/' . $file;
 	
 		# check size
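Review bot: `next if ($file =~ m,/,);` drops the entry silently, whereas `schedule_package` in the same commit warns before skipping a bad package name; a malformed file entry should be reported the same way, e.g. `warn "warning: bad file name '$file', skipping\n";` before the `next`. The test rejects only an embedded slash, so a whole-name `.` or `..` still reaches `$arg_dir . '/' . $file` and the size check below; `next if $file =~ m{/} or $file =~ /\A\.\.?\z/;` covers those as well. The enclosing `while` starts outside the hunk.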
@@ -1557,6 +1560,13 @@ sub get_src_info_from_lab {
 sub schedule_package {
     my ($type,$pkg,$ver,$file) = @_;
 
+    if ( $pkg =~ m,/, ) {
+       warn(sprintf("warning: bad name for %2\$s package '%1\$s', skipping\n",
+           $pkg, $type eq 'b' ? 'binary' : ($type eq 's' ? 'source': 'udeb')));
+       return;
+    }
+
+
     my $s = "$type $pkg $ver $file";
 
     if ( $already_scheduled{$s}++ ) {
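Review bot: the new guard rejects only a `/` inside `$pkg`, so `.` and `..` still pass into `$s` and any path later built from the package name; an anchored whitelist of the characters a Debian package name may contain rejects those and states the intent directly: `if ($pkg !~ /\A[a-z0-9][a-z0-9+.-]+\z/) {`. The nested ternary inside the `warn` is hard to read and is better as a lookup, `my %name_of = (b => 'binary', s => 'source', u => 'udeb');` followed by `$name_of{$type} // 'udeb'` in the `sprintf` arguments. The two blank lines after the closing brace should be one; the rest of `schedule_package` continues outside the hunk.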
diff --git a/unpack/unpack-binpkg-l1 b/unpack/unpack-binpkg-l1
index 5437045..00d154f 100755
--- a/unpack/unpack-binpkg-l1
+++ b/unpack/unpack-binpkg-l1
@@ -83,13 +83,17 @@ $data->{'source'} or ($data->{'source'} = $data->{'package'});
 
 # create control field files
 for my $field (keys %$data) {
+    my $value = $data->{$field};
+    $field =~ s,/,:,g;
     my $field_file = "$base_dir/fields/$field";
     open(F,">$field_file") or fail("cannot open file $field_file for writing: $!");
-    print F $data->{$field},"\n";
+    print F $value,"\n";
     close(F);
 }
 
-# create symlink to source package
-symlink("../../source/$data->{'source'}","$base_dir/source") or fail("symlink: $!");
+if ($data->{'source'} !~ m,/,) {
+    # create symlink to source package
+    symlink("../../source/$data->{'source'}","$base_dir/source") or fail("symlink: $!");
+}
 
 exit 0;
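Review bot: the `open(F,">$field_file")` context line is still a two-argument `open` with the attacker-influenced field name interpolated into the mode string; now that only `/` is replaced in `$field`, the three-argument form `open(my $field_fh, '>', $field_file) or fail("cannot open file $field_file for writing: $!");` removes the mode-string parsing altogether, and the identical loop in unpack-srcpkg-l1 has the same line. The new `$field =~ s,/,:,g;` also wants a comment that checks/fields reverses it: `# field names become file names under fields/; store '/' as ':' (checks/fields maps it back)`. The `if ($data->{'source'} !~ m,/,)` guard skips the symlink silently and leaves `$base_dir/source` absent, so whatever later relies on it will fail with a less useful message; a `warn` naming the rejected Source value before the skip would make the cause visible.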
diff --git a/unpack/unpack-srcpkg-l1 b/unpack/unpack-srcpkg-l1
index 464efed..aeea525 100755
--- a/unpack/unpack-srcpkg-l1
+++ b/unpack/unpack-srcpkg-l1
@@ -48,9 +48,11 @@ mkdir("$base_dir/fields", 0777) or fail("mkdir $base_dir/fields: $!");
 
 # create control field files
 for my $field (keys %$data) {
+  my $value = $data->{$field};
+  $field =~ s,/,:,g;
   my $field_file = "$base_dir/fields/$field";
   open(F,">$field_file") or fail("cannot open file $field_file for writing: $!");
-  print F $data->{$field},"\n";
+  print F $value,"\n";
   close(F);
 }
 
@@ -61,12 +63,14 @@ symlink($file,"$base_dir/dsc") or fail("cannot symlink dsc file: $!");
 for my $fs (split(/\n/,$data->{'files'})) {
   next if $fs =~ /^\s*$/o;
   my @t = split(/\s+/o,$fs);
+  next if ($t[2] =~ m,/,);
   symlink("$dir/$t[2]","$base_dir/$t[2]") or fail("cannot symlink file $t[2]: $!");
 }
 
 # Create symbolic links to binary packages
 mkdir("$base_dir/binary", 0777) or fail("mkdir $base_dir/binary: $!");
 for my $bin (split(/,\s+/o,$data->{'binary'})) {
+  next if ($bin =~ m,/,);
   symlink("../../../binary/$bin", "$base_dir/binary/$bin") or fail("cannot symlink binary package $bin: $!");
 }
 
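Review bot: both new `next if` guards reject an embedded `/` but still let a whole-name `.` or `..` through to `symlink`, where it collides with the entry that always exists at `$base_dir/..` or `$base_dir/binary/.` and trips `fail` instead of being reported as a bad package; rejecting a leading dot covers it, `next if $t[2] =~ m{/} or $t[2] =~ /\A\./;` and likewise for `$bin`. Both guards are silent, unlike `schedule_package` in this commit, which warns before skipping, so a `warn` naming the offending entry would keep the behaviour consistent. `$t[2]` is undefined when a Files line has fewer than three fields, so the match would warn if this script runs under `use warnings` (not visible here); `next unless defined $t[2] and $t[2] !~ m{/};` guards that too.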


