
[SCM] Debian package checker branch, etch, updated. fbe0c92b2ef7e360d13414bf40d6af5507d0c86d



The following commit has been merged in the etch branch:
commit 50c695093a9905b31d36eecea713519394d5bca1
Author: Raphael Geissert <atomo64@gmail.com>
Date:   Tue Jan 26 00:45:51 2010 -0600

    Fix CVE-2009-4015, arbitrary command execution
    
    File names were not properly escaped when passed as arguments to
    certain commands, allowing other commands to be executed, either via
    pipe-mode opens or as a sequence of shell commands.

diff --git a/checks/debhelper b/checks/debhelper
index 4da3aab..e2d6a22 100644
--- a/checks/debhelper
+++ b/checks/debhelper
@@ -150,7 +150,7 @@ while (defined(my $file=readdir(DEBIAN))) {
     if ($file =~ m/^(?:(.*)\.)?(?:post|pre)(?:inst|rm)$/) {
 	
         my $binpkg = $1 || '';
-	open(IN,"debfiles/$file")
+	open(IN,'<',"debfiles/$file")
 	    or fail("Can't open debfiles/$file: $!");
 	my $seentag = '';
 	while (<IN>) {
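Review bot: The three-argument `open` closes the mode-injection hole, but the handle is still the package-global bareword `IN`, so a nested call that also opens `IN` silently clobbers this one; a lexical handle, `open(my $in, '<', "debfiles/$file") or fail("Can't open debfiles/$file: $!");` with `while (<$in>)`, scopes the handle to the block. The same bareword handles are kept in the new lines of checks/infofiles, checks/init.d, both checks/menu-format hunks and both checks/scripts hunks. The enclosing `while (readdir)` loop starts before this hunk and its `close` is not visible here.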
diff --git a/checks/files b/checks/files
index 11f48b6..f1bba53 100644
--- a/checks/files
+++ b/checks/files
@@ -199,7 +199,7 @@ while (<IN>) {
 		# gzipped zero byte files:
 		# 276 is 255 bytes (maximal length for a filename) + gzip overhead
 		if ($file =~ m,.gz$, and $size <= 276 and $perm =~ m,^-,) {
-		    unless (`gzip -dc unpacked/$file`) {
+		    unless (`gzip -dc unpacked/\Q$file\E`) {
 			tag "zero-byte-file-in-doc-directory", "$file";
 		    }
 		}
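Review bot: `\Q$file\E` is regex quoting (`quotemeta`), not shell quoting, and the command still goes through `sh` because of the backticks; as far as I can tell the Bourne shell honours a backslash before every byte except newline, where it is a line continuation, so a file name containing a newline is mangled and the check silently tests the wrong path rather than the intended one. Running `gzip` without a shell removes the escaping question entirely; the list-form pipe `open` below does that and keeps the empty-output test the `unless` relies on. The same pattern appears in the new lines of checks/po-debconf (`system_env(... \Q$file\E ...)`, where the `2>/dev/null` redirect would have to move into a list-form helper or an `open STDERR` dup) and lib/Util.pm (`open ICONV, "... \Q$file\E 2>&1 |"`, where the stderr merge needs IPC::Open3 or a manual fork once the shell is gone). The enclosing `while (<IN>)` loop starts before this hunk.
```perl
if ($file =~ m,.gz$, and $size <= 276 and $perm =~ m,^-,) {
    # Run gzip without a shell so the file name never needs escaping;
    # an empty stream slurps to '' which keeps the unless() test below.
    my $gunzipped = do {
        open my $gz, '-|', 'gzip', '-dc', "unpacked/$file"
            or fail("cannot run gzip on unpacked/$file: $!");
        local $/;
        my $out = <$gz>;
        close $gz;
        $out;
    };
    unless ($gunzipped) {
        tag "zero-byte-file-in-doc-directory", "$file";
    }
}
```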
diff --git a/checks/infofiles b/checks/infofiles
index f5c718e..5471764 100644
--- a/checks/infofiles
+++ b/checks/infofiles
@@ -162,7 +162,7 @@ sub check_script {
     my ($no_check_menu,$no_check_installdocs);
     my $interp;
 
-    open(IN,"control/$script") or
+    open(IN,'<',"control/$script") or
 	fail("cannot open maintainer script control/$script for reading: $!");
     $interp = <IN>;
     if ($interp =~ m,^\#\!\s*/bin/(a|ba|k|pdk)?sh,) {
diff --git a/checks/init.d b/checks/init.d
index 1098cbc..e36129a 100644
--- a/checks/init.d
+++ b/checks/init.d
@@ -152,7 +152,7 @@ for (keys %initd_postinst) {
     my $initd_file = "init.d/$_";
     if (-f $initd_file) {
 	# yes! check it...
-	open(IN,$initd_file) or fail("cannot open init.d file $initd_file: $!");
+	open(IN,'<',$initd_file) or fail("cannot open init.d file $initd_file: $!");
 	my (%tag, %lsb);
 	while (defined(my $l = <IN>)) {
 	    if ($l =~ m/^\#\#\# BEGIN INIT INFO/) {
diff --git a/checks/menu-format b/checks/menu-format
index da20fe2..8422a03 100644
--- a/checks/menu-format
+++ b/checks/menu-format
@@ -141,7 +141,7 @@ foreach my $menufile (@menufiles) {
     next if $basename eq "README"; # README is a special case
 
     my $menufile_line ="";
-    open (IN, $menufile) or
+    open (IN, '<', $menufile) or
 	fail("cannot open menu file $menufile for reading.");
     # line below is commented out in favour of the while loop
     # do { $_=<IN>; } while defined && (m/^\s* \#/ || m/^\s*$/);
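Review bot: The `fail` message on the line after the new `open` omits `$!`, unlike every other open-failure message in this commit, so a permission or ENOENT problem on a menu file is reported without its cause; `fail("cannot open menu file $menufile for reading: $!");` restores the diagnostic. The enclosing `foreach my $menufile` loop starts before this hunk.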
@@ -465,7 +465,7 @@ sub VerifyIcon {
 	$iconfile = "unpacked/usr/share/pixmaps/$icon";
     }
 
-    if (! open IN, $iconfile) {
+    if (! open IN, '<', $iconfile) {
 	tag "menu-icon-missing", "$icon";
 	return;
     }
diff --git a/checks/po-debconf b/checks/po-debconf
index 9c9a22b..34eabc2 100644
--- a/checks/po-debconf
+++ b/checks/po-debconf
@@ -144,7 +144,7 @@ while (defined(my $file=readdir(DEBIAN))) {
         }
         tag "unknown-encoding-in-po-file", "debian/po/$file"
                 unless length($charset);
-	system_env("msgfmt -o /dev/null debfiles/po/$file 2>/dev/null") == 0
+	system_env("msgfmt -o /dev/null debfiles/po/\Q$file\E 2>/dev/null") == 0
 		or tag "invalid-po-file", "debian/po/$file";
 }
 
diff --git a/checks/scripts b/checks/scripts
index 9e3bfb6..ae5c2ec 100644
--- a/checks/scripts
+++ b/checks/scripts
@@ -439,7 +439,7 @@ while (<SCRIPTS>) {
 # print "E: something" unless exists $maintainer_scripts{$file}
 
     # now scan the file contents themselves
-    open C, "$filename"
+    open C, '<', "$filename"
 	or fail("cannot open maintainer script $filename for reading: $!");
 
     my %warned;
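Review bot: The new `open C, '<', "$filename"` wraps the path in double quotes for no reason — `"$filename"` is the same string as `$filename`, and the quoting only suggests to a reader that some interpolation is happening; `open C, '<', $filename` says what is meant. The enclosing `while (<SCRIPTS>)` loop starts before this hunk.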
@@ -649,7 +649,7 @@ sub tag_warn {
 sub script_is_evil_and_wrong {
     my ($filename) = @_;
     my $ret = 0;
-    open IN, $filename or fail("cannot open $filename: $!");
+    open IN, '<', $filename or fail("cannot open $filename: $!");
     my $i = 0;
     local $_;
     while (<IN>) {
diff --git a/lib/Util.pm b/lib/Util.pm
index 5ff51c5..07c7744 100644
--- a/lib/Util.pm
+++ b/lib/Util.pm
@@ -121,7 +121,7 @@ sub read_dpkg_control {
     }
 
     my $CONTROL = FileHandle->new;
-    open($CONTROL,$file)
+    open($CONTROL,'<',$file)
 	or fail("cannot open control file $file for reading: $!");
     my @data = parse_dpkg_control($CONTROL, $debconf_flag);
     close($CONTROL)
@@ -193,7 +193,7 @@ sub file_is_encoded_in_non_utf8 {
 	my ($file, $type, $pkg) = @_;
 	my $non_utf8 = 0;
 	
-	open ICONV, "env LANG=C iconv -f utf8 -t utf8 $file 2>&1 |"
+	open ICONV, "env LANG=C iconv -f utf8 -t utf8 \Q$file\E 2>&1 |"
 	    or fail("failure while checking encoding of $file for $type package $pkg");
 	my $line = 1;
 	while (<ICONV>) {

-- 
Debian package checker

