
[SCM] Debian package checker branch, wheezy, updated. 2.5.10.4-15-ge0dc594



The following commit has been merged in the wheezy branch:
commit 684a310d02629f7119e99ca3755b0723f2babc2d
Author: Niels Thykier <niels@thykier.net>
Date:   Fri Apr 5 10:15:25 2013 +0200

    coll/*: Fix traversal via symlink in multiple collections
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/collection/copyright-file b/collection/copyright-file
index afcb04e..c94e4bf 100755
--- a/collection/copyright-file
+++ b/collection/copyright-file
@@ -23,7 +23,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(fail gunzip_file touch_file);
+use Lintian::Util qw(fail gunzip_file is_ancestor_of touch_file);
 
 use File::Copy qw(copy);
 
@@ -34,6 +34,14 @@ if ( -e "$dir/copyright" ) {
     unlink "$dir/copyright" or fail "unlink copyright: $!";
 }
 
+if (-d "$dir/unpacked/usr/share/doc/$pkg"
+      && !is_ancestor_of("$dir/unpacked", "$dir/unpacked/usr/share/doc/$pkg")) {
+    # if the parent dir is outside the package, just stop here before we
+    # do something we will regret.
+    touch_file("$dir/copyright");
+    return;
+}
+
 my $file = "$dir/unpacked/usr/share/doc/$pkg/copyright";
 
 # If copyright was a symlink, we need to make a copy of it.  Just hardlinking
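Review bot: The added guard ends with `return;` at what appears to be file scope (the block sits at column 0, directly before the top-level `my $file = ...`), and Perl aborts with "Can't return outside a subroutine" when that statement runs in a script executed directly. If collection/copyright-file is run as a standalone program, as its 100755 mode suggests, the safe path would create the placeholder with `touch_file` and then die instead of finishing cleanly; `exit 0;` in place of `return;` keeps the intended behaviour. The same `return;` appears in the guards added to collection/doc-base-files and collection/init.d. The rest of the script lies outside the hunk, so this should be confirmed against how collections are invoked on this branch.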
diff --git a/collection/doc-base-files b/collection/doc-base-files
index d9aeec1..d204db2 100755
--- a/collection/doc-base-files
+++ b/collection/doc-base-files
@@ -24,7 +24,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(copy_dir delete_dir fail);
+use Lintian::Util qw(copy_dir delete_dir fail is_ancestor_of);
 
 ($#ARGV == 2) or fail 'syntax: doc-base-files <pkg> <type> <dir>';
 my ($pkg, $type, $dir) = @ARGV;
@@ -35,6 +35,11 @@ if ( -e "$dir/doc-base") {
 }
 
 if ( -d "$dir/unpacked/usr/share/doc-base") {
+    if (!is_ancestor_of("$dir/unpacked", "$dir/unpacked/usr/share/doc-base")) {
+        # Unsafe
+        mkdir ("$dir/doc-base", 0777) or fail "cannot mkdir doc-base: $!";
+        return;
+    }
     copy_dir ("$dir/unpacked/usr/share/doc-base", "$dir/doc-base")
         or fail('cannot copy directory unpacked/usr/share/doc-base');
 } else {
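Review bot: The `is_ancestor_of` check covers only the directory `usr/share/doc-base` itself, not the entries inside it. Whether `copy_dir` preserves or dereferences symlinks is not visible here, so an entry inside the directory that is a symlink to a path outside `$dir/unpacked` may still be followed by the copy or by a later reader of `$dir/doc-base`. It would help to state the assumption next to the call, e.g. `# copy_dir must not dereference symlinks; readers of doc-base must re-check each entry`, and to verify it. The same applies to the `copy_dir` calls in collection/init.d and collection/menu-files. The `if`/`else` continues past the end of the hunk.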
diff --git a/collection/init.d b/collection/init.d
index ddc27d2..e94b7da 100755
--- a/collection/init.d
+++ b/collection/init.d
@@ -23,7 +23,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(copy_dir delete_dir fail);
+use Lintian::Util qw(copy_dir delete_dir fail is_ancestor_of);
 
 ($#ARGV == 2) or fail('syntax: init.d <pkg> <type> <dir>');
 my ($pkg, $type, $dir) = @ARGV;
@@ -34,6 +34,12 @@ if (-e "$dir/init.d") {
 }
 
 if (-d "$dir/unpacked/etc/init.d") {
+    if (!is_ancestor_of("$dir/unpacked", "$dir/unpacked/etc/init.d")) {
+        # Unsafe, stop
+        mkdir ("$dir/init.d", 0777) or fail "cannot mkdir init.d: $!";
+        return;
+    }
+
     copy_dir("$dir/unpacked/etc/init.d", "$dir/init.d")
         or fail('cannot copy init.d directory');
 } else {
diff --git a/collection/menu-files b/collection/menu-files
index 15fc69a..0d538fe 100755
--- a/collection/menu-files
+++ b/collection/menu-files
@@ -23,7 +23,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(copy_dir delete_dir fail);
+use Lintian::Util qw(copy_dir delete_dir fail is_ancestor_of);
 
 ($#ARGV == 2) or fail('syntax: menu-files <pkg> <type> <dir>');
 my ($pkg, $type, $dir) = @ARGV;
@@ -42,6 +42,11 @@ $dirs{'methods'} = 'etc/menu-methods';
 
 while (my ($shortn, $path) = each %dirs) {
     if (-d "$dir/unpacked/$path") {
+        if (!is_ancestor_of("$dir/unpacked", "$dir/unpacked/$path")) {
+            # Unsafe, skip
+            mkdir ("$dir/menu/$shortn", 0777) or fail ("cannot mkdir menu/$shortn: $!");
+            next;
+        }
          copy_dir ("$dir/unpacked/$path", "$dir/menu/$shortn")
             or fail("cannot copy unpacked/$path/ directory");
     } else {
diff --git a/collection/override-file b/collection/override-file
index 2256267..678d7ec 100755
--- a/collection/override-file
+++ b/collection/override-file
@@ -24,7 +24,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(fail gunzip_file);
+use Lintian::Util qw(fail gunzip_file is_ancestor_of);
 
 ($#ARGV == 2) or fail('syntax: override-file <pkg> <type> <dir>');
 my ($pkg, $type, $dir) = @ARGV;
@@ -52,6 +52,11 @@ for my $override (@overrides) {
     }
 }
 
+if (defined $file and !is_ancestor_of("$dir/unpacked", $file)) {
+    # unsafe, pretend we didn't see it.
+    undef $file;
+}
+
 if (not defined $file) {
     # no override found
 } elsif ($file =~ /\.gz$/) {
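Review bot: The comment `# unsafe, pretend we didn't see it.` does not say what is unsafe or why dropping the file is the right response. Something like `# $file resolves outside $dir/unpacked (e.g. via a symlink shipped in the package); treat it as "no override" so nothing outside the package root is read` would make the guard self-explanatory. The skip is also silent, so a package whose override path escapes the root looks the same as one with no overrides; a warning on STDERR here may be worth considering. The `if`/`elsif` chain continues outside the hunk.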
diff --git a/debian/changelog b/debian/changelog
index 161042e..dd6fb51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,8 @@ lintian (2.5.10.5) unstable; urgency=low
     + [NT] Fix path traversal issue that could leak information
       about the host system.
 
+  * collection/*:
+    + [NT] Avoid reading files outside the package root.
   * collection/{changelog-file,debian-readme}:
     + [NT] Ignore files in usr/doc/<pkg>.
     + [NT] Skip collection if usr/share/doc/<pkg> is not contained

-- 
Debian package checker

