
[SCM] Debian package checker branch, lenny, updated. 1.24.2.1-4-gc8d01f0



The following commit has been merged in the lenny branch:
commit c94ce1221383ebc939f337ca9ebcb1e87c6cfe39
Author: Raphael Geissert <atomo64@gmail.com>
Date:   Wed Jan 20 14:05:20 2010 -0600

    Fix CVE-2009-4015, arbitrary command execution
    
    File names were not properly escaped when passed as arguments to
    certain commands, allowing other commands to be executed through pipes
    or as a sequence of shell commands.

diff --git a/checks/files b/checks/files
index efb9af5..e59b1bd 100644
--- a/checks/files
+++ b/checks/files
@@ -250,7 +250,7 @@ while (<IN>) {
 		# gzipped zero byte files:
 		# 276 is 255 bytes (maximal length for a filename) + gzip overhead
 		if ($file =~ m,.gz$, and $size <= 276 and $perm =~ m,^-,) {
-		    unless (`gzip -dc unpacked/$file`) {
+		    unless (`gzip -dc \Qunpacked/$file\E`) {
 			tag "zero-byte-file-in-doc-directory", "$file";
 		    }
 		}
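Review bot: The backtick call on the new line still hands `unpacked/$file` to a shell and relies on `\Q…\E` (quotemeta, a regex-quoting escape) to neutralise it, whereas the checks/patch-systems hunk of this same commit switches to a list-form open that never starts a shell. Backticks have no list form, but the same scalar-context "any output?" test can be done with a piped open read in slurp mode, as below; the `while (<IN>)` loop enclosing this block starts outside the hunk, and I am assuming `fail()` is available here as it is in the other files of the commit. If the backtick form is kept, a comment such as `# \Q..\E backslash-escapes the name for /bin/sh` would record why the escape is there, since quotemeta is documented for regexes, not shells.
```perl
		if ($file =~ m,.gz$, and $size <= 276 and $perm =~ m,^-,) {
		    # List-form open: gzip gets the path as one argument, no shell involved.
		    open(my $gz, '-|', 'gzip', '-dc', "unpacked/$file")
		      or fail("can't fork gzip");
		    my $contents = do { local $/; <$gz> };
		    close $gz;
		    unless ($contents) {
		    # … unchanged: tag zero-byte-file-in-doc-directory …
```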
diff --git a/checks/patch-systems b/checks/patch-systems
index f98f1d6..d5864ee 100644
--- a/checks/patch-systems
+++ b/checks/patch-systems
@@ -201,7 +201,7 @@ sub run {
 # Checks on patches common to all build systems
 sub check_patch($) {
 	my $patch_file = shift;
-	open(DIFFSTAT, "-|", "diffstat -p0 -l debfiles/patches/$patch_file")
+	open(DIFFSTAT, "-|", 'diffstat', '-p0', '-l', "debfiles/patches/$patch_file")
 	  or fail("can't fork diffstat");
 	while (<DIFFSTAT>) {
 		chomp;
diff --git a/collection/objdump-info b/collection/objdump-info
index 0e00763..40c47b7 100755
--- a/collection/objdump-info
+++ b/collection/objdump-info
@@ -54,20 +54,20 @@ while (<FILES>) {
 
 	print OUT "-- $bin\n";
 
-	system("head $bin | grep -q 'packed.*with.*UPX'");
+	system("head \Q$bin\E | grep -q 'packed.*with.*UPX'");
 	print OUT "objdump: $bin: Packed with UPX" if $? == 0;
 
-	if (open(PIPE, '-|', "readelf -l $bin 2>&1")) {
+	if (open(PIPE, '-|', "readelf -l \Q$bin\E 2>&1")) {
 	    local $/;
 	    local $_ = <PIPE>;
 	    print OUT $_;
 	    close PIPE;
 	}
 
-	system("objdump -T $bin >/dev/null 2>&1");
+	system("objdump -T \Q$bin\E >/dev/null 2>&1");
 	if ($? == 0) {
 	    # Seems happy so slurp the full output
-	    if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+	    if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
 		local $/;
 		local $_ = <PIPE>;
 		print OUT $_;
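Review bot: The new lines 53, 57, 65 and 69 (and 78 and 87 in the following hunks) still build a `/bin/sh` command string around `\Q$bin\E`, apparently only because they need `2>&1`, `>/dev/null` or a pipe into grep, while lines 91 and 100 of the same file already use the shell-free list form. The first of these, the `head | grep -q` test, needs no external commands at all and can be replaced by reading the first ten lines in Perl and matching them, which removes one shell invocation and the quotemeta dependency entirely; the `while (<FILES>)` loop enclosing all of this starts outside the hunk. For the `2>&1` cases a fork-style `open(PIPE, '-|')` with STDERR redirected in the child and an `exec` of the argument list would do the same, but that is a larger rewrite.
```perl
	# Look for the UPX marker in the first ten lines in Perl rather than
	# via "head | grep" through the shell.
	my $packed = 0;
	if (open(my $head, '<', $bin)) {
	    while (my $line = <$head>) {
	        if ($line =~ /packed.*with.*UPX/) { $packed = 1; last }
	        last if $. >= 10;
	    }
	    close $head;
	}
	print OUT "objdump: $bin: Packed with UPX" if $packed;
	# … unchanged: readelf -l and objdump -T invocations …
```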
@@ -86,7 +86,7 @@ while (<FILES>) {
 	    # on detached debugging information in /usr/lib/debug.
 
 	    $failed = 1;
-	    if (open(PIPE, '-|', "objdump --headers --private-headers -T $bin 2>&1")) {
+	    if (open(PIPE, '-|', "objdump --headers --private-headers -T \Q$bin\E 2>&1")) {
 		while(<PIPE>) {
 		    $failed = 0 if m/Invalid operation$/;
 		    $failed = 0 if m/File format not recognized$/;
@@ -104,10 +104,10 @@ while (<FILES>) {
 	    my @sections;
 	    my @symbol_versions;
 
-	    if (system("readelf -l $bin 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
+	    if (system("readelf -l \Q$bin\E 2>&1 | grep -q 'Error: Not an ELF file'") == 0) {
 		print OUT "objdump: $bin: File format not recognized\n";
 		next;
-	    } elsif (open(PIPE, '-|', "readelf -W -l -t -d -V $bin")) {
+	    } elsif (open(PIPE, '-|', 'readelf', '-W', '-l', '-t', '-d', '-V', $bin)) {
 		my $section = '';
 		my %program_headers;
 
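Review bot: The list-form open on the new line 91 (and line 100 in the next hunk) passes `$bin` straight to readelf, so a path whose first character is `-` would be parsed as an option rather than as the file to inspect; the `while (<FILES>)` loop header that produces `$bin` is outside the hunk, so I cannot tell whether it is always directory-prefixed. Terminating option parsing explicitly costs nothing: `} elsif (open(PIPE, '-|', 'readelf', '-W', '-l', '-t', '-d', '-V', '--', $bin)) {` and likewise `open(PIPE, '-|', 'readelf', '-W', '-s', '-D', '--', $bin)`. The same caveat applies to the `\Q$bin\E` string form on line 87, where backslash-escaping does not stop a leading dash from being read as an option.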
@@ -166,7 +166,7 @@ while (<FILES>) {
 		close PIPE;
 	    }
 
-	    if (open(PIPE, '-|', "readelf -W -s -D $bin")) {
+	    if (open(PIPE, '-|', 'readelf', '-W', '-s', '-D', $bin)) {
 		print OUT "DYNAMIC SYMBOL TABLE:\n";
 
 		while(<PIPE>) {
diff --git a/lib/Util.pm b/lib/Util.pm
index 225b59d..aaeffc0 100644
--- a/lib/Util.pm
+++ b/lib/Util.pm
@@ -199,7 +199,7 @@ sub file_is_encoded_in_non_utf8 {
 	my ($file, $type, $pkg) = @_;
 	my $non_utf8 = 0;
 
-	open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 $file 2>&1")
+	open (ICONV, '-|', "env LANG=C iconv -f utf8 -t utf8 \Q$file\E 2>&1")
 	    or fail("failure while checking encoding of $file for $type package $pkg");
 	my $line = 1;
 	while (<ICONV>) {
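Review bot: The new line 113 still goes through `/bin/sh`, with `\Q$file\E` as the only protection, seemingly because the command needs `env LANG=C` and `2>&1`; both can be expressed in Perl, which lets iconv be exec'd with an argument list as the patch-systems hunk of this commit already does. Setting `local $ENV{LANG} = 'C'` replaces `env`, and a fork-style `open(ICONV, '-|')` lets the child dup STDERR onto STDOUT before `exec`, so the loop that reads the pipe (presumably parsing iconv's diagnostics; `file_is_encoded_in_non_utf8` continues past the hunk) sees the same stream as before. A `'--'` before `$file` also keeps a name beginning with `-` from being read as an option.
```perl
	# Run iconv without a shell: fork, merge the child's stderr into the
	# pipe so the reader below sees iconv's diagnostics, then exec the list form.
	local $ENV{LANG} = 'C';
	my $pid = open(ICONV, '-|');
	fail("failure while checking encoding of $file for $type package $pkg")
	    unless defined $pid;
	if ($pid == 0) {
	    open(STDERR, '>&', \*STDOUT) or exit 1;
	    exec('iconv', '-f', 'utf8', '-t', 'utf8', '--', $file) or exit 1;
	}
	# … unchanged: my $line = 1; while (<ICONV>) { … } …
```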

-- 
Debian package checker

