
[SCM] Debian package checker branch, master, updated. 2.3.1-26-g7928943



The following commit has been merged in the master branch:
commit 952b56c2b670a42bdb35608ee02e74593aa0d3d6
Author: Raphael Geissert <atomo64@gmail.com>
Date:   Thu Jan 21 00:23:32 2010 -0600

    Fix CVE-2009-4013, missing control files sanitation
    
    Control field names and values were not sanitised before using them
    in certain operations that could lead to directory traversals.
    
    Patch systems' control files were not sanitised before using them
    in certain operations that could lead to directory traversals.
    
    An attacker could exploit these vulnerabilities to overwrite arbitrary
    files or disclose system information.

diff --git a/checks/fields b/checks/fields
index a4cfecc..29e9f55 100644
--- a/checks/fields
+++ b/checks/fields
@@ -867,8 +867,15 @@ while (my ($vcs, $regex) = each %VCS_RECOMMENDED_URIS) {
 
 #----- Field checks (without checking the value)
 
-for my $field (glob("fields/*")) {
-	$field =~ s!^fields/!!;
+opendir(FIELDS, 'fields/')
+    or fail("cannot read fields/ directory: $!");
+
+for my $field (readdir FIELDS) {
+	next if ($field eq '.' || $field eq '..');
+
+	# The unpack scripts turn slashes into colons
+	# This is safe since a control field name can't contain colons
+	$field =~ s,:,/,g;
 
 	next if ($field eq 'original-maintainer') and $version =~ /ubuntu/;
 
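Review bot: After `$field =~ s,:,/,g;` the loop variable again holds whatever slashes the package author put into the field name, so from that line on it is only safe as a label for tags and hash lookups. Part of the loop body lies outside this hunk; if any statement there builds a path from `$field`, the traversal comes back. Keeping the directory entry and the decoded name in separate variables makes that hard to get wrong, e.g. `(my $name = $entry) =~ s,:,/,g;` with `$entry` used for file access and `$name` for reporting. A lexical handle, `opendir(my $dh, 'fields/')`, would also avoid the package-global `FIELDS`.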
@@ -884,6 +891,7 @@ for my $field (glob("fields/*")) {
 	tag "unknown-field-in-control", "$field"
 	    if ($type eq "udeb" && ! $known_udeb_fields{$field} && ! $known_obsolete_fields{$field});
 }
+closedir(FIELDS);
 
 }
 
diff --git a/checks/patch-systems b/checks/patch-systems
index d91d358..da7a7f5 100644
--- a/checks/patch-systems
+++ b/checks/patch-systems
@@ -24,6 +24,7 @@ use strict;
 
 use Lintian::Tags qw(tag);
 use Util;
+use Cwd qw(realpath);
 
 sub run {
 	my ($pkg, $type, $info) = @_;
@@ -45,6 +46,8 @@ sub run {
 	}
 	my $quilt_format = ($format =~ /3\.\d+ \(quilt\)/) ? 1 : 0;
 
+	my $cwd = realpath('.');
+
 	#----- dpatch
 	if ($build_deps->implies("dpatch")) {
 		$uses_patch_system++;
@@ -84,6 +87,10 @@ sub run {
 				foreach my $patch_file (@patches) {
 					$patch_file .= ".dpatch" if -e "debfiles/patches/$patch_file.dpatch"
 						and not -e "debfiles/patches/$patch_file";
+					next if ( -l "debfiles/patches/$patch_file" );
+					unless (realpath("debfiles/patches/$patch_file") =~ m,^\Q$cwd\E/debfiles/,) {
+					    next;
+					}
 					if (! -r "debfiles/patches/$patch_file") {
 						tag "dpatch-index-references-non-existent-patch", $patch_file;
 						next;
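Review bot: `realpath()` can return undef when the path cannot be resolved (for example when an intermediate directory named in the list does not exist), and the added `unless` then matches against undef and skips the entry before the `dpatch-index-references-non-existent-patch` tag below it can fire; testing `defined` first and treating that case as non-existent would keep the old finding. An entry that resolves outside `debfiles/` is likewise dropped with no tag, so a package carrying one produces no finding at all; emitting a tag before `next` would put the attempt in the report. The prefix accepted is `debfiles/` rather than `debfiles/patches/`, which may be wider than intended. The same four lines are repeated in the quilt loop further down (before `quilt-series-references-non-existent-patch`), so one helper called from both loops would keep them in step; `run` itself starts and ends outside this hunk.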
@@ -137,6 +144,10 @@ sub run {
 
 				# Check each patch.
 				foreach my $patch_file (@patches) {
+					next if ( -l "debfiles/patches/$patch_file" );
+					unless (realpath("debfiles/patches/$patch_file") =~ m,^\Q$cwd\E/debfiles/,) {
+					    next;
+					}
 					if (! -r "debfiles/patches/$patch_file") {
 						tag "quilt-series-references-non-existent-patch", $patch_file;
 						next;
diff --git a/collection/source-control-file b/collection/source-control-file
index c98d18b..8646232 100755
--- a/collection/source-control-file
+++ b/collection/source-control-file
@@ -44,10 +44,14 @@ foreach (@control_data) {
     mkdir "control/$pkg_name", 0777
         or fail( "can't create dir control/$pkg_name: $!" );
     for my $field (keys %$_) {
+	my $value = $_->{$field};
+	# checks/fields will convert colons into slashes
+	$field =~ s,/,:,g;
+
         my $field_file = "control/$pkg_name/$field";
         open (F, '>', "$field_file")
             or fail("cannot open file $field_file for writing: $!");
-        print F $_->{$field},"\n";
+        print F $value,"\n";
         close F;
     }
 }
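Review bot: `$pkg_name` is interpolated into the same paths as `$field` (`mkdir "control/$pkg_name"` and `"control/$pkg_name/$field"`) but is not sanitised anywhere in this hunk. Its assignment is above the visible lines; if it is taken from the `Package` field of the unpacked control file, a slash in that value would still reach `mkdir` and `open`. A guard ahead of the `mkdir`, such as `next if $pkg_name =~ m,/, or $pkg_name eq '.' or $pkg_name eq '..';`, would cover it. The enclosing `foreach` begins outside the hunk.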
diff --git a/frontend/lintian b/frontend/lintian
index ddf7d0e..9a9a392 100755
--- a/frontend/lintian
+++ b/frontend/lintian
@@ -849,6 +849,9 @@ while (my $arg = shift) {
 		next if $_ eq '';
 
 		my ($md5sum,$size,$section,$priority,$file) = split(/\s+/o, $_);
+
+		next if ($file =~ m,/,);
+
 		$files{$file}{md5} = $md5sum;
 		$files{$file}{size} = $size;
 
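Review bot: The added `next if ($file =~ m,/,);` is a deny-list on a single character, so the names `.` and `..` still pass, and a `Files` line with fewer than five columns leaves `$file` undefined when it reaches the match. Something like `next if (!defined $file or $file =~ m,/, or $file =~ /\A\.\.?\z/);` covers both. The same slash-only test is applied to `$pkg` in Lintian::Schedule::add_file, to `$data->{'source'}` before the `symlink` in unpack/unpack-binpkg-l1, and to `$t[2]` and `$bin` in unpack/unpack-srcpkg-l1; those would benefit from the same tightening. The entry is also skipped silently here, whereas add_file prints a warning for the equivalent case. The surrounding `while` loop continues beyond the hunk.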
diff --git a/lib/Lintian/Schedule.pm b/lib/Lintian/Schedule.pm
index c117910..55244a6 100644
--- a/lib/Lintian/Schedule.pm
+++ b/lib/Lintian/Schedule.pm
@@ -53,6 +53,12 @@ sub add_file {
     $ver  = '' unless length $ver;
     $arch ||= '';
 
+    if ( $pkg =~ m,/, ) {
+	warn(sprintf("warning: bad name for %2\$s package '%1\$s', skipping\n",
+	    $pkg, $type eq 'b' ? 'binary' : ($type eq 's' ? 'source': 'udeb')));
+	return 1;
+    }
+
     my $s = "$type $pkg $ver $arch $file";
     my %h = ( type => $type, package => $pkg, version => $ver,
 	      architecture => $arch, file => $file );
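Review bot: The new `warn` prints `$pkg` verbatim, and that is the very string just judged untrustworthy, so any control characters in it go straight to the terminal or log of whoever runs the checker. Replacing non-printable characters before formatting, e.g. `(my $shown = $pkg) =~ s/[^[:print:]]/?/g;`, keeps the message readable and inert. The type label falls through to `'udeb'` for every `$type` other than `'b'` or `'s'`, which deserves a short comment if other values can reach this point. `return 1` for a skipped package is worth documenting as well, since the rest of add_file is outside this hunk and it is not visible what callers do with the value.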
diff --git a/t/changes/changes-directory-traversal.changes b/t/changes/changes-directory-traversal.changes
new file mode 100644
index 0000000..caa36cd
--- /dev/null
+++ b/t/changes/changes-directory-traversal.changes
@@ -0,0 +1,14 @@
+Format: 1.8
+Date: Sat, 10 Jan 2009 10:50:38 -0800
+Source: changes-directory-traversal
+Binary: changes-directory-traversal
+Architecture: source all
+Version: 1.0
+Distribution: unstable
+Urgency: low
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Changed-By: Debian Lintian Maintainers <lintian-maint@debian.org>
+Description:
+ changes-directory-traversal - Test directory traversal when processing Files
+Files:
+ 12345678901234567890123456789012 123 admin optional ../foo-bar-moo
diff --git a/reporting/lintian-dummy.cfg b/t/changes/changes-directory-traversal.tags
similarity index 100%
copy from reporting/lintian-dummy.cfg
copy to t/changes/changes-directory-traversal.tags
diff --git a/t/debs/control-field-traversal-4/Makefile b/t/debs/control-field-traversal-4/Makefile
new file mode 100644
index 0000000..02942c4
--- /dev/null
+++ b/t/debs/control-field-traversal-4/Makefile
@@ -0,0 +1,27 @@
+name = control-field-traversal-4
+
+all:
+	echo '2.0' > debian-binary
+	mkdir -p usr/share/doc/
+	# create a symlink to (usr/share/doc/)dpkg which will make
+	# copyright-file warn that it can't check whether the symlink
+	# points to a foreign package if the directory traversal did
+	# not happen.
+	# If, on the other hand, warns that they don't belong to the
+	# same package, there's a directory traversal issue.
+	# This is because the 'binary/<pkg>/source' symlink in the
+	# laboratory will point to '../../source/../binary/<pkg>'
+	# if the bogus source package name is not catched. This results
+	# into a valid symlink which is enough for copyright-file to
+	# determine that 'source/dpkg' does not exist.
+	ln -s dpkg usr/share/doc/$(name)
+	tar cfz data.tar.gz usr
+	chown 0:0 control
+	chmod 644 control
+	tar cfz control.tar.gz control
+	ar rc $(name).deb \
+	    debian-binary control.tar.gz data.tar.gz
+
+clean:
+	rm -f *.tar.gz *.tar.lzma *.deb md5sums debian-binary
+	rm -rf usr
diff --git a/t/debs/deb-format-lzma/changelog b/t/debs/control-field-traversal-4/changelog
similarity index 68%
copy from t/debs/deb-format-lzma/changelog
copy to t/debs/control-field-traversal-4/changelog
index 2fbdc04..1de8162 100644
--- a/t/debs/deb-format-lzma/changelog
+++ b/t/debs/control-field-traversal-4/changelog
@@ -1,4 +1,4 @@
-deb-format-lzma (1.0) unstable; urgency=low
+control-field-traversal-4 (1.0) unstable; urgency=low
 
   * A Lintian test case.
 
diff --git a/t/debs/deb-format-ancient-file/control b/t/debs/control-field-traversal-4/control
similarity index 67%
copy from t/debs/deb-format-ancient-file/control
copy to t/debs/control-field-traversal-4/control
index 560622a..2f7cdea 100644
--- a/t/debs/deb-format-ancient-file/control
+++ b/t/debs/control-field-traversal-4/control
@@ -1,10 +1,11 @@
-Package: deb-format-ancient-file
+Package: control-field-traversal-4
 Version: 1.0
 Architecture: all
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
 Section: devel
 Priority: extra
-Description: Test package containing an ancient file
+Source: ../binary/control-field-traversal-4
+Description: Test for directory traversal issues via field names or values
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.
diff --git a/t/debs/deb-format-ancient-file/copyright b/t/debs/control-field-traversal-4/copyright
similarity index 100%
copy from t/debs/deb-format-ancient-file/copyright
copy to t/debs/control-field-traversal-4/copyright
diff --git a/t/debs/control-field-traversal-4/tags b/t/debs/control-field-traversal-4/tags
new file mode 100644
index 0000000..028ce28
--- /dev/null
+++ b/t/debs/control-field-traversal-4/tags
@@ -0,0 +1,2 @@
+E: control-field-traversal-4: source-field-malformed ../binary/control-field-traversal-4
+I: control-field-traversal-4: cannot-check-whether-usr-share-doc-symlink-points-to-foreign-package
diff --git a/t/source/control-file-missing-separator/Makefile b/t/source/control-field-traversal-1/Makefile
similarity index 95%
copy from t/source/control-file-missing-separator/Makefile
copy to t/source/control-field-traversal-1/Makefile
index 2c7dede..33ffa3f 100644
--- a/t/source/control-file-missing-separator/Makefile
+++ b/t/source/control-field-traversal-1/Makefile
@@ -1,4 +1,4 @@
-name = control-file-missing-separator
+name = control-field-traversal-1
 dir  = $(name)-1
 
 all:
diff --git a/t/source/control-file-missing-separator/changelog b/t/source/control-field-traversal-1/changelog
similarity index 55%
copy from t/source/control-file-missing-separator/changelog
copy to t/source/control-field-traversal-1/changelog
index 85ee953..4a6253f 100644
--- a/t/source/control-file-missing-separator/changelog
+++ b/t/source/control-field-traversal-1/changelog
@@ -1,10 +1,8 @@
-control-file-missing-separator (1) unstable; urgency=low
+control-field-traversal-1 (1) unstable; urgency=low
 
   * Lintian Test Suite.
-  * Test: control-file-missing-separator
+  * Test: control-field-traversal-1
 
   * Suppress "should close ITP bug" messages.  (Closes: #123456)
 
- -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 21 Jul 2009 12:47:16 -0700
-
-
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 5 Jan 2010 01:01:01 -0001
diff --git a/t/tests/cruft-empty-diff/debian/debian/control b/t/source/control-field-traversal-1/control
similarity index 66%
copy from t/tests/cruft-empty-diff/debian/debian/control
copy to t/source/control-field-traversal-1/control
index b7becb7..4dd12f1 100644
--- a/t/tests/cruft-empty-diff/debian/debian/control
+++ b/t/source/control-field-traversal-1/control
@@ -1,14 +1,14 @@
-Source: cruft-empty-diff
-Priority: extra
+Source: control-field-traversal-1
 Section: devel
+Priority: optional
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
-Standards-Version: 3.8.0
 Build-Depends: debhelper (>= 7)
+Standards-Version: 3.8.3
 
-Package: cruft-empty-diff
+Package: control-field-traversal-1
 Architecture: all
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Test an empty Debian diff
+Description: Test for directory traversal issues via field names or values
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.
diff --git a/t/source/control-file-missing-separator/copyright b/t/source/control-field-traversal-1/copyright
similarity index 100%
copy from t/source/control-file-missing-separator/copyright
copy to t/source/control-field-traversal-1/copyright
diff --git a/t/source/control-field-traversal-1/dsc.in b/t/source/control-field-traversal-1/dsc.in
new file mode 100644
index 0000000..d3bcb1a
--- /dev/null
+++ b/t/source/control-field-traversal-1/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: ../control-field-traversal-1
+Binary: control-field-traversal-1
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.8.3
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ control-field-traversal-1_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ control-field-traversal-1_1.tar.gz
+Files:
+ @MD5@ @SIZE@ control-field-traversal-1_1.tar.gz
diff --git a/t/source/control-file-missing-separator/rules b/t/source/control-field-traversal-1/rules
similarity index 100%
copy from t/source/control-file-missing-separator/rules
copy to t/source/control-field-traversal-1/rules
diff --git a/t/source/control-field-traversal-1/tags b/t/source/control-field-traversal-1/tags
new file mode 100644
index 0000000..7c5a83b
--- /dev/null
+++ b/t/source/control-field-traversal-1/tags
@@ -0,0 +1 @@
+warning: bad name for source package '../control-field-traversal-1', skipping
diff --git a/t/source/control-file-missing-separator/Makefile b/t/source/control-field-traversal-2/Makefile
similarity index 95%
copy from t/source/control-file-missing-separator/Makefile
copy to t/source/control-field-traversal-2/Makefile
index 2c7dede..9535ca3 100644
--- a/t/source/control-file-missing-separator/Makefile
+++ b/t/source/control-field-traversal-2/Makefile
@@ -1,4 +1,4 @@
-name = control-file-missing-separator
+name = control-field-traversal-2
 dir  = $(name)-1
 
 all:
diff --git a/t/source/control-file-missing-separator/changelog b/t/source/control-field-traversal-2/changelog
similarity index 55%
copy from t/source/control-file-missing-separator/changelog
copy to t/source/control-field-traversal-2/changelog
index 85ee953..d718ff5 100644
--- a/t/source/control-file-missing-separator/changelog
+++ b/t/source/control-field-traversal-2/changelog
@@ -1,10 +1,8 @@
-control-file-missing-separator (1) unstable; urgency=low
+control-field-traversal-2 (1) unstable; urgency=low
 
   * Lintian Test Suite.
-  * Test: control-file-missing-separator
+  * Test: control-field-traversal-2
 
   * Suppress "should close ITP bug" messages.  (Closes: #123456)
 
- -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 21 Jul 2009 12:47:16 -0700
-
-
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 5 Jan 2010 01:01:01 -0001
diff --git a/t/tests/cruft-empty-diff/debian/debian/control b/t/source/control-field-traversal-2/control
similarity index 66%
copy from t/tests/cruft-empty-diff/debian/debian/control
copy to t/source/control-field-traversal-2/control
index b7becb7..ae99d81 100644
--- a/t/tests/cruft-empty-diff/debian/debian/control
+++ b/t/source/control-field-traversal-2/control
@@ -1,14 +1,14 @@
-Source: cruft-empty-diff
-Priority: extra
+Source: control-field-traversal-2
 Section: devel
+Priority: optional
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
-Standards-Version: 3.8.0
 Build-Depends: debhelper (>= 7)
+Standards-Version: 3.8.3
 
-Package: cruft-empty-diff
+Package: control-field-traversal-2
 Architecture: all
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Test an empty Debian diff
+Description: Test for directory traversal issues via field names or values
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.
diff --git a/t/source/control-file-missing-separator/copyright b/t/source/control-field-traversal-2/copyright
similarity index 100%
copy from t/source/control-file-missing-separator/copyright
copy to t/source/control-field-traversal-2/copyright
diff --git a/t/source/control-field-traversal-2/dsc.in b/t/source/control-field-traversal-2/dsc.in
new file mode 100644
index 0000000..fb3449c
--- /dev/null
+++ b/t/source/control-field-traversal-2/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: control-field-traversal-2
+Binary: ../../control-field-traversal-2
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.8.3
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ control-field-traversal-2_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ control-field-traversal-2_1.tar.gz
+Files:
+ @MD5@ @SIZE@ control-field-traversal-2_1.tar.gz
diff --git a/t/source/control-file-missing-separator/rules b/t/source/control-field-traversal-2/rules
similarity index 100%
copy from t/source/control-file-missing-separator/rules
copy to t/source/control-field-traversal-2/rules
diff --git a/t/debs/deb-format-record-size/tags b/t/source/control-field-traversal-2/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/source/control-field-traversal-2/tags
diff --git a/t/source/control-file-missing-separator/Makefile b/t/source/control-field-traversal-3/Makefile
similarity index 95%
copy from t/source/control-file-missing-separator/Makefile
copy to t/source/control-field-traversal-3/Makefile
index 2c7dede..d477a23 100644
--- a/t/source/control-file-missing-separator/Makefile
+++ b/t/source/control-field-traversal-3/Makefile
@@ -1,4 +1,4 @@
-name = control-file-missing-separator
+name = control-field-traversal-3
 dir  = $(name)-1
 
 all:
diff --git a/t/source/control-file-missing-separator/changelog b/t/source/control-field-traversal-3/changelog
similarity index 55%
copy from t/source/control-file-missing-separator/changelog
copy to t/source/control-field-traversal-3/changelog
index 85ee953..d3c296c 100644
--- a/t/source/control-file-missing-separator/changelog
+++ b/t/source/control-field-traversal-3/changelog
@@ -1,10 +1,8 @@
-control-file-missing-separator (1) unstable; urgency=low
+control-field-traversal-3 (1) unstable; urgency=low
 
   * Lintian Test Suite.
-  * Test: control-file-missing-separator
+  * Test: control-field-traversal-3
 
   * Suppress "should close ITP bug" messages.  (Closes: #123456)
 
- -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 21 Jul 2009 12:47:16 -0700
-
-
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Tue, 5 Jan 2010 01:01:01 -0001
diff --git a/t/tests/cruft-empty-diff/debian/debian/control b/t/source/control-field-traversal-3/control
similarity index 66%
copy from t/tests/cruft-empty-diff/debian/debian/control
copy to t/source/control-field-traversal-3/control
index b7becb7..ddcddb3 100644
--- a/t/tests/cruft-empty-diff/debian/debian/control
+++ b/t/source/control-field-traversal-3/control
@@ -1,14 +1,14 @@
-Source: cruft-empty-diff
-Priority: extra
+Source: control-field-traversal-3
 Section: devel
+Priority: optional
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
-Standards-Version: 3.8.0
 Build-Depends: debhelper (>= 7)
+Standards-Version: 3.8.3
 
-Package: cruft-empty-diff
+Package: control-field-traversal-3
 Architecture: all
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Test an empty Debian diff
+Description: Test for directory traversal issues via field names or values
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.
diff --git a/t/source/control-file-missing-separator/copyright b/t/source/control-field-traversal-3/copyright
similarity index 100%
copy from t/source/control-file-missing-separator/copyright
copy to t/source/control-field-traversal-3/copyright
diff --git a/t/source/control-field-traversal-3/dsc.in b/t/source/control-field-traversal-3/dsc.in
new file mode 100644
index 0000000..a89744b
--- /dev/null
+++ b/t/source/control-field-traversal-3/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: ../control-field-traversal-3
+Binary: control-field-traversal-3
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.8.3
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ control-field-traversal-3_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ control-field-traversal-3_1.tar.gz
+Files:
+ @MD5@ @SIZE@ ../control-field-traversal-3_1.tar.gz
diff --git a/t/source/control-file-missing-separator/rules b/t/source/control-field-traversal-3/rules
similarity index 100%
copy from t/source/control-file-missing-separator/rules
copy to t/source/control-field-traversal-3/rules
diff --git a/t/source/control-field-traversal-3/tags b/t/source/control-field-traversal-3/tags
new file mode 100644
index 0000000..0b25d9a
--- /dev/null
+++ b/t/source/control-field-traversal-3/tags
@@ -0,0 +1 @@
+warning: bad name for source package '../control-field-traversal-3', skipping
diff --git a/t/tests/patch-systems-quilt-general/debian/debian/patches/series b/t/tests/patch-systems-quilt-general/debian/debian/patches/series
index 8be8c70..edea10a 100644
--- a/t/tests/patch-systems-quilt-general/debian/debian/patches/series
+++ b/t/tests/patch-systems-quilt-general/debian/debian/patches/series
@@ -1,3 +1,6 @@
 some-file
 some-other-file -p0
 some-nonexistent-patch
+# this is to test for directory traversals
+# 'debian-patch' is a file in the laboratory
+../../debian-patch
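Review bot: This entry exercises only the quilt loop; the visible diff adds no matching line to a dpatch `00list` fixture, although checks/patch-systems gained the same check in its dpatch loop. No `tags` file for this test is changed in the diff either, so the expected result appears to be simply "no extra output", which is a weak signal that the entry was rejected. A dedicated tag for rejected entries would give both patch-system tests something positive to assert.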
diff --git a/t/templates/skel/debian/control.in b/t/tests/unpack-slashes-in-control-field-name/debian/debian/control.in
similarity index 94%
copy from t/templates/skel/debian/control.in
copy to t/tests/unpack-slashes-in-control-field-name/debian/debian/control.in
index fc7a0e1..78b0fc9 100644
--- a/t/templates/skel/debian/control.in
+++ b/t/tests/unpack-slashes-in-control-field-name/debian/debian/control.in
@@ -4,10 +4,12 @@ Section: {$section}
 Maintainer: {$author}
 Standards-Version: {$standards_version}
 Build-Depends: debhelper (>= 7.0.50~)
+XS-../foo: bar
 
 Package: {$srcpkg}
 Architecture: {$architecture}
 Depends: $\{shlibs:Depends\}, $\{misc:Depends\}
+XB-../bar: moo
 Description: {$description}
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
diff --git a/t/tests/unpack-slashes-in-control-field-name/desc b/t/tests/unpack-slashes-in-control-field-name/desc
new file mode 100644
index 0000000..1cfc3b6
--- /dev/null
+++ b/t/tests/unpack-slashes-in-control-field-name/desc
@@ -0,0 +1,4 @@
+Testname: unpack-slashes-in-control-field-name
+Sequence: 3500
+Version: 1.0
+Description: A test package with slashes in a control field name
diff --git a/t/tests/unpack-slashes-in-control-field-name/tags b/t/tests/unpack-slashes-in-control-field-name/tags
new file mode 100644
index 0000000..8bdbf80
--- /dev/null
+++ b/t/tests/unpack-slashes-in-control-field-name/tags
@@ -0,0 +1,2 @@
+I: unpack-slashes-in-control-field-name: unknown-field-in-control ../bar
+W: unpack-slashes-in-control-field-name source: unknown-field-in-dsc ../foo
diff --git a/unpack/unpack-binpkg-l1 b/unpack/unpack-binpkg-l1
index d32b9e2..7123481 100755
--- a/unpack/unpack-binpkg-l1
+++ b/unpack/unpack-binpkg-l1
@@ -109,16 +109,22 @@ $data->{'source'} or ($data->{'source'} = $data->{'package'});
 
 # create control field files
 for my $field (keys %$data) {
+    my $value = $data->{$field};
+    # checks/fields will convert colons into slashes
+    $field =~ s,/,:,g;
     my $field_file = "$base_dir/fields/$field";
     open(F, '>', $field_file) or fail("cannot open file $field_file for writing: $!");
-    print F $data->{$field},"\n";
+    print F $value,"\n";
     close(F);
 }
 
 # create symlink to source package
 $data->{'source'} =~ s/\s*\(.*\)\s*$//;
-symlink("../../source/$data->{'source'}","$base_dir/source")
-    or fail("symlink: $!");
+# but only create it if it doesn't traverse directories
+if ($data->{'source'} !~ m,/,) {
+    symlink("../../source/$data->{'source'}","$base_dir/source")
+        or fail("symlink: $!");
+}
 
 reap(@jobs);
 undef @jobs;
diff --git a/unpack/unpack-srcpkg-l1 b/unpack/unpack-srcpkg-l1
index b70f9ce..49501b2 100755
--- a/unpack/unpack-srcpkg-l1
+++ b/unpack/unpack-srcpkg-l1
@@ -52,10 +52,13 @@ mkdir("$base_dir/fields", 0777) or fail("mkdir $base_dir/fields: $!");
 
 # create control field files
 for my $field (keys %$data) {
+    my $value = $data->{$field};
+    # checks/fields will convert colons into slashes
+    $field =~ s,/,:,g;
     my $field_file = "$base_dir/fields/$field";
     open(F, '>', $field_file)
         or fail("cannot open file $field_file for writing: $!");
-    print F $data->{$field},"\n";
+    print F $value,"\n";
     close(F);
 }
 
@@ -75,6 +78,7 @@ for my $fs (split(/\n/,$data->{'files'})) {
     $fs =~ s/^\s*//;
     next if $fs =~ /^$/o;
     my @t = split(/\s+/o,$fs);
+    next if ($t[2] =~ m,/,);
     if ($t[2] =~ /^(\Q$base\E\.orig|\Q$baserev\E)\.tar\.(gz|bz2|lzma)$/) {
         $tarball = $t[2];
     }
@@ -162,6 +166,7 @@ spawn($job, sub { print @index }, '|', ['sort', '-k', '6'], '&');
 # Create symbolic links to binary packages
 mkdir("$base_dir/binary", 0777) or fail("mkdir $base_dir/binary: $!");
 for my $bin (split(/,\s+/o,$data->{'binary'})) {
+    next if ($bin =~ m,/,);
     symlink("../../../binary/$bin", "$base_dir/binary/$bin")
         or fail("cannot symlink binary package $bin: $!");
 }

-- 
Debian package checker

