[SCM] Debian package checker branch, squeeze, updated. 2.4.3-3-g8a6f168
The following commit has been merged in the squeeze branch:
commit 9bcbd856565b71a926187e1357661ffe0a552967
Author: Niels Thykier <niels@thykier.net>
Date: Wed Aug 17 15:30:33 2011 +0200
Skip conffiles check if conffiles is a symlink
No normal package ships conffiles as a symlink in its control.tar.gz.
When a package does, the "extra" info for the tags can more or less
get you a dump of an arbitrary file on the host file system.
Conflicts:
checks/conffiles
debian/changelog
diff --git a/checks/conffiles b/checks/conffiles
index 7e43522..495a66b 100644
--- a/checks/conffiles
+++ b/checks/conffiles
@@ -31,7 +31,7 @@ my $type = shift;
my $cf = "control/conffiles";
# conffiles?
-unless (-f $cf) {
+unless (-f $cf && ! -l $cf) {
return 0;
}
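Review bot: With `unless (-f $cf && ! -l $cf)` a package whose conffiles is a symlink now gets `return 0` with no tag, so a malformed control member passes this check unreported; the `return if -l $conffiles;` hunk in checks/etcfiles behaves the same way. Consider emitting a tag for a non-regular control file before returning (tag name to be chosen by the maintainers), so the skip is visible in the report. The test itself is sound, since `-f` follows the link and `-l` does not, but that deserves a comment such as `# -f follows symlinks; a symlinked conffiles could point outside the lab`. Other control files read by other checks may need the same guard, which cannot be confirmed from this diff. The enclosing sub starts and ends outside the hunk.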
diff --git a/checks/etcfiles b/checks/etcfiles
index bc61715..6b28da4 100644
--- a/checks/etcfiles
+++ b/checks/etcfiles
@@ -33,6 +33,8 @@ my %conffiles;
my $conffiles = "control/conffiles";
+return if -l $conffiles;
+
# load conffiles
if (open(IN, '<', $conffiles)) {
while (<IN>) {
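Review bot: The guard `return if -l $conffiles;` uses a bare `return`, while the same guard in checks/conffiles exits with `return 0;`, so the two copies of this security check already differ in form and can drift further. A small shared helper, or at least the same return form in both places, would make them easier to audit together. The line also has no comment explaining why a symlink is rejected; something like `# never follow a symlinked conffiles: it may point outside the lab` directly above it would help. The enclosing sub and the `open` block continue outside the hunk.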
diff --git a/debian/changelog b/debian/changelog
index 6ddc675..14136ea 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
lintian (2.4.3+squeeze1) stable; urgency=low
+ * checks/{conffiles,etcfiles}:
+ + [NT] Skip all checks in conffiles is a symlink.
* checks/debian-source-dir:
+ [NT] Fixed information disclosure issue, where Lintian could
be tricked into disclosing the presence of files on the host
diff --git a/t/debs/fields-wildcard-binary/Makefile b/t/debs/control-files-traversal/Makefile
similarity index 51%
copy from t/debs/fields-wildcard-binary/Makefile
copy to t/debs/control-files-traversal/Makefile
index d232ffd..e265ab1 100644
--- a/t/debs/fields-wildcard-binary/Makefile
+++ b/t/debs/control-files-traversal/Makefile
@@ -1,18 +1,20 @@
-name = fields-wildcard-binary
+name = control-files-traversal
all:
echo '2.0' > debian-binary
- mkdir -p usr/share/doc/$(name)
- cp copyright changelog usr/share/doc/$(name)
- gzip -9 usr/share/doc/$(name)/changelog
+ install -m 0755 -d usr/share/doc/$(name)
+ install -m 0644 changelog copyright usr/share/doc/$(name)
+ gzip --best usr/share/doc/$(name)/changelog
+ md5sum usr/share/doc/$(name)/* > md5sums
+ # Create the traversal symlink - points to md5sums in the lab
+ ln -s ../md5sums conffiles
tar cfz data.tar.gz usr
chown 0:0 control
chmod 644 control
- md5sum usr/share/doc/$(name)/* > md5sums
tar cfz control.tar.gz control md5sums
ar rc $(name).deb \
debian-binary control.tar.gz data.tar.gz
clean:
rm -f *.tar.gz *.deb md5sums debian-binary
- rm -rf usr
+ rm -rf root/
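Review bot: The new `ln -s ../md5sums conffiles` creates the symlink, but the unchanged archive line is still `tar cfz control.tar.gz control md5sums`, so the symlink never reaches the .deb and this fixture does not appear to exercise the guard added in checks/conffiles and checks/etcfiles. The archive line should probably read `tar cfz control.tar.gz control md5sums conffiles`. The `clean` target also looks wrong: it now runs `rm -rf root/` although the build creates `usr`, and it leaves the `conffiles` symlink behind, so a second `make` would fail at `ln -s`. Suggested: `rm -f *.tar.gz *.deb md5sums debian-binary conffiles` and `rm -rf usr`.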
diff --git a/t/debs/control-field-traversal-4/changelog b/t/debs/control-files-traversal/changelog
similarity index 100%
copy from t/debs/control-field-traversal-4/changelog
copy to t/debs/control-files-traversal/changelog
diff --git a/t/debs/deb-format-record-size/control b/t/debs/control-files-traversal/control
similarity index 78%
copy from t/debs/deb-format-record-size/control
copy to t/debs/control-files-traversal/control
index 7163fe9..fb1946d 100644
--- a/t/debs/deb-format-record-size/control
+++ b/t/debs/control-files-traversal/control
@@ -1,10 +1,10 @@
-Package: deb-format-record-size
+Package: control-files-traversal
Version: 1.0
Architecture: all
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Section: devel
Priority: extra
-Description: Test package with a non-standard tar record size
+Description: Test for directory traversal issues via control files
This is a test package designed to exercise some feature or tag of
Lintian. It is part of the Lintian test suite and may do very odd
things. It should not be installed like a regular package. It may
diff --git a/t/debs/control-field-traversal-4/copyright b/t/debs/control-files-traversal/copyright
similarity index 100%
copy from t/debs/control-field-traversal-4/copyright
copy to t/debs/control-files-traversal/copyright
diff --git a/t/debs/deb-format-record-size/tags b/t/debs/control-files-traversal/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/debs/control-files-traversal/tags
--
Debian package checker