[SCM] Debian package checker branch, master, updated. 2.5.11-233-g6aa20a6
The following commit has been merged in the master branch:
commit 6aa20a6cb8e71ae0f1932328396e37efc63114d9
Author: Niels Thykier <niels@thykier.net>
Date: Tue Apr 9 15:03:00 2013 +0200
lintian: Back out of loading checks from $HOME and /etc
aptdaemon uses Lintian to do a minimal check of packages before
installing them. It is possible that loading checks from $HOME and
/etc by default could lead to (local user) privilege escalation.
The upstream of aptdaemon has been notified of the coming changes[1],
but they might not be the only ones to use Lintian in a situation like
this. So only allow "non-code" files to be loaded from $HOME and /etc
by default for now. Where needed/desired, it is still possible to use
--include-dir to "promote" these directories.
[1] https://bugs.launchpad.net/aptdaemon/+bug/1162947
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/doc/lintian.xml b/doc/lintian.xml
index a3e23d4..e8bff48 100644
--- a/doc/lintian.xml
+++ b/doc/lintian.xml
@@ -1193,7 +1193,10 @@ foo [!any-i386] binary: some-tag-not-for-i386 optional-extra
directories (in order):
</para>
<itemizedlist>
- <listitem>
+ <!-- FIXME: re-add this when aptdaemon (etc.) is ready for it
+ LP: #1162947
+ -->
+ <!--listitem>
<para>
<filename>$HOME/.lintian/checks</filename>
</para>
@@ -1202,7 +1205,7 @@ foo [!any-i386] binary: some-tag-not-for-i386 optional-extra
<para>
<filename>/etc/lintian/checks</filename>
</para>
- </listitem>
+ </listitem-->
<listitem>
<para>
<filename>$LINTIAN_ROOT/checks</filename>
diff --git a/frontend/lintian b/frontend/lintian
index 7b84493..eac142d 100755
--- a/frontend/lintian
+++ b/frontend/lintian
@@ -94,6 +94,7 @@ my %opt = ( #hash of some flags from cmd or cfg
# The LINTIAN_ROOT will be appended last and the user dirs will be
# pre-appended (depending --[no-]user-dirs).
my @search_dirs;
+my @restricted_search_dirs;
my $experimental_output_opts = undef;
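Review bot: The new `@restricted_search_dirs` is declared without a comment, and the existing comment above `@search_dirs` still says the user dirs are pre-appended to that array, which is no longer true after this commit. Since the split between the two arrays is the security boundary, it should be stated at the declaration, for example `# Dirs (e.g. $HOME/.lintian, /etc/lintian) from which only non-code files may be loaded; checks are never loaded from these.` The older comment should be reworded to say that `@search_dirs` now holds only LINTIAN_ROOT plus whatever is added explicitly (presumably via --include-dir).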
@@ -584,11 +585,11 @@ $ENV{'LINTIAN_ROOT'} = $opt{'LINTIAN_ROOT'};
if ($opt{'user-dirs'} and not $ENV{'LINTIAN_INTERNAL_TESTSUITE'}){
# Pre-append the user part of the search dirs.
- unshift @search_dirs, '/etc/lintian';
+ unshift @restricted_search_dirs, '/etc/lintian';
# In some (rare) cases, $ENV{HOME} will not be available.
# - Handle that gracefully by not emitting "Uninitialized ...".
- unshift @search_dirs, "$ENV{HOME}/.lintian" if defined $ENV{HOME};
+ unshift @restricted_search_dirs, "$ENV{HOME}/.lintian" if defined $ENV{HOME};
}
push @search_dirs, $opt{'LINTIAN_ROOT'};
@@ -832,7 +833,9 @@ $TAGS->show_overrides($opt{'show-overrides'});
$TAGS->sources(keys %display_source) if %display_source;
$PROFILE = Lintian::Profile->new ($opt{'LINTIAN_PROFILE'},
- \@search_dirs);
+ \@search_dirs,
+ { 'restricted-search-dirs' => \@restricted_search_dirs },
+);
# Ensure $opt{'LINTIAN_PROFILE'} is defined
$opt{'LINTIAN_PROFILE'} = $PROFILE->name unless defined $opt{'LINTIAN_PROFILE'};
v_msg('Using profile ' . $PROFILE->name . '.');
diff --git a/lib/Lintian/Profile.pm b/lib/Lintian/Profile.pm
index c9945aa..5183f0e 100644
--- a/lib/Lintian/Profile.pm
+++ b/lib/Lintian/Profile.pm
@@ -82,7 +82,7 @@ my %SEC_FIELDS = (
'severity' => 1,
);
-=item Lintian::Profile->new ([$profname[, $ipath]])
+=item Lintian::Profile->new ([$profname[, $ipath[, $extra]]])
Creates a new profile from the profile. $profname is the name of the
profile and $ipath is a list reference containing containing the path
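Review bot: The `=item` line now advertises `$extra`, but the POD text that follows is unchanged (the lines between this hunk and the next are not part of the diff), so the parameter is undocumented. I would add a sentence such as `$extra is an optional hash reference; its 'restricted-search-dirs' key is a list reference of directories searched for profiles and data but never for checks.` The description also still says "a default one will be used" for a missing `$ipath`, which should mention that checks are then loaded only from LINTIAN_ROOT (or /usr/share/lintian).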
@@ -96,13 +96,29 @@ If $ipath is not given, a default one will be used.
=cut
sub new {
- my ($type, $name, $ipath) = @_;
+ my ($type, $name, $ipath, $extra) = @_;
my $profile;
- $ipath = [_default_inc_path ()] unless $ipath;
+ my @full_inc_path;
+ if (!defined $ipath) {
+ # Temporary fix (see _safe_include_path)
+ @full_inc_path = [_default_inc_path ()] unless $ipath;
+ if (defined $ENV{'LINTIAN_ROOT'}) {
+ $ipath = [$ENV{'LINTIAN_ROOT'}];
+ } else {
+ $ipath = ['/usr/share/lintian'];
+ }
+ }
+
+ if (defined $extra and exists $extra->{'restricted-search-dirs'}) {
+ @full_inc_path = @{ $extra->{'restricted-search-dirs'} };
+ }
+ push @full_inc_path, @$ipath;
+
my $self = {
'parent-map' => {},
'profile_list' => [],
- 'include-path' => $ipath,
+ 'include-path' => \@full_inc_path,
+ 'safe-include-path' => $ipath,
'enabled-tags' => {}, # "set" of tags enabled (value is largely ignored)
'enabled-checks' => {}, # maps script to the number of tags enabled (0 if disabled)
'non-overridable-tags' => {},
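Review bot: In the `!defined $ipath` branch, `@full_inc_path = [_default_inc_path ()] unless $ipath;` stores a single array reference as the only element of `@full_inc_path`, so `include_path` would later build paths like `ARRAY(0x...)/profiles` instead of searching the default directories. The removed line shows `_default_inc_path` returns a list, so this should read `@full_inc_path = _default_inc_path();`; the `unless $ipath` is redundant inside this branch. The following `push @full_inc_path, @$ipath` then appends LINTIAN_ROOT a second time if the default path already contains it, which looks harmless but is worth confirming. Also note that `exists $extra->{'restricted-search-dirs'}` assumes `$extra` is a hash reference and silently ignores a misspelled key, so a typo at a call site would drop the restricted dirs without any diagnostic. The body of `new` continues outside the hunk.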
@@ -279,6 +295,17 @@ sub include_path {
return map { "$_/$path" } @{ $self->{'include-path'} };
}
+# Temporary until aptdaemon (etc.) has been upgraded to handle
+# Lintian loading code from user dirs.
+# LP: #1162947
+sub _safe_include_path {
+ my ($self, $path) = @_;
+ unless (defined $path) {
+ return @{ $self->{'safe-include-path'} };
+ }
+ return map { "$_/$path" } @{ $self->{'safe-include-path'} };
+}
+
# $prof->_find_profile ($pname)
#
# Finds a profile called $pname in the search directories and returns
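Review bot: The comment above `_safe_include_path` explains why the sub is temporary but not what "safe" means, and that is the property a later maintainer must not break. As written it returns exactly the caller-supplied `$ipath` (or LINTIAN_ROOT by default), so it is only as trustworthy as what the caller passes; a directory promoted with --include-dir is treated as safe by design. I would extend the comment with `# Returns only the dirs given as $ipath; anything that locates code to execute must use this and never include_path.` The body duplicates `include_path` apart from the hash key, so a small shared helper taking the key would keep the two from drifting.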
@@ -510,7 +537,7 @@ sub _check_for_invalid_fields {
sub _load_check {
my ($self, $profile, $check) = @_;
my $dir = undef;
- foreach my $checkdir ($self->include_path ('checks')) {
+ foreach my $checkdir ($self->_safe_include_path('checks')) {
my $cf = "$checkdir/${check}.desc";
if ( -f $cf ) {
$dir = $checkdir;
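Review bot: Only the two `checks` lookups (here in `_load_check` and in the `_load_checks` hunk below) are switched to `_safe_include_path`, while `include_path` itself still returns the `$HOME` and `/etc` directories. Any other caller that uses `include_path` to find something that is executed rather than parsed would still reach the user directories; none is visible in this diff, so this is a request to audit the remaining callers rather than a confirmed gap. A regression test that places a `.desc` file under a restricted dir and asserts that the check is not loaded would pin the intended behaviour. Both function bodies continue outside their hunks.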
@@ -552,7 +579,7 @@ sub _parse_check {
sub _load_checks {
my ($self) = @_;
- foreach my $checkdir ($self->include_path ('checks')) {
+ foreach my $checkdir ($self->_safe_include_path('checks')) {
next unless -d $checkdir;
opendir(my $dirfd, $checkdir);
for my $desc (sort readdir $dirfd) {
diff --git a/man/lintian.pod.in b/man/lintian.pod.in
index eb4de6b..6ff04a6 100644
--- a/man/lintian.pod.in
+++ b/man/lintian.pod.in
@@ -409,9 +409,8 @@ Note it does I<not> cause B<lintian> to ignore the entire environment
like I<TMPDIR> or I<DEB_VENDOR>. The latter can affect the default
profile (or "{VENDOR}" token for B<--profile>).
-Should usually be combined with B<--no-user-dirs> (or unsetting
-$HOME). Otherwise, users can work around this option by shadowing the
-checks or libraries in their I<$HOME/.lintian>.
+Should usually be combined with B<--no-user-dirs> (or unsetting $HOME
+and all I<XDG_> variables).
=item B<--include-dir> dir
@@ -473,7 +472,7 @@ These option can appear multiple times, in which case the last of them
to appear determines the result.
Note that if the intention is only to disable the user's I<$HOME>,
-then unsetting $HOME and $XDG_CONFIG_HOME may suffice. Alternatively,
+then unsetting I<$HOME> and I<XDG_*_HOME> may suffice. Alternatively,
I</etc> can be "re-added" by using I<--include-dir> (caveat:
I</etc/lintianrc> will be ignored by this).
@@ -481,6 +480,10 @@ If the intention is to avoid (unintentional) side-effects from the
calling user, then this option could be combined with
B<--ignore-lintian-env>.
+If for some reason B<--no-user-dirs> cannot be used, then consider
+unsetting I<$HOME> and all the I<$XDG_*> variables (not just the
+I<$XDG_*_HOME> ones).
+
=back
Package selection options:
--
Debian package checker