
[SCM] Debian package checker branch, wheezy, updated. 2.5.10.4-15-ge0dc594



The following commit has been merged in the wheezy branch:
commit be0a8fa76f78e6a4e51d427f4e3d1f5b2c1898c0
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 21:12:31 2013 +0200

    c/md5sums: Skip check if the md5sums file is a symlink
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/md5sums b/checks/md5sums
index b132bc5..2138ea5 100644
--- a/checks/md5sums
+++ b/checks/md5sums
@@ -50,6 +50,10 @@ if (-f $info->control('conffiles')) {
     close(C);
 }
 
+# The md5sums file should not be a symlink.  If it is, the best
+# we can do is to leave it alone.
+return if -l $control;
+
 # Is there a md5sums control file?
 unless (-f $control) {
     # ignore if package contains no files
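Review bot: The new symlink guard covers only `$control`, while the conffiles block just above it (visible as `if (-f $info->control('conffiles'))` in the hunk header) still relies on `-f`, which follows symlinks, so a symlinked conffiles control file pointing at a regular file would presumably still be opened and read. That block starts outside the hunk and may be guarded elsewhere; if it is not, the same test belongs there, e.g. `my $cf = $info->control('conffiles');` followed by `if (-f $cf and not -l $cf) {`. The comment above the added `return` could also name the check that reports the symlink (going by the test's `-C` list, presumably control-files via `control-file-is-not-a-file`), for instance `# reported elsewhere as control-file-is-not-a-file; do not read through the link`, so the silent return does not read as a dropped diagnostic.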
diff --git a/debian/changelog b/debian/changelog
index afe35b3..67bded8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lintian (2.5.10.5) unstable; urgency=low
+
+  * checks/md5sums:
+    + [NT] Fix path traversal issue that could leak information
+      about the host system.
+
+ -- Niels Thykier <niels@thykier.net>  Fri, 05 Apr 2013 17:15:00 +0200
+
 lintian (2.5.10.4) unstable; urgency=low
 
   * checks/init.d:
diff --git a/t/debs/md5sums-traversal/Makefile b/t/debs/md5sums-traversal/Makefile
new file mode 100644
index 0000000..e04d984
--- /dev/null
+++ b/t/debs/md5sums-traversal/Makefile
@@ -0,0 +1,9 @@
+name = md5sums-traversal
+
+all:
+	ln -s ../copyright md5sums
+	create-deb -o $(name).deb control md5sums
+
+clean:
+	rm -f *.tar.gz *.deb md5sums debian-binary
+	rm -rf root/
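Review bot: `ln -s ../copyright md5sums` in the `all` recipe fails with "File exists" when `all` is run a second time without `clean`, so the fixture build is not repeatable; `ln -sf ../copyright md5sums` avoids that. Neither `all` nor `clean` is declared phony, so a stray file of either name would turn the target into a no-op; add `.PHONY: all clean`. A one-line comment such as `# md5sums is deliberately a symlink: this is the traversal case under test` would tell readers the link is the test subject and not a packaging mistake.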
diff --git a/t/debs/md5sums-traversal/desc b/t/debs/md5sums-traversal/desc
new file mode 100644
index 0000000..3d20a1a
--- /dev/null
+++ b/t/debs/md5sums-traversal/desc
@@ -0,0 +1,9 @@
+Testname: md5sums-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversals via md5sums symlink
+Options: -C copyright-file,md5sums,control-files -IE
+Test-For: control-file-is-not-a-file
+Test-Against:
+ file-missing-in-md5sums
+ malformed-md5sums-control-file
diff --git a/t/debs/md5sums-traversal/tags b/t/debs/md5sums-traversal/tags
new file mode 100644
index 0000000..b2ff081
--- /dev/null
+++ b/t/debs/md5sums-traversal/tags
@@ -0,0 +1 @@
+E: md5sums-traversal: control-file-is-not-a-file md5sums

-- 
Debian package checker

