
[SCM] Debian package checker branch, wheezy, updated. 2.5.10.4-15-ge0dc594



The following commit has been merged in the wheezy branch:
commit 3de00b847d8041250de5381a1ae1151ceec4fc0d
Author: Niels Thykier <niels@thykier.net>
Date:   Fri Apr 5 10:08:19 2013 +0200

    coll/changelog-file: Check usr/share/doc/<pkg> is safe
    
    At the same time, stop looking at files in usr/doc/<pkg>.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/collection/changelog-file b/collection/changelog-file
index ade55c1..567f6d2 100755
--- a/collection/changelog-file
+++ b/collection/changelog-file
@@ -23,7 +23,7 @@ use strict;
 use warnings;
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
-use Lintian::Util qw(fail gunzip_file);
+use Lintian::Util qw(fail gunzip_file is_ancestor_of);
 
 ($#ARGV == 2) or fail('syntax: changelog-file <pkg> <type> <dir>');
 my ($pkg, $type, $dir) = @ARGV;
@@ -31,6 +31,12 @@ my ($pkg, $type, $dir) = @ARGV;
 unlink "$dir/changelog" or fail "cannot remove changelog file: $!"
     if -e "$dir/changelog" or -l "$dir/changelog";
 
+# Extract NEWS.Debian files as well, with similar precautious.  Ignore any
+# symlinks to other packages here; in that case, we just won't check the file.
+unlink "$dir/NEWS.Debian" or fail "cannot unlink NEWS.Debian: $!"
+    if -e "$dir/NEWS.Debian" or -l "$dir/NEWS.Debian";
+
+
 # Pick the first of these files that exists.
 my @changelogs = ("$dir/unpacked/usr/share/doc/$pkg/changelog.Debian.gz",
                   "$dir/unpacked/usr/share/doc/$pkg/changelog.Debian",
@@ -38,15 +44,17 @@ my @changelogs = ("$dir/unpacked/usr/share/doc/$pkg/changelog.Debian.gz",
                   "$dir/unpacked/usr/share/doc/$pkg/changelog.debian",
                   "$dir/unpacked/usr/share/doc/$pkg/changelog.gz",
                   "$dir/unpacked/usr/share/doc/$pkg/changelog",
-                  "$dir/unpacked/usr/doc/$pkg/changelog.Debian.gz",
-                  "$dir/unpacked/usr/doc/$pkg/changelog.Debian",
-                  "$dir/unpacked/usr/doc/$pkg/changelog.debian.gz",
-                  "$dir/unpacked/usr/doc/$pkg/changelog.debian",
-                  "$dir/unpacked/usr/doc/$pkg/changelog.gz",
-                  "$dir/unpacked/usr/doc/$pkg/changelog");
+    );
 
 my $chl;
 
+if (-d "$dir/unpacked/usr/share/doc/$pkg"
+      && !is_ancestor_of("$dir/unpacked", "$dir/unpacked/usr/share/doc/$pkg")) {
+    # If the parent dir is outside this package, pretend we didn't find
+    # anything.
+    return;
+}
+
 for (@changelogs) {
     if (-l $_ || -f $_) {
         $chl = $_;
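Review bot: The `return;` in the new `if` block appears to sit at file scope, since the surrounding context lines (`my ($pkg, $type, $dir) = @ARGV;`, `my $chl;`) are top-level script statements rather than a sub body, and Perl dies with "Can't return outside a subroutine" when a directly executed script reaches it. That would turn the intended quiet skip, for a usr/share/doc/<pkg> that resolves outside `$dir/unpacked`, into a collection failure; `exit 0;` states the intent if the script runs as its own process. If the file is instead loaded through `do` or `require`, `return` is legal, so confirm how collection scripts are invoked on this branch. The `for` loop that follows runs past the end of the hunk, so whether the individual changelog symlinks are also checked against the package root is not visible here.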
@@ -110,10 +118,6 @@ if ($chl && $chl !~ m/changelog\.debian/i) {
     unlink "$dir/changelog" unless $ok;
 }
 
-# Extract NEWS.Debian files as well, with similar precautious.  Ignore any
-# symlinks to other packages here; in that case, we just won't check the file.
-unlink "$dir/NEWS.Debian" or fail "cannot unlink NEWS.Debian: $!"
-    if -e "$dir/NEWS.Debian" or -l "$dir/NEWS.Debian";
 my $news = "$dir/unpacked/usr/share/doc/$pkg/NEWS.Debian.gz";
 if (-f $news) {
     if (-l $news) {
diff --git a/debian/changelog b/debian/changelog
index 126ffd2..3d04c2c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,10 +16,14 @@ lintian (2.5.10.5) unstable; urgency=low
     + [NT] Fix path traversal issue that could leak information
       about the host system.
 
+  * collection/changelog-file:
+    + [NT] Ignore files in usr/doc/<pkg>.
+    + [NT] Skip collection if usr/share/doc/<pkg> is not contained
+      within the package root.
+
   * lib/Lintian/Util.pm:
     + [NT] Add sub to check if a path is contained within a given dir.
 
-
  -- Niels Thykier <niels@thykier.net>  Fri, 05 Apr 2013 17:15:00 +0200
 
 lintian (2.5.10.4) unstable; urgency=low

-- 
Debian package checker

