[SCM] Debian package checker branch, wheezy, updated. 2.5.10.4-15-ge0dc594
The following commit has been merged in the wheezy branch:
commit 75fbe5b903a16f3e187caf3f69be5a043888dd44
Author: Niels Thykier <niels@thykier.net>
Date: Thu Apr 4 22:21:20 2013 +0200
c/debconf: Check the sanity of the Binaries field
Do a very strict check of the contents of the Binaries field, before
using any of the "package names" listed in it as partial filenames.
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/debconf b/checks/debconf
index 6829a3e..fcd999a 100644
--- a/checks/debconf
+++ b/checks/debconf
@@ -22,6 +22,7 @@ package Lintian::debconf;
use strict;
use warnings;
+use Lintian::Check qw($PKGNAME_REGEX);
use Lintian::Relation;
use Lintian::Tags qw(tag);
use Lintian::Util qw(fail read_dpkg_control :constants);
@@ -71,7 +72,10 @@ my $usesmultiselect='';
if ($type eq 'source') {
my $binaries = $info->field('binary');
# no binary field? There is not much we can do about it here.
- return 0 unless defined $binaries;
+ return unless defined $binaries;
+ # do not trust the contents of that field any further than we can
+ # throw it.
+ return unless $binaries =~ m{^$PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ $}xsm;
chomp $binaries;
my @files = map { "$_.templates" } split /,\s+/, $binaries;
push @files, 'templates';
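Review bot: The new check `return unless $binaries =~ m{^$PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ $}xsm;` anchors with `^`/`$` under `/m`, so only one line of the value has to look like a package list; if `$info->field('binary')` can ever return a value with an embedded newline (a continuation line, or a sane first line followed by a path), that value still reaches the `"$_.templates"` filenames built below. Moving the check after the `chomp` and anchoring the whole string, `return unless $binaries =~ m{\A $PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ \z}xs;`, ties the validation to exactly what is used. Separately, the regex admits `foo,bar` and `foo ,bar` while `split /,\s+/` leaves those as a single element (yielding a name such as `foo,bar.templates`); `split /\s*,\s*/, $binaries` would match what the check accepts. The enclosing routine starts before this hunk.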
diff --git a/debian/changelog b/debian/changelog
index 67bded8..4933ddc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
lintian (2.5.10.5) unstable; urgency=low
+ * checks/debconf:
+ + [NT] Fix path traversal issue that could leak information
+ about the host system.
* checks/md5sums:
+ [NT] Fix path traversal issue that could leak information
about the host system.
diff --git a/t/source/control-field-traversal-2/Makefile b/t/source/debconf-traversal/Makefile
similarity index 92%
copy from t/source/control-field-traversal-2/Makefile
copy to t/source/debconf-traversal/Makefile
index 0c3c570..256641e 100644
--- a/t/source/control-field-traversal-2/Makefile
+++ b/t/source/debconf-traversal/Makefile
@@ -1,4 +1,4 @@
-name = control-field-traversal-2
+name = debconf-traversal
dir = $(name)-1
all:
@@ -17,6 +17,7 @@ all:
perl -I$(LINTIAN_ROOT)/lib -MLintian::Util -i -pe \
'BEGIN { $$h = get_file_checksum("md5", "$(name)_1.tar.gz") } s/\@MD5\@/$$h/g' $(name)_1.dsc
perl -i -pe 'BEGIN { $$s = (stat "$(name)_1.tar.gz")[7] } s/\@SIZE\@/$$s/g' $(name)_1.dsc
+ perl -i -pe 's/\@NULL\@/\0/g' $(name)_1.dsc
clean:
rm -rf $(dir)
diff --git a/t/source/debconf-traversal/desc b/t/source/debconf-traversal/desc
new file mode 100644
index 0000000..c8f67f9
--- /dev/null
+++ b/t/source/debconf-traversal/desc
@@ -0,0 +1,5 @@
+Testname: debconf-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversal issues via debconf templates
+Test-Against: syntax-error-in-debconf-template
diff --git a/t/source/debian-symlink/dsc.in b/t/source/debconf-traversal/dsc.in
similarity index 51%
copy from t/source/debian-symlink/dsc.in
copy to t/source/debconf-traversal/dsc.in
index bed0d90..7ebad27 100644
--- a/t/source/debian-symlink/dsc.in
+++ b/t/source/debconf-traversal/dsc.in
@@ -1,14 +1,14 @@
Format: 1.0
-Source: debian-symlink
-Binary: debian-symlink
+Source: debconf-traversal
+Binary: ../unpacked/debian/changelog@NULL@
Architecture: all
Version: 1
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Standards-Version: 3.9.4
Build-Depends: debhelper (>= 7)
Checksums-Sha1:
- @SHA1@ @SIZE@ debian-symlink_1.tar.gz
+ @SHA1@ @SIZE@ debconf-traversal_1.tar.gz
Checksums-Sha256:
- @SHA256@ @SIZE@ debian-symlink_1.tar.gz
+ @SHA256@ @SIZE@ debconf-traversal_1.tar.gz
Files:
- @MD5@ @SIZE@ debian-symlink_1.tar.gz
+ @MD5@ @SIZE@ debconf-traversal_1.tar.gz
diff --git a/t/debs/deb-format-record-size/tags b/t/source/debconf-traversal/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/source/debconf-traversal/tags