
[SCM] Debian package checker branch, wheezy, updated. 2.5.10.4-15-ge0dc594



The following commit has been merged in the wheezy branch:
commit 619936c38f547f2c95e8c697cf35a19d2cee9be0
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 22:31:11 2013 +0200

    L::C::Package: Check filenames for possible traversals
    
    Make _fetch_extracted_dir verify that input filename will not escape
    the "root" dir it is serving from.  Particularly, this protects checks
    that naively pass filenames to unpacked, debfiles and/or control.
    
    This check only catches poor input filenames; it cannot prevent the
    check from reading across an unsafe symlink.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/debian/changelog b/debian/changelog
index 5746cfc..066f978 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,11 @@ lintian (2.5.10.5) unstable; urgency=low
     + [NT] Skip collection if usr/share/doc/<pkg> is not contained
       within the package root.
 
+  * lib/Lintian/Collect/Package.pm:
+    + [NT] When a check requests access to a raw file (or dir) in the
+      package, ensure that the resulting path does not "escape" the
+      top level directory.  This should preemptively guard against some
+      (but not all) traversal attempts.
   * lib/Lintian/Util.pm:
     + [NT] Add sub to check if a path is contained within a given dir.
 
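Review bot: the new changelog entry says the guard catches "some (but not all) traversal attempts" without naming the gap, while the commit message states it concretely: the check only inspects the requested filename and cannot prevent a check from reading across an unsafe symlink inside the package. Suggest adding that clause to the entry, e.g. `(symlinks inside the package are still not checked)`, so anyone reading the changelog knows what the guard does not cover.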
diff --git a/lib/Lintian/Collect/Package.pm b/lib/Lintian/Collect/Package.pm
index 6e879cd..9293a34 100644
--- a/lib/Lintian/Collect/Package.pm
+++ b/lib/Lintian/Collect/Package.pm
@@ -25,7 +25,7 @@ use base 'Lintian::Collect';
 
 use Carp qw(croak);
 use Lintian::Path;
-use Lintian::Util qw(open_gz perm2oct);
+use Lintian::Util qw(open_gz perm2oct resolve_pkg_path);
 
 # Returns the path to the dir where the package is unpacked
 #  or a file therein (see pod below)
@@ -94,6 +94,13 @@ sub _fetch_extracted_dir {
     }
     if ($file) {
         # strip leading ./ - if that leaves something, return the path there
+        if ($file =~ m{(?: ^|/ ) \.\. (?: /|$ )}xsm) {
+            # possible traversal - double check it and (if needed)
+            # stop it before it gets out of hand.
+            if (resolve_pkg_path('/', $file) eq '') {
+                croak qq{The path "$file" is not within the package root};
+            }
+        }
         $file =~ s,^\.?/*+,,go;
         return "$dir/$file" if $file;
     }
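Review bot: the regex at `if ($file =~ m{(?: ^|/ ) \.\. (?: /|$ )}xsm) {` is a pre-filter that decides whether `resolve_pkg_path` is consulted at all, so the guard is only as strong as that regex staying in sync with what `resolve_pkg_path` treats as an escape. Today that holds, because a leading `/` is stripped by `$file =~ s,^\.?/*+,,go;` just below and, absent symlinks, only a `..` component can leave the root; a one-line comment stating this invariant, or calling `resolve_pkg_path('/', $file)` unconditionally if it is cheap, would make the intent explicit. Minor points: the `s` modifier does nothing here (the pattern has no unescaped `.`), `m` lets `^`/`$` match around embedded newlines (harmless, but unintended), and the `eq ''` test hard-codes the convention that `resolve_pkg_path` returns the empty string for a path outside the root, which deserves a comment for the next reader.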
@@ -287,7 +294,7 @@ Returns the path to the directory in which the package has been
 unpacked.  If C<$name> is given, it will return the path to that
 specific file (or dir).  The method will strip any leading "./" and
 "/" from C<$name>, but it will not check if C<$name> actually exists
-nor will it check for path traversals.
+and it will only do a basic check for obvious path traversals.
 
 The path returned is not guaranteed to be inside the Lintian Lab as
 the package may have been unpacked outside the Lab (e.g. as
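Review bot: the POD change at `and it will only do a basic check for obvious path traversals.` does not say what a caller sees when the check fires; the code croaks with `The path "$file" is not within the package root`, so callers passing untrusted names need to know this is fatal rather than a silent normalisation. Suggest documenting the croak and restating the commit message's caveat that only the requested name is inspected, so the method cannot prevent reading through a symlink inside the unpacked package.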

-- 
Debian package checker