[SCM] Debian package checker branch, master, updated. 2.5.11-269-g4fa9095
The following commit has been merged in the master branch:
commit 00810cb21b9ad4360a7983ecbc445d636b056c03
Author: Niels Thykier <niels@thykier.net>
Date: Thu Apr 4 22:21:20 2013 +0200
c/debconf: Check the sanity of the Binaries field
Do a very strict check of the contents of the Binaries field, before
using any of the "package names" listed in it as partial filenames.
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/debconf b/checks/debconf
index ac9a118..c6bfb27 100644
--- a/checks/debconf
+++ b/checks/debconf
@@ -24,7 +24,7 @@ use warnings;
use Lintian::Relation;
use Lintian::Tags qw(tag);
-use Lintian::Util qw(fail read_dpkg_control :constants);
+use Lintian::Util qw(fail read_dpkg_control :constants $PKGNAME_REGEX);
# From debconf-devel(7), section 'THE TEMPLATES FILE', up to date with debconf
# version 1.5.24. Added indices for cdebconf (indicates sort order for
@@ -69,7 +69,10 @@ my $usesmultiselect='';
if ($type eq 'source') {
my $binaries = $info->field('binary');
# no binary field? There is not much we can do about it here.
- return 0 unless defined $binaries;
+ return unless defined $binaries;
+ # do not trust the contents of that field any further than we can
+ # throw it.
+ return unless $binaries =~ m{^$PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ $}xsm;
chomp $binaries;
my @files = map { "$_.templates" } split /,\s+/, $binaries;
push @files, 'templates';
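Review bot: The new `return unless $binaries =~ m{^$PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ $}xsm;` line anchors with `^` and `$` under `/m`, so it only requires that one line of the value consist of package names; if `$info->field('binary')` can hand back a folded value with an embedded newline (the Binary field is a folded field in .dsc files), a continuation line after a valid first line is never inspected yet still flows into the `split`/`map` that builds the template filenames. Moving `chomp $binaries;` above the check and anchoring the whole string, `m{\A $PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ \z}xsm`, closes that gap. Separately, the regex accepts `foo,bar` and `foo , bar` while `split /,\s+/` leaves the first unsplit and the second with a trailing space, so `split /\s*,\s*/, $binaries` would keep the check and the split in step. The fixture in t/source/debconf-traversal/dsc.in only exercises a single-line value, so a folded-field case would be worth adding to the test. The enclosing subroutine starts before this hunk and continues after it.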
diff --git a/debian/changelog b/debian/changelog
index aefea69..9af3013 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -63,6 +63,9 @@ lintian (2.5.12) UNRELEASED; urgency=low
+ [NT] Correct description of an autotools tag. Thanks
to Alberto Garcia and Timo Juhani Lindfors for the
report and patch. (Closes: #703490)
+ * checks/debconf:
+ + [NT] Fix path traversal issue that could leak information
+ about the host system.
* checks/debhelper{,.desc}:
+ [JW] Assume the proper python helpers are called if a
(Makefile) variable is used. (Closes: #659335)
diff --git a/t/source/control-field-traversal-2/Makefile b/t/source/debconf-traversal/Makefile
similarity index 71%
copy from t/source/control-field-traversal-2/Makefile
copy to t/source/debconf-traversal/Makefile
index fa137c1..fd20c3a 100644
--- a/t/source/control-field-traversal-2/Makefile
+++ b/t/source/debconf-traversal/Makefile
@@ -1,4 +1,4 @@
-name = control-field-traversal-2
+name = debconf-traversal
dir = $(name)-1
all:
@@ -9,7 +9,8 @@ all:
mkdir $(dir)/debian/source
echo 1.0 > $(dir)/debian/source/format
tar cfz $(name)_1.tar.gz $(dir)
- subst-dsc $(name)_1.tar.gz < dsc.in > $(name)_1.dsc
+ subst-dsc $(name)_1.tar.gz < dsc.in | \
+ perl -pe 's/\@NULL\@/\0/g' > $(name)_1.dsc
clean:
rm -rf $(dir)
diff --git a/t/source/debconf-traversal/desc b/t/source/debconf-traversal/desc
new file mode 100644
index 0000000..c8f67f9
--- /dev/null
+++ b/t/source/debconf-traversal/desc
@@ -0,0 +1,5 @@
+Testname: debconf-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversal issues via debconf templates
+Test-Against: syntax-error-in-debconf-template
diff --git a/t/source/fields-src-fields-filename/dsc.in b/t/source/debconf-traversal/dsc.in
similarity index 51%
copy from t/source/fields-src-fields-filename/dsc.in
copy to t/source/debconf-traversal/dsc.in
index 0853e86..7ebad27 100644
--- a/t/source/fields-src-fields-filename/dsc.in
+++ b/t/source/debconf-traversal/dsc.in
@@ -1,14 +1,14 @@
Format: 1.0
-Source: some-other-name
-Binary: fields-src-fields-filename
+Source: debconf-traversal
+Binary: ../unpacked/debian/changelog@NULL@
Architecture: all
Version: 1
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Standards-Version: 3.9.4
Build-Depends: debhelper (>= 7)
Checksums-Sha1:
- @SHA1@ @SIZE@ some-other-name_1.tar.gz
+ @SHA1@ @SIZE@ debconf-traversal_1.tar.gz
Checksums-Sha256:
- @SHA256@ @SIZE@ some-other-name_1.tar.gz
+ @SHA256@ @SIZE@ debconf-traversal_1.tar.gz
Files:
- @MD5@ @SIZE@ some-other-name_1.tar.gz
+ @MD5@ @SIZE@ debconf-traversal_1.tar.gz
diff --git a/t/debs/deb-format-record-size/tags b/t/source/debconf-traversal/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/source/debconf-traversal/tags