
[SCM] Debian package checker branch, master, updated. 2.5.11-269-g4fa9095



The following commit has been merged in the master branch:
commit c0db1c0d4046a49ac452fd85f956d488e8caebe1
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 21:12:31 2013 +0200

    c/md5sums: Skip check if the md5sums file is a symlink
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/md5sums b/checks/md5sums
index 314336e..a16e571 100644
--- a/checks/md5sums
+++ b/checks/md5sums
@@ -34,6 +34,10 @@ my $control = $info->control('md5sums');
 my %control_entry;
 my %info_entry;
 
+# The md5sums file should not be a symlink.  If it is, the best
+# we can do is to leave it alone.
+return if -l $control;
+
 # Is there a md5sums control file?
 unless (-f $control) {
     # ignore if package contains no files
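Review bot: The comment above `return if -l $control;` says a symlink is left alone, but not why or where the problem gets reported. Because `-f` follows symlinks, a symlinked md5sums that resolves to a regular file would otherwise pass the `unless (-f $control)` test below and be read as if it were package data. Stating that in the comment, and naming the tag that covers the case (the test added in this commit expects control-file-is-not-a-file), would keep the early return from reading as a silently dropped check. The commit subject also describes a plain skip while the changelog entry calls it a path traversal fix; aligning the two would help anyone scanning the log for security-relevant changes.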
diff --git a/debian/changelog b/debian/changelog
index c31647d..aefea69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -108,6 +108,9 @@ lintian (2.5.12) UNRELEASED; urgency=low
       reporting.  (Closes: #698602)
   * checks/java{,.desc}:
     + [NT] Report possibly broken jar files.
+  * checks/md5sums:
+    + [NT] Fix path traversal issue that could leak information
+      about the host system.
   * checks/menu-format{,.desc}:
     + [NT] Apply patch from Bastien Roucariès to detect missing
       "Keywords" in desktop files.  Thanks to Jeremy Bicha for
diff --git a/t/debs/md5sums-traversal/Makefile b/t/debs/md5sums-traversal/Makefile
new file mode 100644
index 0000000..e04d984
--- /dev/null
+++ b/t/debs/md5sums-traversal/Makefile
@@ -0,0 +1,9 @@
+name = md5sums-traversal
+
+all:
+	ln -s ../copyright md5sums
+	create-deb -o $(name).deb control md5sums
+
+clean:
+	rm -f *.tar.gz *.deb md5sums debian-binary
+	rm -rf root/
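Review bot: In the `all` target, `ln -s ../copyright md5sums` fails with "File exists" if the target is rebuilt without a prior `clean`, since md5sums is only removed in `clean`. Using `ln -sf ../copyright md5sums`, or removing md5sums first, makes the target re-runnable. A one-line comment noting that the link deliberately points at a path above the control files would also document what the fixture exercises.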
diff --git a/t/debs/md5sums-traversal/desc b/t/debs/md5sums-traversal/desc
new file mode 100644
index 0000000..3d20a1a
--- /dev/null
+++ b/t/debs/md5sums-traversal/desc
@@ -0,0 +1,9 @@
+Testname: md5sums-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversals via md5sums symlink
+Options: -C copyright-file,md5sums,control-files -IE
+Test-For: control-file-is-not-a-file
+Test-Against:
+ file-missing-in-md5sums
+ malformed-md5sums-control-file
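Review bot: `Options: -C copyright-file,md5sums,control-files` enables the copyright-file check without the Description saying why, and none of the Test-For or Test-Against tags visibly belongs to it. If it is there because the fixture's symlink points at ../copyright, say so in the Description; otherwise drop it from the check list so the test only runs what it asserts on.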
diff --git a/t/debs/md5sums-traversal/tags b/t/debs/md5sums-traversal/tags
new file mode 100644
index 0000000..b2ff081
--- /dev/null
+++ b/t/debs/md5sums-traversal/tags
@@ -0,0 +1 @@
+E: md5sums-traversal: control-file-is-not-a-file md5sums

-- 
Debian package checker

