
[SCM] Debian package checker branch, master, updated. 2.5.11-269-g4fa9095



The following commit has been merged in the master branch:
commit 7d487929e405dc44a501548c0b248027c7e3f75f
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 22:31:11 2013 +0200

    L::C::Package: Check filenames for possible traversals
    
    Make _fetch_extracted_dir verify that the input filename will not escape
    the "root" dir it is serving from.  Particularly, this protects checks
    that naively pass filenames to unpacked, debfiles and/or control.
    
    This check only catches poor input filenames; it cannot prevent the
    check from reading across an unsafe symlink.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/debian/changelog b/debian/changelog
index bee0c39..5b67cf1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -275,6 +275,10 @@ lintian (2.5.12) UNRELEASED; urgency=low
       (Closes: #695866)
     + [NT] Add warning to unpacked and debfiles when they are given a
       path with leading slash or dot-slash.
+    + [NT] When a check requests access to a raw file (or dir) in the
+      package, ensure that the resulting path does not "escape" the
+      top level directory.  This should preemptively guard against some
+      (but not all) traversal attempts.
   * lib/Lintian/Command/Simple.pm:
     + [NT] Use constant time lookup access instead of linear scan with
       "hashref" wait.
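Review bot: the changelog entry should say what happens when the path does escape the top level directory, since the code change makes that case fatal (the new branch in lib/Lintian/Collect/Package.pm calls croak) rather than a warning like the leading-slash case described in the entry just above it. A check author reading only the changelog would not expect a die; suggest wording along the lines of "... ensure that the resulting path does not "escape" the top level directory, dying if it does".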
diff --git a/lib/Lintian/Collect/Package.pm b/lib/Lintian/Collect/Package.pm
index 6d2c0c4..1c6bb17 100644
--- a/lib/Lintian/Collect/Package.pm
+++ b/lib/Lintian/Collect/Package.pm
@@ -25,7 +25,7 @@ use parent 'Lintian::Collect';
 
 use Carp qw(croak);
 use Lintian::Path;
-use Lintian::Util qw(open_gz perm2oct);
+use Lintian::Util qw(open_gz perm2oct resolve_pkg_path);
 
 =head1 NAME
 
@@ -227,6 +227,13 @@ sub _fetch_extracted_dir {
             warnings::warnif('Lintian::Collect',
                 qq{Argument to $field had leading "/" or "./"});
         }
+        if ($file =~ m{(?: ^|/ ) \.\. (?: /|$ )}xsm) {
+            # possible traversal - double check it and (if needed)
+            # stop it before it gets out of hand.
+            if (resolve_pkg_path('/', $file) eq '') {
+                croak qq{The path "$file" is not within the package root};
+            }
+        }
         return "$dir/$file" if $file ne '';
     }
     return $dir;
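Review bot: the resolve_pkg_path check only runs when the regex pre-filter matches a ".." component, so the regex, not resolve_pkg_path, decides what is inspected; either call resolve_pkg_path('/', $file) unconditionally and croak on '', or expand the comment to state that the regex is a fast path and that any input without a literal ".." component is assumed safe. Two smaller points: with the /m modifier, ^ and $ also match at embedded newlines in $file, which is harmless here but worth a word in the comment; and the croak introduces a new fatal failure mode for every caller of unpacked, debfiles and control, so the POD for those methods (outside this hunk) should document that a path outside the package root is now an error.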
