
[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248



The following commit has been merged in the squeeze branch:
commit 43a7dd309942564b2d06884f1cff23d8d706d677
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 23:14:58 2013 +0200

    c/debconf: Before opening files, check they are not symlinks
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/debconf b/checks/debconf
index d3cd93b..4fced57 100644
--- a/checks/debconf
+++ b/checks/debconf
@@ -105,7 +105,9 @@ if ($type eq 'source') {
     return 0;
 }
 
-if (open(PREINST, '<', "control/preinst")) {
+if ( -f "control/preinst" and not -l "control/preinst") {
+    open(PREINST, '<', "control/preinst")
+        or fail "open preinst: $!";
     while (<PREINST>) {
 	s/\#.*//;    # Not perfect for Perl, but should be OK
 	if (m,/usr/share/debconf/confmodule, or
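Review bot: The `-f ... and not -l ...` guard is written out separately here, for `control/config` and `control/templates` in the next hunk, and again in the `for my $file` loop (there as `! -l` and with `fail(...)` in parentheses), so the four sites can drift apart and a later `open` can miss the rule. A single helper such as `sub is_plain_file { my ($p) = @_; return (-f $p and not -l $p); }`, called at each site, would keep the rule in one place. The test and the `open` are also two separate path lookups, so the guard holds only if nothing changes the unpacked `control/` directory in between; that is presumably true for lintian's own unpack area, but it is not visible in this hunk. The `while` body continues outside the hunk.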
@@ -117,10 +119,10 @@ if (open(PREINST, '<', "control/preinst")) {
     close PREINST;
 }
 
-if (-f "control/config") {
+if (-f "control/config" and not -l "control/config") {
     $seenconfig=1;
 }
-if (-f "control/templates") {
+if (-f "control/templates" and not -l "control/templates") {
     $seentemplates=1;
 }
 
@@ -166,6 +168,8 @@ if ($seenconfig and not $seentemplates and not $usesdbconfig) {
     tag "no-debconf-config", "";
 }
 
+# $seenconfig will be false if control/config is a symlink or if it was
+# not a file, so we do not have to check with -f/-l here again.
 if ($seenconfig and not -x "control/config") {
     tag "debconf-config-not-executable", "";
 }
@@ -369,7 +373,10 @@ my %templates_used;
 my %template_aliases;
 for my $file (qw(config prerm postrm preinst postinst)) {
     my $potential_makedev = {};
-    if (open(IN, '<', "control/$file")) {
+
+    if ( -f "control/$file" and ! -l "control/$file" ) {
+	open(IN, '<', "control/$file")
+	    or fail("open $file: $!");
 	my $usesconfmodule='';
 	my $obsoleteconfmodule='';
 	my $db_input='';
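Review bot: A maintainer script that is a symlink or not a regular file now falls through the new `if` at `-f "control/$file" and ! -l "control/$file"` without a tag or diagnostic, so the debconf checks in this loop are silently not applied to it. Whether another check reports such a control file is not visible here, so the skip should at least be documented above the `if`, for example `# Symlinks and non-regular files are deliberately not read; no debconf tags are produced for them here.` The `fail("open $file: $!")` message also drops the `control/` prefix used in the path, which makes the failing file harder to locate. The loop body continues outside the hunk.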
diff --git a/debian/changelog b/debian/changelog
index 34b5284..367b794 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
 lintian (2.4.3+squeeze2) stable; urgency=low
 
   * checks/debconf:
-    + [NT] Fix path traversal issue that could leak information
-      about the host system.
+    + [NT] Fix several path traversal issues that could leak
+      information about the host system.
   * checks/md5sums:
     + [NT] Fix path traversal issue that could leak information
       about the host system.

-- 
Debian package checker

