[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
The following commit has been merged in the squeeze branch:
commit 43a7dd309942564b2d06884f1cff23d8d706d677
Author: Niels Thykier <niels@thykier.net>
Date: Thu Apr 4 23:14:58 2013 +0200
c/debconf: Before opening files, check they are not symlinks
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/debconf b/checks/debconf
index d3cd93b..4fced57 100644
--- a/checks/debconf
+++ b/checks/debconf
@@ -105,7 +105,9 @@ if ($type eq 'source') {
return 0;
}
-if (open(PREINST, '<', "control/preinst")) {
+if ( -f "control/preinst" and not -l "control/preinst") {
+ open(PREINST, '<', "control/preinst")
+ or fail "open preinst: $!";
while (<PREINST>) {
s/\#.*//; # Not perfect for Perl, but should be OK
if (m,/usr/share/debconf/confmodule, or
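Review bot: The guard before opening `control/preinst` is written by hand as two separate file tests plus an `open`, each repeating the path literal, and the `control/$file` loop in the last checks/debconf hunk repeats it in a slightly different style (`! -l` and `fail(...)` instead of `not -l` and `fail "..."`). A single helper based on one `lstat`, for example `sub is_plain_file { my ($p) = @_; return (lstat($p) and -f _); }`, would keep the check identical at every call site and make it harder for a later open to be added without it. The guard only helps while nothing changes the unpacked control directory between the test and the `open`, which looks true here but is worth a one-line comment. Note also that a regular file that cannot be opened now reaches `fail` instead of being skipped as before; if that is intended, say so in the commit message. The `while` loop continues outside this hunk.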
@@ -117,10 +119,10 @@ if (open(PREINST, '<', "control/preinst")) {
close PREINST;
}
-if (-f "control/config") {
+if (-f "control/config" and not -l "control/config") {
$seenconfig=1;
}
-if (-f "control/templates") {
+if (-f "control/templates" and not -l "control/templates") {
$seentemplates=1;
}
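Review bot: With the added `not -l` tests, a symlinked `control/config` or `control/templates` is indistinguishable from a missing file, so everything later keyed on `$seenconfig` / `$seentemplates` will presumably report the file as absent rather than report the symlink itself. A comment here would make that intent explicit, for example `# A symlinked control file is treated as absent and is never opened.` Any later `open` of `control/templates` lies outside this hunk and must stay gated on `$seentemplates` for the fix to hold; that cannot be confirmed from the visible lines. It may also be worth tracking the symlink case in its own variable so the package can be flagged for it.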
@@ -166,6 +168,8 @@ if ($seenconfig and not $seentemplates and not $usesdbconfig) {
tag "no-debconf-config", "";
}
+# $seenconfig will be false if control/config is a symlink or if it was
+# not a file, so we do not have to check with -f/-l here again.
if ($seenconfig and not -x "control/config") {
tag "debconf-config-not-executable", "";
}
@@ -369,7 +373,10 @@ my %templates_used;
my %template_aliases;
for my $file (qw(config prerm postrm preinst postinst)) {
my $potential_makedev = {};
- if (open(IN, '<', "control/$file")) {
+
+ if ( -f "control/$file" and ! -l "control/$file" ) {
+ open(IN, '<', "control/$file")
+ or fail("open $file: $!");
my $usesconfmodule='';
my $obsoleteconfmodule='';
my $db_input='';
diff --git a/debian/changelog b/debian/changelog
index 34b5284..367b794 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@
lintian (2.4.3+squeeze2) stable; urgency=low
* checks/debconf:
- + [NT] Fix path traversal issue that could leak information
- about the host system.
+ + [NT] Fix several path traversal issues that could leak
+ information about the host system.
* checks/md5sums:
+ [NT] Fix path traversal issue that could leak information
about the host system.
--
Debian package checker