
[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248



The following commit has been merged in the squeeze branch:
commit 84879a619162e825c91d0ae49c0d0ba8a01953b9
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 21:12:31 2013 +0200

    c/md5sums: Skip check if the md5sums file is a symlink
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/md5sums b/checks/md5sums
index 7dc6572..0d72da2 100644
--- a/checks/md5sums
+++ b/checks/md5sums
@@ -61,6 +61,10 @@ if (-f "control/conffiles") {
     close(C);
 }
 
+# The md5sums file should not be a symlink.  If it is, the best
+# we can do is to leave it alone.
+return if -l $control;
+
 # Is there a md5sums control file?
 unless (-f $control) {
     # ignore if package contains no files
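Review bot: The early return added at line 26 leaves the package with no tag from this check, and the comment above it does not say where a symlinked md5sums is reported instead; the accompanying test descriptor expects `control-file-is-not-a-file`, which presumably comes from the control-files check, so the comment should record that: `# The control-files check reports this as control-file-is-not-a-file; following the link here could read a file outside the unpacked control directory.` Testing `-l` (lstat) before the existing `-f` is the right order, since `-f` follows symlinks and would otherwise accept a link to any readable file on the host. `-l` covers only symlinks, but the later `-f` still rejects directories, FIFOs and devices, so nothing else needs adding. `$control` is assigned outside this hunk and the check's body continues past it.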
diff --git a/debian/changelog b/debian/changelog
index e84f58d..de3a19b 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lintian (2.4.3+squeeze2) stable; urgency=low
+
+  * checks/md5sums:
+    + [NT] Fix path traversal issue that could leak information
+      about the host system.
+
+ -- Niels Thykier <niels@thykier.net>  Fri, 05 Apr 2013 22:00:00 +0200
+
 lintian (2.4.3+squeeze1) stable; urgency=low
 
   * checks/{conffiles,etcfiles}:
diff --git a/t/debs/fields-wildcard-binary/Makefile b/t/debs/md5sums-traversal/Makefile
similarity index 67%
copy from t/debs/fields-wildcard-binary/Makefile
copy to t/debs/md5sums-traversal/Makefile
index d232ffd..6107eb7 100644
--- a/t/debs/fields-wildcard-binary/Makefile
+++ b/t/debs/md5sums-traversal/Makefile
@@ -1,18 +1,18 @@
-name = fields-wildcard-binary
+name = md5sums-traversal
 
 all:
 	echo '2.0' > debian-binary
 	mkdir -p usr/share/doc/$(name)
 	cp copyright changelog usr/share/doc/$(name)
 	gzip -9 usr/share/doc/$(name)/changelog
-	tar cfz data.tar.gz usr
+	tar czf data.tar.gz usr
 	chown 0:0 control
 	chmod 644 control
-	md5sum usr/share/doc/$(name)/* > md5sums
-	tar cfz control.tar.gz control md5sums
+	ln -s ../copyright md5sums
+	tar czf control.tar.gz control md5sums
 	ar rc $(name).deb \
 	    debian-binary control.tar.gz data.tar.gz
 
 clean:
 	rm -f *.tar.gz *.deb md5sums debian-binary
-	rm -rf usr
+	rm -rf root/
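Review bot: The `clean` recipe no longer removes the `usr` tree that `all` creates with `mkdir -p usr/share/doc/$(name)`, and nothing in this Makefile creates `root/`, so the last line looks like a copy-paste slip and should stay `rm -rf usr`. The new `ln -s ../copyright md5sums` also fails with "File exists" on a second `make` without an intervening `clean`, unlike the `md5sum ... > md5sums` redirection it replaces; `ln -sf ../copyright md5sums` keeps the build re-runnable. Neither `all` nor `clean` is declared phony; a `.PHONY: all clean` line at the top would stop a stray file named `clean` from silently disabling the target.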
diff --git a/t/debs/deb-format-lzma/changelog b/t/debs/md5sums-traversal/changelog
similarity index 71%
copy from t/debs/deb-format-lzma/changelog
copy to t/debs/md5sums-traversal/changelog
index 2fbdc04..3299efe 100644
--- a/t/debs/deb-format-lzma/changelog
+++ b/t/debs/md5sums-traversal/changelog
@@ -1,4 +1,4 @@
-deb-format-lzma (1.0) unstable; urgency=low
+md5sums-traversal (1.0) unstable; urgency=low
 
   * A Lintian test case.
 
diff --git a/t/debs/control-files-traversal/control b/t/debs/md5sums-traversal/control
similarity index 92%
copy from t/debs/control-files-traversal/control
copy to t/debs/md5sums-traversal/control
index fb1946d..70493bf 100644
--- a/t/debs/control-files-traversal/control
+++ b/t/debs/md5sums-traversal/control
@@ -1,4 +1,4 @@
-Package: control-files-traversal
+Package: md5sums-traversal
 Version: 1.0
 Architecture: all
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
diff --git a/t/debs/control-field-traversal-4/copyright b/t/debs/md5sums-traversal/copyright
similarity index 100%
copy from t/debs/control-field-traversal-4/copyright
copy to t/debs/md5sums-traversal/copyright
diff --git a/t/debs/md5sums-traversal/desc b/t/debs/md5sums-traversal/desc
new file mode 100644
index 0000000..3d20a1a
--- /dev/null
+++ b/t/debs/md5sums-traversal/desc
@@ -0,0 +1,9 @@
+Testname: md5sums-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversals via md5sums symlink
+Options: -C copyright-file,md5sums,control-files -IE
+Test-For: control-file-is-not-a-file
+Test-Against:
+ file-missing-in-md5sums
+ malformed-md5sums-control-file
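Review bot: This descriptor only exercises a relative symlink whose target exists inside the lab (`../copyright`, per the accompanying Makefile); a dangling link, an absolute link such as one into `/etc`, or a link to a directory would take the same early return in checks/md5sums but is not covered, so the traversal the changelog describes is only partly pinned down. The `Description` line could also state that the expected `control-file-is-not-a-file` tag is produced by the control-files check enabled through `-C ... control-files`, not by md5sums, since the md5sums check is expected to stay silent here; that is an inference from the `Options` and `Test-For` lines rather than something the page shows directly.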
diff --git a/t/debs/control-files-traversal/tags b/t/debs/md5sums-traversal/tags
similarity index 100%
copy from t/debs/control-files-traversal/tags
copy to t/debs/md5sums-traversal/tags

-- 
Debian package checker

