[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
The following commit has been merged in the squeeze branch:
commit 905b86d5cc06eaec90b8814607f1478fb5f717a9
Author: Niels Thykier <niels@thykier.net>
Date: Thu Apr 4 23:33:42 2013 +0200
c/init.d: Guard against possible symlink traversals
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/init.d b/checks/init.d
index 5fa6213..5454286 100644
--- a/checks/init.d
+++ b/checks/init.d
@@ -77,7 +77,9 @@ my $action_r = qr/\w+/;
my $exclude_r = qr/if\s+\[\s+-x\s+\S*update-rc\.d/;
# read postinst control file
-if (open(IN, '<', $postinst)) {
+if ( -f $postinst and not -l $postinst) {
+ open(IN, '<', $postinst)
+ or fail "open postinst: $!";
while (<IN>) {
next if /$exclude_r/o;
s/\#.*$//o;
@@ -93,11 +95,13 @@ if (open(IN, '<', $postinst)) {
tag "output-of-updaterc.d-not-redirected-to-dev-null", "$name postinst";
}
}
+ close(IN);
}
-close(IN);
# read preinst control file
-if (open(IN, '<', $preinst)) {
+if ( -f $preinst and not -l $preinst) {
+ open(IN, '<', $preinst)
+ or fail "open preinst: $!";
while (<IN>) {
next if /$exclude_r/o;
s/\#.*$//o;
@@ -110,7 +114,9 @@ if (open(IN, '<', $preinst)) {
}
# read postrm control file
-if (open(IN, '<', $postrm)) {
+if ( -f $postrm and not -l $postrm) {
+ open(IN, '<', $postrm)
+ or fail "open postrm: $!";
while (<IN>) {
next if /$exclude_r/o;
s/\#.*$//o;
@@ -127,7 +133,9 @@ if (open(IN, '<', $postrm)) {
}
# read prerm control file
-if (open(IN, '<', $prerm)) {
+if ( -f $prerm and not -l $prerm) {
+ open(IN, '<', $prerm)
+ or fail "open prerm: $!";
while (<IN>) {
next if /$exclude_r/o;
s/\#.*$//o;
diff --git a/debian/changelog b/debian/changelog
index 367b794..6e24b82 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ lintian (2.4.3+squeeze2) stable; urgency=low
* checks/debconf:
+ [NT] Fix several path traversal issues that could leak
information about the host system.
+ * checks/init.d:
+ + [NT] Fix possible symlink traversal that could leak
+ information about the host system.
* checks/md5sums:
+ [NT] Fix path traversal issue that could leak information
about the host system.
--
Debian package checker
Reply to: