[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248

To: debian-lint-maint@lists.debian.org
Subject: [SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
From: "Niels Thykier" <niels@thykier.net>
Date: Tue, 16 Apr 2013 16:40:49 +0000
Message-id: <[🔎] E1US8w5-00055t-4R@vasks.debian.org>

The following commit has been merged in the squeeze branch:
commit 7a07f781503c1cc06eebd6facd42d6f0d9f84d53
Author: Niels Thykier <niels@thykier.net>
Date:   Fri Apr 5 10:08:19 2013 +0200

    coll/changelog-file: Check usr/share/doc/<pkg> is safe
    
    At the same time, stop looking at files in usr/doc/<pkg>.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/collection/changelog-file b/collection/changelog-file
index 49d5f8e..5cb35ce 100755
--- a/collection/changelog-file
+++ b/collection/changelog-file
@@ -32,7 +32,10 @@ my $type = shift;
 
 unlink("changelog");
 
+unlink('NEWS.Debian');
+
 # Pick the first of these files that exists.
+
 my @changelogs = ("unpacked/usr/share/doc/$pkg/changelog.Debian.gz",
 	       "unpacked/usr/share/doc/$pkg/changelog.Debian",
 	       "unpacked/usr/share/doc/$pkg/changelog.debian.gz",
@@ -48,6 +51,13 @@ my @changelogs = ("unpacked/usr/share/doc/$pkg/changelog.Debian.gz",
 
 my $chl;
 
+if (-d "unpacked/usr/share/doc/$pkg"
+    && !is_ancestor_of("unpacked", "unpacked/usr/share/doc/$pkg")) {
+    # If the parent dir is outside this package, pretend we didn't find
+    # anything.
+    return;
+}
+
 for (@changelogs) {
     if (-l $_ || -f $_) {
 	$chl = $_;
@@ -55,6 +65,14 @@ for (@changelogs) {
     }
 }
 
+if (defined($chl) and $chl =~ m{^unpacked/usr/doc/}o) {
+    if (!is_ancestor_of("unpacked", "unpacked/usr/doc/$pkg")) {
+        # If the parent dir is outside this package, pretend we didn't find
+        # anything.
+        return;
+    }
+}
+
 # If the changelog file we found was a symlink, we have to be careful.  It
 # could be a symlink to some file outside of the laboratory and we don't want
 # to end up reading that file by mistake.  Relative links within the same
@@ -93,7 +111,6 @@ if (not defined $chl) {
 
 # Extract NEWS.Debian files as well, with similar precautious.  Ignore any
 # symlinks to other packages here; in that case, we just won't check the file.
-unlink('NEWS.Debian');
 my $news = "unpacked/usr/share/doc/$pkg/NEWS.Debian.gz";
 if (-f $news) {
     if (-l $news) {
diff --git a/debian/changelog b/debian/changelog
index d1f2779..9fd8c1d 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,11 @@ lintian (2.4.3+squeeze2) stable; urgency=low
     + [NT] Fix path traversal issue that could leak information
       about the host system.
 
+  * collection/changelog-file:
+    + [NT] Ignore files in usr/doc/<pkg>.
+    + [NT] Skip collection if usr/share/doc/<pkg> is not contained
+      within the package root.
+
   * lib/Util.pm:
     + [NT] Add sub to check if a path is contained within a given dir.
 

-- 
Debian package checker

Reply to:

Prev by Date: [SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
Next by Date: [SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
Previous by thread: [SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
Next by thread: [SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248
Index(es):
- Date
- Thread