
[SCM] Debian package checker branch, squeeze, updated. 2.4.3-16-gddd5248



The following commit has been merged in the squeeze branch:
commit 6068e67a1933c3c23375b571684ea6e015da99bb
Author: Niels Thykier <niels@thykier.net>
Date:   Thu Apr 4 22:21:20 2013 +0200

    c/debconf: Check the sanity of the Binaries field
    
    Do a very strict check of the contents of the Binaries field, before
    using any of the "package names" listed in it as partial filenames.
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/debconf b/checks/debconf
index f1b99a9..d3cd93b 100644
--- a/checks/debconf
+++ b/checks/debconf
@@ -21,6 +21,7 @@
 package Lintian::debconf;
 use strict;
 
+use Lintian::Check qw($PKGNAME_REGEX);
 use Lintian::Relation;
 use Lintian::Tags qw(tag);
 use Util;
@@ -69,6 +70,11 @@ my $usesmultiselect='';
 
 if ($type eq 'source') {
     my $binaries = $info->field('binary');
+    # no binary field?  There is not much we can do about it here.
+    return unless defined $binaries;
+    # do not trust the contents of that field any further than we can
+    # throw it.
+    return unless $binaries =~ m{^$PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ $}xsm;
     chomp $binaries;
     my @files = map { "$_.templates" } split /,\s+/, $binaries;
     push @files, "templates";
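Review bot: The anchors in the added check at L39 (`^ … $` under `/m`) bind to line boundaries rather than to the ends of the string, so if `$info->field('binary')` can carry a multi-line value (the `chomp` on the following line shows at least a trailing newline is expected), a value whose last line is a clean package list passes while earlier lines still reach `split` and become partial filenames. Pinning the whole value with `\A`/`\z` closes that gap: move `chomp $binaries;` above the check and use `return unless $binaries =~ m{\A $PKGNAME_REGEX (?:\s*+ , \s*+ $PKGNAME_REGEX)*+ \z}xsm;`. Separately, the pattern accepts `foo,bar` and `foo ,bar` but `split /,\s+/` does not split them, producing a `foo,bar.templates` lookup; `split /\s*,\s*/, $binaries` matches the shape the check just validated. The enclosing `if ($type eq 'source')` block continues past the end of the hunk.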
diff --git a/debian/changelog b/debian/changelog
index de3a19b..34b5284 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 lintian (2.4.3+squeeze2) stable; urgency=low
 
+  * checks/debconf:
+    + [NT] Fix path traversal issue that could leak information
+      about the host system.
   * checks/md5sums:
     + [NT] Fix path traversal issue that could leak information
       about the host system.
diff --git a/lib/Lintian/Check.pm b/lib/Lintian/Check.pm
index 6d8cb36..2985eaf 100644
--- a/lib/Lintian/Check.pm
+++ b/lib/Lintian/Check.pm
@@ -28,7 +28,7 @@ use Lintian::Data;
 use Lintian::Tags qw(tag);
 
 our @ISA    = qw(Exporter);
-our @EXPORT = qw(check_maintainer check_spelling check_spelling_picky);
+our @EXPORT = qw(check_maintainer check_spelling check_spelling_picky $PKGNAME_REGEX);
 
 =head1 NAME
 
@@ -288,6 +288,21 @@ sub check_spelling_picky {
 
 =back
 
+=head1 VARIABLES
+
+=over 4
+
+=item $PKGNAME_REGEX
+
+Regular expression that matches valid package names.  The expression
+is not anchored and does not enforce any "boundry" characters.
+
+=cut
+
+our $PKGNAME_REGEX = qr{[a-z0-9][-+\.a-z0-9]+}o;
+
+=back
+
 =head1 AUTHOR
 
 Originally written by Russ Allbery <rra@debian.org> for Lintian.  Based on
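Review bot: The `/o` modifier on `qr{[a-z0-9][-+\.a-z0-9]+}o` has no effect, because the pattern interpolates no variables, and it reads as if the expression depended on one; `our $PKGNAME_REGEX = qr{[a-z0-9][-+\.a-z0-9]+};` is equivalent. The POD item spells "boundry" where "boundary" is meant. Given that the documentation stresses the expression is unanchored, the item would help callers more if it also stated the consequence, e.g. `Callers must anchor it themselves (\A ... \z); on its own it will match inside arbitrary text.`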
diff --git a/t/source/control-file-missing-separator/Makefile b/t/source/debconf-traversal/Makefile
similarity index 92%
copy from t/source/control-file-missing-separator/Makefile
copy to t/source/debconf-traversal/Makefile
index 4ea045a..3ab12c8 100644
--- a/t/source/control-file-missing-separator/Makefile
+++ b/t/source/debconf-traversal/Makefile
@@ -1,4 +1,4 @@
-name = control-file-missing-separator
+name = debconf-traversal
 dir  = $(name)-1
 
 all:
@@ -17,6 +17,7 @@ all:
 	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
 	    'BEGIN { $$h = get_file_checksum("md5", "$(name)_1.tar.gz") } s/\@MD5\@/$$h/g' $(name)_1.dsc
 	perl -i -pe 'BEGIN { $$s = (stat "$(name)_1.tar.gz")[7] } s/\@SIZE\@/$$s/g' $(name)_1.dsc
+	perl -i -pe 's/\@NULL\@/\0/g' $(name)_1.dsc
 
 clean:
 	rm -rf $(dir)
diff --git a/t/tests/cruft-empty-diff/upstream/debian/changelog b/t/source/debconf-traversal/changelog
similarity index 60%
copy from t/tests/cruft-empty-diff/upstream/debian/changelog
copy to t/source/debconf-traversal/changelog
index 98117b4..5ad38dd 100644
--- a/t/tests/cruft-empty-diff/upstream/debian/changelog
+++ b/t/source/debconf-traversal/changelog
@@ -1,8 +1,9 @@
-cruft-empty-diff (1.0-1) unstable; urgency=low
+debconf-traversal (1.0-1) unstable; urgency=low
 
   * Lintian Test Suite.
-  * Test: basic
+  * Test: debconf-traversal
 
   * Suppress "should close ITP bug" messages.  (Closes: #123456)
 
- -- Debian Lintian Maintainers <lintian-maint@debian.org>  Sun, 11 Jan 2009 21:03:14 -0800
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Sun, 01 Aug 2010 00:00:00 +0100
+
diff --git a/t/source/unpack-srcpkg-xz/control b/t/source/debconf-traversal/control
similarity index 78%
copy from t/source/unpack-srcpkg-xz/control
copy to t/source/debconf-traversal/control
index c531980..ad80274 100644
--- a/t/source/unpack-srcpkg-xz/control
+++ b/t/source/debconf-traversal/control
@@ -1,14 +1,14 @@
-Source: unpack-srcpkg-xz
+Source: debconf-traversal
 Section: devel
 Priority: optional
 Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
 Build-Depends: debhelper (>= 7)
 Standards-Version: 3.9.1
 
-Package: unpack-srcpkg-xz
+Package: debconf-traversal
 Architecture: all
 Depends: ${misc:Depends}
-Description: Test package for xz-compressed source packages
+Description: Test against traversal issue in c/debconf
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.
diff --git a/t/debs/control-field-traversal-4/copyright b/t/source/debconf-traversal/copyright
similarity index 100%
copy from t/debs/control-field-traversal-4/copyright
copy to t/source/debconf-traversal/copyright
diff --git a/t/source/debconf-traversal/desc b/t/source/debconf-traversal/desc
new file mode 100644
index 0000000..c8f67f9
--- /dev/null
+++ b/t/source/debconf-traversal/desc
@@ -0,0 +1,5 @@
+Testname: debconf-traversal
+Sequence: 6000
+Version: 1.0
+Description: Test for traversal issues via debconf templates
+Test-Against: syntax-error-in-debconf-template
diff --git a/t/source/debconf-traversal/dsc.in b/t/source/debconf-traversal/dsc.in
new file mode 100644
index 0000000..be77d1d
--- /dev/null
+++ b/t/source/debconf-traversal/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: debconf-traversal
+Binary: ../unpacked/debian/changelog@NULL@
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.9.1
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ debconf-traversal_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ debconf-traversal_1.tar.gz
+Files:
+ @MD5@ @SIZE@ debconf-traversal_1.tar.gz
diff --git a/t/source/control-field-traversal-1/rules b/t/source/debconf-traversal/rules
similarity index 100%
copy from t/source/control-field-traversal-1/rules
copy to t/source/debconf-traversal/rules
diff --git a/t/debs/control-files-traversal/tags b/t/source/debconf-traversal/tags
similarity index 100%
copy from t/debs/control-files-traversal/tags
copy to t/source/debconf-traversal/tags

-- 
Debian package checker

