Package: lintian
Version: 2.5.12
Severity: normal

Hi!

The new (re #705553) “source-contains-unsafe-symlink” tag currently produces false positives for symlinks starting in ../../ (or otherwise ascending two or more levels of the directory hierarchy) because the respective check in the find_cruft function is based on the dirname $_ (the basename of the current file, whose dirname is always ".") instead of $name (its path relative to the root directory of the source package).

See <http://snapshot.debian.org/archive/debian/20130505T093307Z/pool/main/i/ikiwiki/ikiwiki_3.20130504.dsc> for an example of a package with a couple of false positives.

The attached patch seems to do the trick, but I haven’t verified its effects extensively.

Cheers,
Michael

From 33cee708ddb68990d9ef0258a86be2ae8d43844a Mon Sep 17 00:00:00 2001
From: Michael Schutte <michi@debian.org>
Date: Fri, 10 May 2013 23:30:10 +0200
Subject: [PATCH] c/cruft: Don't consider all ../../** symlinks unsafe

$_ in find_cruft is set to the basename of the examined file. The
effect of the link destination on basename($_) is currently used in
order to check whether a symlink escapes the root directory of the
source package; this results in false positives for all symlinks moving
up more than one level, as basename($_) is always ".". Base this check
on the full relative path to the file ($name) instead.
diff --git a/checks/cruft b/checks/cruft
index b003ecb..ec079f9 100644
--- a/checks/cruft
+++ b/checks/cruft
@@ -359,7 +359,7 @@ sub find_cruft {
}
if (-l) {
my $target = readlink($_);
- my $dirname = dirname($_);
+ my $dirname = dirname($name);
my $normalized;
# If it is an absolute link, it escapes the root by default
if ($target !~ m{\A / }xsm) {
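Review bot: No test accompanies the one-line change at `my $dirname = dirname($name);`, and the report itself says the effects were not verified extensively. A regression case with a symlink nested two directories deep whose target starts with ../../ and stays inside the tree (must not be tagged), next to one whose target climbs past the root (must still be tagged), would pin the behaviour. The fix also relies on $name being relative to the source root with no leading prefix; it is worth confirming that where $name is set, since any extra leading components would absorb additional ".." steps and let an escaping link pass. In the commit message, 'basename($_) is always "."' presumably means dirname($_).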
--
1.7.10.4
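
The failure mode described in the report, as an added example that is not part of the original message or of lintian's code: a simplified lexical resolver evaluated once with the link's basename and once with its path relative to the source root. The function name `escapes_root` and the sample links are constructed, and the resolver models only the idea of counting ascents against the link's directory, not lintian's actual normalization.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(dirname basename);

# Lexically resolve $target against the directory that holds the link.
# Returns 1 if the result leaves the source root, 0 otherwise.
# $link is expected to be a path relative to the source root
# (hypothetical helper, not lintian's own code).
sub escapes_root {
    my ($link, $target) = @_;
    return 1 if $target =~ m{\A /}xsm;    # absolute: always outside
    my @stack = grep { $_ ne '.' && $_ ne '' } split m{/+}, dirname($link);
    for my $part (split m{/+}, $target) {
        next if $part eq '' || $part eq '.';
        if ($part eq '..') {
            return 1 unless @stack;       # climbed above the root
            pop @stack;
        } else {
            push @stack, $part;
        }
    }
    return 0;
}

# Constructed sample links: [path relative to root, link target]
my @links = (
    ['doc/examples/logo.png', '../../images/logo.png'],   # stays inside
    ['doc/examples/passwd',   '../../../etc/passwd'],     # leaves the tree
    ['README',                '/usr/share/doc/README'],   # absolute
);

for my $l (@links) {
    my ($path, $target) = @$l;
    # basename($path) stands in for $_, $path for $name
    printf "%-22s -> %-22s basename-based: %-6s path-based: %s\n",
        $path, $target,
        (escapes_root(basename($path), $target) ? 'unsafe' : 'ok'),
        (escapes_root($path,           $target) ? 'unsafe' : 'ok');
}
```

Only the first link differs between the two columns: with the basename its directory is ".", so nothing is left to absorb the two ascents and the in-tree target is reported as unsafe.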