
[SCM] Debian package checker branch, master, updated. 2.5.12-83-gdde03d1



The following commit has been merged in the master branch:
commit dde03d107915a7f5cfb36b214a2681196bc700f9
Author: Michael Schutte <michi@debian.org>
Date:   Fri May 10 23:30:10 2013 +0200

    c/cruft: Don't consider all ../../** symlinks unsafe
    
    $_ in find_cruft is set to the basename of the examined file.  The
    effect of the link destination on basename($_) is currently used in
    order to check whether a symlink escapes the root directory of the
    source package; this results in false positives for all symlinks moving
    up more than one level, as basename($_) is always ".".  Base this check
    on the full relative path to the file ($name) instead.
    
    [nthykier: Fixup the test with an incorrect tags file]
    
    Signed-off-by: Niels Thykier <niels@thykier.net>

diff --git a/checks/cruft b/checks/cruft
index b003ecb..ec079f9 100644
--- a/checks/cruft
+++ b/checks/cruft
@@ -359,7 +359,7 @@ sub find_cruft {
     }
     if (-l) {
         my $target = readlink($_);
-        my $dirname = dirname($_);
+        my $dirname = dirname($name);
         my $normalized;
         # If it is an absolute link, it escapes the root by default
         if ($target !~ m{\A / }xsm) {
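
Review bot: In `my $dirname = dirname($name);` the directory now comes from `$name`, while the `-l` test and `readlink($_)` directly above still operate on `$_`, and nothing in the code says why the two differ. A short comment here stating that `$_` is only the basename at this point and that `$name` is the path relative to the package root would keep someone from "simplifying" it back. The escape check is also only as strict as that assumption: if `$name` ever carried a leading prefix from outside the source tree, a link could ascend past the root without being flagged. How `$name` is rooted is not visible in this hunk, so it is worth confirming at the find_cruft call site.
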
diff --git a/debian/changelog b/debian/changelog
index 6bfa148..50561a5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,10 @@ lintian (2.5.13) UNRELEASED; urgency=low
       (Closes: #706166)
     + [NT] Flag all absolute symlinks in source packages as
       "unsafe".  (Closes: #697164)
+    + [NT] Fix false-positive source-contains-unsafe-symlink
+      for symlinks ascending one or more levels without escaping
+      the package root.  Thanks to Michael Schutte for the
+      report and the patch.  (Closes: #707742)
   * checks/debhelper{,.desc}:
     + [NT] Retire some tags that is no longer relevant in the
       Jessie development cycle.
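
Review bot: The new changelog entry says "ascending one or more levels", but the commit message describes the false positive as affecting symlinks "moving up more than one level" and the subject names `../../**`. Suggest aligning the changelog wording with the commit message so the entry describes the same case that #707742 reports.
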
diff --git a/t/source/debian-source-dir-traversal-1/Makefile b/t/source/debian-source-dir-traversal-1/Makefile
index 271bf09..dfcf94b 100644
--- a/t/source/debian-source-dir-traversal-1/Makefile
+++ b/t/source/debian-source-dir-traversal-1/Makefile
@@ -11,6 +11,9 @@ all:
 	mkdir $(dir)/debian/source
 	echo 1.0 > $(dir)/debian/source/format
 	# link to index file for the lab entry
+	# - NB: This should not trigger source-contains-unsafe-symlink
+	#   because the link it self is not unsafe (i.e. it is safe
+	#   relative to unpacked, but unsafe relative to debfiles)
 	ln -s ../../index $(dir)/debian/source/git-patches
 	mkdir $(dir)/debian/patches
 	touch $(dir)/debian/patches/series
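
Review bot: The added comment above `ln -s ../../index $(dir)/debian/source/git-patches` has a typo ("it self" should be "itself"), and the parenthetical "safe relative to unpacked, but unsafe relative to debfiles" is terse for someone who does not know both views of the package. Suggest spelling out that `../../index` resolves inside the unpacked source root, which is why source-contains-unsafe-symlink must not fire, and naming the tag that this test does expect to exercise.
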
diff --git a/t/source/debian-source-dir-traversal-1/tags b/t/source/debian-source-dir-traversal-1/tags
index 455947e..e69de29 100644
--- a/t/source/debian-source-dir-traversal-1/tags
+++ b/t/source/debian-source-dir-traversal-1/tags
@@ -1 +0,0 @@
-E: debian-source-dir-traversal-1 source: source-contains-unsafe-symlink git-patches
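
Review bot: With the only expected tag removed, the tags file for debian-source-dir-traversal-1 is empty, so this test now asserts only the negative case (no source-contains-unsafe-symlink for `git-patches`). Nothing in this patch checks that a nested symlink which really does ascend past the package root is still flagged after the switch to `dirname($name)`. Suggest adding a companion test case, or a second link in a test that expects the tag, so the change is covered in both directions.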

-- 
Debian package checker

