[SCM] Debian package checker branch, master, updated. 2.5.13-51-g7510809
The following commit has been merged in the master branch:
commit 62004f402c3614bb62d3d0b41ca87600de0b8fc1
Author: Niels Thykier <niels@thykier.net>
Date: Sat Jun 29 13:15:27 2013 +0200
c/menus.pm: Fix broken symlink test (CVE-2013-1429)
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/menus.pm b/checks/menus.pm
index a11fa2e..5cd3d3c 100644
--- a/checks/menus.pm
+++ b/checks/menus.pm
@@ -175,10 +175,11 @@ if ($docbase_file) {
opendir(my $dirfd, $info->lab_data_path('doc-base'));
my $dbfile;
while (defined($dbfile = readdir($dirfd)) ) {
+ next if $dbfile eq '.' or $dbfile eq '..';
my $dbpath = $info->lab_data_path ("doc-base/$dbfile");
# don't try to parse executables, plus we already warned about it
# - skip symlinks as well, unlikely to be used for real doc-base files.
- next if -x $dbfile or -l $dbfile;
+ next if -x $dbpath or -l $dbpath or not -f $dbpath;
check_doc_base_file ($dbfile, $dbpath, $pkg, \%all_files, \%all_links,
$group);
}
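Review bot: On the new `next if -x $dbpath or -l $dbpath or not -f $dbpath;` line, `-x` is evaluated first and, like `-f`, it uses stat() and so follows a symlink before `-l` (lstat) gets to reject it. Putting the symlink test first keeps package-controlled links from being dereferenced at all: `next if -l $dbpath or not -f $dbpath or -x $dbpath;`. The comment above it still describes only executables and symlinks; I would extend it with something like `# test the full lab path ($dbpath): the bare readdir name resolves against the cwd, so the old tests never matched` and note that non-regular files are now skipped too, so the check is not simplified back later. The enclosing `if ($docbase_file)` block starts and ends outside this hunk, so whether the `opendir` result is checked elsewhere cannot be seen from here.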
diff --git a/debian/changelog b/debian/changelog
index fcacc8e..c7fc9d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -28,6 +28,9 @@ lintian (2.5.14) UNRELEASED; urgency=low
will now trigger bad-version-number instead.
+ [NT] Properly quote package names used in regular expressions.
Thanks to Mattias Ellert for the report. (Closes: #714427)
+ * checks/menus.pm:
+ + [NT] Fix a bug in checking for symlinks that could possibly
+ make lintian follow an unsafe symlink. (CVE-2013-1429)
* coll/*:
+ [NT] Set "Auto-Remove: yes" on several collections to
--
Debian package checker