
Bug#637384: pu: package lintian/2.4.3+squeeze1



Package: release.debian.org
Severity: normal
Tags: patch
User: release.debian.org@packages.debian.org
Usertags: pu


Hi

I would like permission to backport the following security
related patch to Lintian in stable.  The security team has
already told me that they were not interested in a security
upload.
As far as I know, oldstable is not vulnerable.

The patch includes a test that can be run by executing:

 $ debian/rules runtests onlyrun=debian-source-dir-traversal-2

Note that the full test suite will fail due to an unrelated
problem (namely that lintian relies on system time for its
"ancient-standards-version" tag).

Thank you in advance,
~Niels
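
The symlink-follow problem the patch addresses, as an added example in Python (this is not Lintian's code; the toy lab layout, the file names and the `host-only.txt` file are constructed for the demonstration). `naive_source_entries` reproduces the pre-patch behaviour, where a directory test that follows symlinks lets a crafted `debian/source -> ../` list whatever sits next to the unpacked package; `lstat_confined` shows the check the patch applies, generalised to every path component rather than the leaf only, and `hardened_source_format` adds `O_NOFOLLOW` on the open so the check and the read cannot disagree.

```python
import os
import stat
import tempfile
from pathlib import Path


def build_lab(root, crafted):
    """Build a toy lab entry (layout is constructed for this example).

      entry/host-only.txt      a file that is not part of the package
      entry/debfiles/          the checker's copy of the package's debian/ dir
      entry/debfiles/source    a real dir, or a symlink to '../' (crafted)
    """
    entry = Path(root) / "entry"
    debfiles = entry / "debfiles"
    debfiles.mkdir(parents=True)
    (entry / "host-only.txt").write_text("must never be listed\n")
    for name in ("control", "changelog", "rules"):
        (debfiles / name).write_text("stub\n")
    if crafted:
        # Same trick as the test fixture: debian/source -> ../ escapes the dir
        os.symlink("../", debfiles / "source")
    else:
        (debfiles / "source").mkdir()
        (debfiles / "source" / "format").write_text("3.0 (quilt)\n")
    return entry


def naive_source_entries(entry):
    """Pre-fix behaviour: Path.is_dir() follows symlinks, so a crafted
    package gets the symlink *target* listed (the disclosure)."""
    src = Path(entry) / "debfiles" / "source"
    if src.is_dir():
        return sorted(os.listdir(src))
    return []


def lstat_confined(base, rel):
    """lstat() every component of rel below base.

    Returns the final stat result, None if the path does not exist, and
    raises ValueError if any component (not only the leaf) is a symlink.
    """
    cur = Path(base)
    st = None
    for part in Path(rel).parts:
        cur = cur / part
        try:
            st = os.lstat(cur)
        except (FileNotFoundError, NotADirectoryError):
            return None
        if stat.S_ISLNK(st.st_mode):
            raise ValueError(f"{rel}: component {part!r} is a symlink")
    return st


def hardened_source_entries(entry):
    """Fixed behaviour: list debian/source only if it is a real directory."""
    base = Path(entry) / "debfiles"
    st = lstat_confined(base, "source")
    if st is None or not stat.S_ISDIR(st.st_mode):
        return []
    return sorted(os.listdir(base / "source"))


def hardened_source_format(entry):
    """Read the first line of debian/source/format, refusing symlinks in
    the directory and the file; O_NOFOLLOW makes the open itself fail if
    the leaf turned into a symlink after the lstat."""
    base = Path(entry) / "debfiles"
    st = lstat_confined(base, "source/format")
    if st is None or not stat.S_ISREG(st.st_mode):
        return None
    fd = os.open(base / "source" / "format", os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as fh:
        return fh.readline().strip()


def demo():
    """Run both checks against a crafted and a benign entry."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        entry = build_lab(tmp, crafted=True)
        results["naive_crafted"] = naive_source_entries(entry)
        try:
            hardened_source_entries(entry)
            results["hardened_crafted"] = "listed"
        except ValueError:
            results["hardened_crafted"] = "rejected"
        try:
            hardened_source_format(entry)
            results["format_crafted"] = "read"
        except ValueError:
            results["format_crafted"] = "rejected"
    with tempfile.TemporaryDirectory() as tmp:
        entry = build_lab(tmp, crafted=False)
        results["naive_benign"] = naive_source_entries(entry)
        results["hardened_benign"] = hardened_source_entries(entry)
        results["format_benign"] = hardened_source_format(entry)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the crafted case the naive check lists the lab entry's contents, including the file that is not part of the package, while the hardened check rejects the path before `listdir` runs; in the benign case both agree. Walking every component matters because an lstat on `debfiles/source/format` alone says nothing about whether `debfiles/source` is itself a symlink.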



*** 0001-Prevent-info-disclosure-via-symlinks-in-c-debian-sou.patch
From 2ba0ab7c716eee3adc79b5d9dab5ccccea1699a7 Mon Sep 17 00:00:00 2001
From: Niels Thykier <niels@thykier.net>
Date: Wed, 10 Aug 2011 20:51:29 +0200
Subject: [PATCH] Prevent info disclosure via symlinks in c/debian-source-dir

Lintian could be tricked into revealing the presence of one or
more files on the host system via specially crafted source
packages.

This is a backport of 765609fc11e93449637ddb1e4668b9242d93078b
---
 checks/debian-source-dir                         |    4 +-
 debian/changelog                                 |    9 ++++++++
 t/source/debian-source-dir-traversal-2/Makefile  |   23 ++++++++++++++++++++++
 t/source/debian-source-dir-traversal-2/changelog |    8 +++++++
 t/source/debian-source-dir-traversal-2/control   |   14 +++++++++++++
 t/source/debian-source-dir-traversal-2/copyright |   22 +++++++++++++++++++++
 t/source/debian-source-dir-traversal-2/dsc.in    |   14 +++++++++++++
 t/source/debian-source-dir-traversal-2/rules     |    3 ++
 t/source/debian-source-dir-traversal-2/tags      |    2 +
 9 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 t/source/debian-source-dir-traversal-2/Makefile
 create mode 100644 t/source/debian-source-dir-traversal-2/changelog
 create mode 100644 t/source/debian-source-dir-traversal-2/control
 create mode 100644 t/source/debian-source-dir-traversal-2/copyright
 create mode 100644 t/source/debian-source-dir-traversal-2/dsc.in
 create mode 100755 t/source/debian-source-dir-traversal-2/rules
 create mode 100644 t/source/debian-source-dir-traversal-2/tags

diff --git a/checks/debian-source-dir b/checks/debian-source-dir
index 91e10c8..4b489be 100644
- --- a/checks/debian-source-dir
+++ b/checks/debian-source-dir
@@ -36,7 +36,7 @@ my $pkg = shift;
 my $type = shift;
 my $info = shift;
 
- -if (-e "debfiles/source/format") {
+if (-e "debfiles/source/format" && ! -l "debfiles/source/format") {
     open(FORMAT, "<", "debfiles/source/format") or
         fail("cannot read debian/source/format: $!");
     my $format = <FORMAT>;
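Review bot: the new `! -l "debfiles/source/format"` guard covers only the leaf; `-e` and the `open` two lines below still resolve through `debfiles/source` when that is itself a symlink (the case the next hunk guards for `opendir`), so a crafted `debian/source -> ../` with a `format` file at the target would still be read and its first line fed into the format check. Suggest guarding the parent here too, e.g. `if (! -l "debfiles/source" && -e "debfiles/source/format" && ! -l "debfiles/source/format")`, or computing the "source is a real directory" result once and reusing it in both hunks. A dangling symlink fails `-e` first and is skipped, which is fine since the `open` would fail anyway.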
@@ -46,7 +46,7 @@ if (-e "debfiles/source/format") {
     tag "missing-debian-source-format";
 }
 
- -if (-d "debfiles/source") {
+if (! -l 'debfiles/source' && -d "debfiles/source") {
     opendir(DEBSRC, "debfiles/source") or fail("cannot opendir debian/source/: $!");
     my $file;
     while ($file = readdir(DEBSRC)) {
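Review bot: `! -l 'debfiles/source' && -d "debfiles/source"` makes two separate stat calls on the same path and mixes single and double quotes on one line; `lstat "debfiles/source"` followed by `-d _` tests the same condition from a single lstat buffer (a symlink is never a directory under lstat) and states the intent more directly. The `readdir` loop below only reports entry names, so a symlink inside a genuine `debian/source` directory is harmless for this check.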
diff --git a/debian/changelog b/debian/changelog
index 25709f9..c95c6a3 100755
- --- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+lintian (2.4.3+squeeze1) stable; urgency=low
+
+  * checks/debian-source-dir:
+    + [NT] Fixed information disclosure issue, where Lintian could
+      be tricked into disclosing the present of files on the host
+      system via specially crafted source packages.
+
+ -- Niels Thykier <niels@thykier.net>  Wed, 10 Aug 2011 20:53:04 +0200
+
 lintian (2.4.3) unstable; urgency=low
 
   The "Policy 3.9.1" release.
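Review bot: typo in the changelog entry: `disclosing the present of files` should read `disclosing the presence of files`; the commit message above already has the correct wording.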
diff --git a/t/source/debian-source-dir-traversal-2/Makefile b/t/source/debian-source-dir-traversal-2/Makefile
new file mode 100644
index 0000000..10d87d2
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/Makefile
@@ -0,0 +1,23 @@
+name = debian-source-dir-traversal-2
+dir  = $(name)-1
+
+all:
+	mkdir $(dir)
+	mkdir $(dir)/debian
+	cp changelog copyright control rules $(dir)/debian/
+	# Link to the lab entry - should trigger a myriad of
+	# "unknown-file-in-debian-source" tags, if lintian is vulnerable
+	ln -s ../ $(dir)/debian/source
+	tar cfz $(name)_1.tar.gz $(dir)
+	cp dsc.in $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("sha1", "$(name)_1.tar.gz") } s/\@SHA1\@/$$h/g' $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("sha256", "$(name)_1.tar.gz") } s/\@SHA256\@/$$h/g' $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("md5", "$(name)_1.tar.gz") } s/\@MD5\@/$$h/g' $(name)_1.dsc
+	perl -i -pe 'BEGIN { $$s = (stat "$(name)_1.tar.gz")[7] } s/\@SIZE\@/$$s/g' $(name)_1.dsc
+
+clean:
+	rm -rf $(dir)
+	rm -f $(name)_1*
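Review bot: this fixture exercises only the symlinked-directory case (`ln -s ../ $(dir)/debian/source`), so the `! -l "debfiles/source/format"` change in `checks/debian-source-dir` has no test covering it. A second fixture with a real `debian/source` directory and a `format` that is a symlink to a path outside the unpacked tree would cover that hunk; per the `else` branch visible in the first hunk, its expected tags would then include `missing-debian-source-format` just as this one does. Minor: `all` and `clean` are not declared `.PHONY`, so a stray file named `all` or `clean` in the test directory would turn them into no-ops.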
diff --git a/t/source/debian-source-dir-traversal-2/changelog b/t/source/debian-source-dir-traversal-2/changelog
new file mode 100644
index 0000000..43d3dbd
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/changelog
@@ -0,0 +1,8 @@
+debian-source-dir-traversal-2 (1) unstable; urgency=low
+
+  * Lintian Test Suite.
+  * Test: debian-source-dir-traversal-2
+
+  * Suppress "should close ITP bug" messages.  (Closes: #123456)
+
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Fri, 15 Jul 2011 15:30:00 +0200
diff --git a/t/source/debian-source-dir-traversal-2/control b/t/source/debian-source-dir-traversal-2/control
new file mode 100644
index 0000000..b29fd2b
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/control
@@ -0,0 +1,14 @@
+Source: debian-source-dir-traversal-2
+Section: devel
+Priority: optional
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Build-Depends: debhelper (>= 7)
+Standards-Version: 3.9.1
+
+Package: debian-source-dir-traversal-2
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Test for directory traversal issues via field names or values
+ This is a test package designed to exercise some feature or tag of
+ Lintian.  It is part of the Lintian test suite and may do very odd
+ things.  It should not be installed like a regular package.
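Review bot: the `Description` field, `Test for directory traversal issues via field names or values`, describes a different fixture; this one tests a symlinked `debian/source`. Suggest `Test for traversal via a symlinked debian/source directory` so the purpose is clear when the test fails.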
diff --git a/t/source/debian-source-dir-traversal-2/copyright b/t/source/debian-source-dir-traversal-2/copyright
new file mode 100644
index 0000000..6afc448
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/copyright
@@ -0,0 +1,22 @@
+This is part of the testsuite of lintian. See the file debian/copyright
+in the lintian source directory for more details.
+
+So far as it is copyrightable at all, this test case is
+   Copyright © 2009 Russ Allbery <rra@debian.org>
+   Copyright © 2009 Adam D. Barratt <adam@adam-barratt.org.uk>
+
+This program is free software; you may redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This is distributed in the hope that it will be useful, but without
+any warranty; without even the implied warranty of merchantability or
+fitness for a particular purpose. See the GNU General Public License
+for more details.
+
+A copy of the GNU General Public License version 2 is available as
+/usr/share/common-licenses/GPL-2 in the Debian GNU/Linux distribution
+or at http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+You can also obtain it by writing to the Free Software Foundation, Inc.,
+51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
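Review bot: the attribution lines (`Copyright © 2009 Russ Allbery`, `Copyright © 2009 Adam D. Barratt`) look copied from an older fixture; the patch author and date on this patch are Niels Thykier, 2011. Adjust the names and year unless the boilerplate is intentionally shared across all test fixtures.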
diff --git a/t/source/debian-source-dir-traversal-2/dsc.in b/t/source/debian-source-dir-traversal-2/dsc.in
new file mode 100644
index 0000000..a66f712
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: debian-source-dir-traversal-2
+Binary: debian-source-dir-traversal-2
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.9.1
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Files:
+ @MD5@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
diff --git a/t/source/debian-source-dir-traversal-2/rules b/t/source/debian-source-dir-traversal-2/rules
new file mode 100755
index 0000000..cbe925d
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/rules
@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+	dh $@
diff --git a/t/source/debian-source-dir-traversal-2/tags b/t/source/debian-source-dir-traversal-2/tags
new file mode 100644
index 0000000..97fd61a
- --- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/tags
@@ -0,0 +1,2 @@
+I: debian-source-dir-traversal-2 source: missing-debian-source-format
+W: debian-source-dir-traversal-2 source: package-uses-deprecated-debhelper-compat-version 1
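Review bot: the expected output asserts the fix only by omission: a symlinked `debian/source` now produces no tag at all, and the test passes because `unknown-file-in-debian-source` does not appear. Since a symlinked `debian/source` is never legitimate in a source package, consider emitting a dedicated tag for it (and for a symlinked `debian/source/format`) so the maintainer is told why the directory was skipped and the fixture can assert something positive.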
-- 
1.7.5.4




