Hello,

sorry for making this extra complicated :-(

Ok, please see the attached patch, which is the same as the previous one, but cleaned up - I made a diff without committing all my changes, so git had a hard time recognising rename vs. delete & create new.

Sorry for the noise.

Simon

On 2016-07-29 at 14:20, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
> On Mon, Jul 4, 2016 at 18:22:46 +0200, Simon Kainz wrote:
>
>> Package: release.debian.org
>> Severity: normal
>> Tags: jessie
>> User: release.debian.org@packages.debian.org
>> Usertags: pu
>>
>> Paul Wise found out that duck runs untrusted code from the current directory as
>> well as the ./lib and ./lib/checks directory. The attached patch fixes this
>> issue.
>>
> Hi,
>
> any chance of a diff from git diff -M or similar so the actual changes
> are easier to spot?
>
> Thanks,
> Julien
>
diff --git a/lib/DUCK.pm b/DUCK.pm
similarity index 99%
rename from lib/DUCK.pm
rename to DUCK.pm
index 6012c9a..18846a8 100644
--- a/lib/DUCK.pm
+++ b/DUCK.pm
@@ -24,7 +24,6 @@
use strict;
use warnings;
-use lib '.';
package DUCK;
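Review bot: dropping `use lib '.'` is the right fix on the module side, since it put the current working directory on @INC for every later `use`/`require` in the process. The rename from lib/DUCK.pm to a top-level DUCK.pm is not needed for that fix and enlarges a stable update; if it stays, the changelog entry should say why the module moved (it now installs to /usr/share/duck instead of /usr/share/duck/lib, per the duck.install hunk).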
diff --git a/debian/changelog b/debian/changelog
index e88816e..2bd7e86 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+duck (0.7+deb8u1) jessie-security; urgency=high
+
+ * Fix CVE-2016-1239: Load code from untrusted local dir
+
+ * Update Maintainer email to my Debian email address.
+
+ -- Simon Kainz <skainz@debian.org> Mon, 04 Jul 2016 17:50:54 +0200
+
duck (0.7) unstable; urgency=medium
* Change certainty level (certain -> wild-guess) and
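Review bot: the new entry targets `jessie-security`, but this is a proposed-update request (`Usertags: pu`, `Tags: jessie` in the quoted report), so the distribution should be `jessie`. The second bullet (`* Update Maintainer email ...`) is unrelated to CVE-2016-1239; stable updates are normally limited to the fix itself, so either drop it or mention it explicitly in the pu request.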
diff --git a/debian/control b/debian/control
index ba586ef..c40eee6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
Source: duck
Section: devel
Priority: optional
-Maintainer: Simon Kainz <simon@familiekainz.at>
+Maintainer: Simon Kainz <skainz@debian.org>
Build-Depends: debhelper (>= 9),
libfile-which-perl,
libmailtools-perl,
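Review bot: the Maintainer address change is unrelated to the CVE fix and widens the diff the release team has to review; consider keeping it for unstable only, or at least call it out as intentional in the request.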
diff --git a/debian/duck.install b/debian/duck.install
index 4203e68..120e80a 100644
--- a/debian/duck.install
+++ b/debian/duck.install
@@ -1,2 +1,3 @@
duck usr/bin
-lib usr/share/duck
\ No newline at end of file
+lib usr/share/duck
+DUCK.pm /usr/share/duck
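Review bot: the two install lines mix path styles (`lib usr/share/duck` vs `DUCK.pm /usr/share/duck`); dh_install accepts both, but drop the leading slash so the file is consistent. Restoring the missing trailing newline on the `lib` line is fine.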
diff --git a/debian/rules b/debian/rules
index 1a59412..cc5fe0b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,4 +7,4 @@ LIBDIR = lib
dh $@
override_dh_auto_test:
- $(PERL) -Mlib=$(LIBDIR) -wc duck
\ No newline at end of file
+ $(PERL) -wc duck
\ No newline at end of file
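Review bot: `$(PERL) -wc duck` now depends on `use DUCK;` finding DUCK.pm in the build directory, which only works because jessie's perl still has `.` in @INC by default; make it explicit with `$(PERL) -I. -wc duck` (or `-Mlib=.`) so the syntax check does not silently rely on that. `LIBDIR = lib` in the context line is now unused and can be removed, and the file still lacks a trailing newline.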
diff --git a/duck b/duck
index 4823fa2..0c20372 100755
--- a/duck
+++ b/duck
@@ -24,15 +24,15 @@
use strict;
+use lib '/usr/share/duck';
use lib '/usr/share/duck/lib';
-use lib './lib';
use DUCK;
use Getopt::Std;
use Getopt::Long qw(:config pass_through );
use Data::Dumper;
use File::Basename;
-require lib;
+#require lib;
sub HELP_MESSAGE();
sub display_result($;$;$);
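Review bot: `-require lib;` / `+#require lib;` leaves commented-out code behind; delete the line outright, since `use lib` already loads lib.pm and the `require` was redundant. Adding `use lib '/usr/share/duck'` and removing `use lib './lib'` is the core of the script-side fix; note that `use lib` prepends, so `/usr/share/duck/lib` (the later statement) ends up ahead of `/usr/share/duck` in @INC, which is harmless here.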
@@ -40,10 +40,10 @@ sub missingHelpers();
my $checksdir='/usr/share/duck/lib/checks';
- if ( -d "./lib/checks" )
-{
- $checksdir='./lib/checks';
-}
+# if ( -d "./lib/checks" )
+#{
+# $checksdir='./lib/checks';
+#}
my $try_https=0;
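Review bot: the `./lib/checks` override is commented out rather than removed; drop the four `#` lines so the fixed script does not carry the vulnerable fallback around as comments. The hard-coded `$checksdir='/usr/share/duck/lib/checks'` together with the explicit `--modules-dir` option documented in the duck.1 hunk covers the developer use case.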
diff --git a/duck.1 b/duck.1
index 1e2f615..6aa5fcd 100644
--- a/duck.1
+++ b/duck.1
@@ -62,7 +62,8 @@ quiet mode. Suppress all output.
dry run. Don't run any checks, just show entries to be checked.
.TP
\fB\--modules-dir=\fRDIRECTORY
-specify modules directory. Mostly useful for developing new checks.
+specify modules directory. Mostly useful for developing new checks. If this parameter is specified, only modules defined in this
+directory are used. You have to copy all \fI*.pm\fR files from \fI/usr/share/duck/lib/checks\fR to the directory specified.
.TP
\fB\--no-color\fR
do not colorize output. See also the \fIDUCK_NOCOLOR\fR environment variable.
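Review bot: the added text correctly documents that `--modules-dir` now replaces, rather than adds to, the default check directory, but the two new lines are very long; groff source is conventionally wrapped with one sentence or clause per line. While touching these lines, `\fB\--modules-dir=\fR` (and `\fB\--no-color\fR` below) escape only the second hyphen; `\-\-` renders both as real minus signs.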