--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: apo@debian.org
Please unblock package xarchiver
[ Reason ]
Fix for Debian bug #990906. Serious data loss if symlinks within
archives point to files which reside outside of the archive and a user
double-clicks on the symlink.
[ Impact ]
Debian bug #990906 would not be fixed for Debian 11.
[ Tests ]
Could no longer reproduce the data loss after applying the patch.
[ Risks ]
None. Non-intrusive and straightforward patch.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock xarchiver/1:0.5.4.17-2
diff -Nru xarchiver-0.5.4.17/debian/changelog xarchiver-0.5.4.17/debian/changelog
--- xarchiver-0.5.4.17/debian/changelog 2021-01-26 14:16:53.000000000 +0100
+++ xarchiver-0.5.4.17/debian/changelog 2021-07-13 14:02:25.000000000 +0200
@@ -1,3 +1,11 @@
+xarchiver (1:0.5.4.17-2) unstable; urgency=medium
+
+ * Fix Debian bug #990906. Do not follow symbolic links if the files reside
+ outside the archive. (Closes: #990906)
+ Thanks to David Harte for the report and Ingo Brückl for the patch.
+
+ -- Markus Koschany <apo@debian.org> Tue, 13 Jul 2021 14:02:25 +0200
+
xarchiver (1:0.5.4.17-1) unstable; urgency=medium
* New upstream version 0.5.4.17.
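Review bot: the changelog wording "Do not follow symbolic links if the files reside outside the archive" does not match what the patch does; the new condition in xa_collect_files_in_dir() skips descending into any directory that is a symlink, wherever it points, and performs no check of the link target against the archive location. Suggest rewording to "Never descend into symlinked directories when collecting temporarily extracted files", which is also what the upstream commit subject says.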
diff -Nru xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch
--- xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch 1970-01-01 01:00:00.000000000 +0100
+++ xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch 2021-07-13 14:02:25.000000000 +0200
@@ -0,0 +1,29 @@
+From 949854e9a74489d8d977aac7a8428ecadd526ff1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingo=20Br=C3=BCckl?= <ib@wupperonline.de>
+Date: Mon, 12 Jul 2021 16:41:35 +0200
+Subject: [PATCH] Never follow symbolic links in xa_collect_files_in_dir()
+
+When temporarily extracted files with paths are needed without path,
+symbolic links must be used as is. It must not be descended into
+directories that are symbolic links, because they could reside outside
+the archive.
+
+This fixes Debian bug #990906.
+---
+ src/string_utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/string_utils.c b/src/string_utils.c
+index 5881be12..a3aa49a5 100644
+--- a/src/string_utils.c
++++ b/src/string_utils.c
+@@ -408,7 +408,8 @@ GString *xa_collect_files_in_dir (const gchar *directory)
+ file = stack->data;
+ stack = g_slist_delete_link(stack, stack);
+
+- if (g_file_test(file, G_FILE_TEST_IS_DIR))
++ if (g_file_test(file, G_FILE_TEST_IS_DIR) &&
++ !g_file_test(file, G_FILE_TEST_IS_SYMLINK))
+ {
+ GDir *dir;
+ const gchar *name;
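Review bot: the operand order in the new condition, `g_file_test(file, G_FILE_TEST_IS_DIR) && !g_file_test(file, G_FILE_TEST_IS_SYMLINK)`, runs the IS_DIR test first, and that test stat()s through the link before the IS_SYMLINK test (an lstat()) rejects it. Reversing the operands to `!g_file_test(file, G_FILE_TEST_IS_SYMLINK) && g_file_test(file, G_FILE_TEST_IS_DIR)` gives the same result without ever resolving the link and makes the intent of the guard read first. The two tests are also separate system calls, so an entry replaced between them is still descended into; a short comment noting that this is accepted for a temporary extraction directory would help the next reader. Only the descent decision is visible in this hunk; the else branch that treats the link "as is" (per the commit message) and whatever later consumes the collected list are outside it, so the debdiff alone does not show that the consumer no longer writes or deletes through the link, and that should be checked against the full source.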
diff -Nru xarchiver-0.5.4.17/debian/patches/series xarchiver-0.5.4.17/debian/patches/series
--- xarchiver-0.5.4.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ xarchiver-0.5.4.17/debian/patches/series 2021-07-13 14:02:25.000000000 +0200
@@ -0,0 +1 @@
+debian-bug-990906.patch
--- End Message ---
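The traversal the patch above guards, reproduced as an added example rather than xarchiver's own code. It is written in plain POSIX C so that it runs without GLib: stat() stands in for g_file_test(..., G_FILE_TEST_IS_DIR), which follows symlinks, and lstat() stands in for g_file_test(..., G_FILE_TEST_IS_SYMLINK), which examines the link itself. The fixture (a temporary "archive" directory containing a real member and a symlink to a directory outside it) is constructed by the example; the function names walk() and demo_escapes() and the /tmp/xa-demo-* path are this example's own. The walk counts regular files reached whose real location lies outside the archive directory, which is exactly the set a later "remove temporary files" step would clobber.

```c
/* Added example, not xarchiver code: walk an extraction directory with and
 * without the symlinked-directory guard from the patch and count how many
 * files outside the archive the walk reaches. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for g_file_test(path, G_FILE_TEST_IS_DIR): stat() follows
 * symlinks, so a symlink to a directory is reported as a directory. */
static int is_dir(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Stand-in for g_file_test(path, G_FILE_TEST_IS_SYMLINK): lstat() looks at
 * the link itself rather than its target. */
static int is_symlink(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}

/* True if the canonical location of `path` is not under `root`. */
static int resolves_outside(const char *path, const char *root) {
    char real[PATH_MAX], rootreal[PATH_MAX];
    if (!realpath(path, real) || !realpath(root, rootreal)) return 1;
    size_t n = strlen(rootreal);
    return !(strncmp(real, rootreal, n) == 0 && (real[n] == '/' || real[n] == '\0'));
}

/* Walk `dir` the way xa_collect_files_in_dir() does: entries that test as a
 * directory are descended into, everything else is a leaf. Returns the number
 * of regular-file leaves whose real location is outside `root`.
 * follow_symlinks = 1 models the pre-patch check, 0 the patched one. */
static int walk(const char *dir, const char *root, int follow_symlinks) {
    int escaped = 0;
    DIR *d = opendir(dir);
    if (!d) return 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        /* Patched guard, with the link test first so stat() never follows it. */
        int descend = follow_symlinks ? is_dir(path)
                                      : (!is_symlink(path) && is_dir(path));
        if (descend) {
            escaped += walk(path, root, follow_symlinks);
        } else {
            struct stat st;
            if (lstat(path, &st) == 0 && S_ISREG(st.st_mode) && resolves_outside(path, root))
                escaped++;
        }
    }
    closedir(d);
    return escaped;
}

static void write_file(const char *path) {
    FILE *f = fopen(path, "w");
    if (f) { fputs("data\n", f); fclose(f); }
}

/* Build a constructed fixture in a fresh temp dir, run the walk on the
 * "archive" part, remove the fixture and return the escape count:
 *   <tmp>/outside/secret.txt      file that must not be touched
 *   <tmp>/archive/readme.txt      genuine extracted member
 *   <tmp>/archive/link -> ../outside   symlink stored in the archive */
int demo_escapes(int follow_symlinks) {
    char tmpl[] = "/tmp/xa-demo-XXXXXX";
    char *tmp = mkdtemp(tmpl);
    if (!tmp) return -1;
    char outside[PATH_MAX], secret[PATH_MAX], archive[PATH_MAX], readme[PATH_MAX], link[PATH_MAX];
    snprintf(outside, sizeof outside, "%s/outside", tmp);
    snprintf(secret, sizeof secret, "%s/outside/secret.txt", tmp);
    snprintf(archive, sizeof archive, "%s/archive", tmp);
    snprintf(readme, sizeof readme, "%s/archive/readme.txt", tmp);
    snprintf(link, sizeof link, "%s/archive/link", tmp);
    mkdir(outside, 0700);
    write_file(secret);
    mkdir(archive, 0700);
    write_file(readme);
    symlink("../outside", link);

    int escaped = walk(archive, archive, follow_symlinks);

    unlink(link); unlink(readme); rmdir(archive);
    unlink(secret); rmdir(outside); rmdir(tmp);
    return escaped;
}

int main(void) {
    printf("pre-patch walk: %d file(s) reached outside the archive\n", demo_escapes(1));
    printf("patched walk:   %d file(s) reached outside the archive\n", demo_escapes(0));
    return 0;
}
```

Compile with `cc -o xa-demo xa-demo.c` and run it: the pre-patch walk reaches secret.txt through archive/link, the patched walk treats archive/link as a leaf and reaches nothing outside the archive. The guard tests the link before the directory so the checking code itself never resolves the symlink; the two tests are still separate system calls, which is the same residual race the GLib version has.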