tag #144571 patch
thanks

I've included the attached patch which basically implements the
solution proposed by Colin Watson as
[EMAIL PROTECTED]/dpkg--devel--1.13--patch-22
in my arch branch.

Greetings,
-- 
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
* looking for [EMAIL PROTECTED]/dpkg--devel--1.13--patch-21 to compare with
* comparing to [EMAIL PROTECTED]/dpkg--devel--1.13--patch-21
M  scripts/dpkg-source.pl
M  debian/changelog
M  ChangeLog

* modified files

--- orig/ChangeLog
+++ mod/ChangeLog
@@ -27,6 +27,12 @@
        * scripts/dpkg-source.pl: Also check architecture strings and
        error out if we find illegal ones.
 
+       * scripts/dpkg-source.pl: Try to chown files extracted from
+       a tar file to the uid and gid of the user. This should make
+       dpkg-source -x safer to use as root. Also create the temporary
+       directory mode 0700 to not allow anyone exploiting races
+       between the extraction and the chown.
+
 2005-08-27  Frank Lichtenheld  <[EMAIL PROTECTED]>
 
        * scripts/dpkg-gencontrol.pl: Bail out with an error if parsedep
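Review bot: the added entry says files are chowned "to the uid and gid of the user" without saying which user, which is ambiguous when the stated use case is running as root. Say that it is the invoking user's ids (the @fowner value passed to chown in dpkg-source.pl), and note that the chown is best effort, so readers of the ChangeLog know a failed chown does not abort the extraction.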


--- orig/debian/changelog
+++ mod/debian/changelog
@@ -14,6 +14,11 @@
       Based on a patch by Matt Zimmerman. Closes: #48711
     - Make dpkg-source able to deal with the output of md5sum -b.
       Patch by Ingo Saitz. Closes: #316123
+    - dpkg-source -x now tries to chown all files extracted from
+      tar files. The temporary directory is now created with mode
+      0700, too. Together this should make it safer to run
+      dpkg-source -x as root. Based on suggestions by Marcus
+      Brinkmann and Colin Watson. Closes: #144571, #238460
 
  --
 


--- orig/scripts/dpkg-source.pl
+++ mod/scripts/dpkg-source.pl
@@ -670,10 +670,11 @@
        my $tmp = "$target.tmp-nest";
        (my $t = $target) =~ s!.*/!!;
 
-       mkdir($tmp,0755) || &syserr("unable to create `$tmp'");
+       mkdir($tmp,0700) || &syserr("unable to create `$tmp'");
        system "chmod", "g-s", $tmp;
        print("$progname: unpacking $tarfile\n");
        extracttar("$dscdir/$tarfile",$tmp,$t);
+       system "chown", '-R', '-f', join(':',@fowner), "$tmp/$t";
        rename("$tmp/$t",$target)
            || &syserr("unable to rename `$tmp/$t' to `$target'");
        rmdir($tmp)
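Review bot: the exit status of the added `system "chown", '-R', '-f', ...` call is discarded, and -f also silences chown's own diagnostics, so a failed chown leaves "$tmp/$t" with whatever ownership the tarball specified and it is then renamed into $target with no indication to the user. The mkdir above and the rename below both report failure through &syserr; consider at least printing a warning when system returns non-zero, so the safety claim in the changelog does not fail silently. @fowner is defined outside this hunk, so please confirm it is populated on every path that reaches this line, since join(':',@fowner) on an empty list would hand chown an empty owner spec.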


