tag #144571 patch
thanks
I've included the attached patch which basically implements the
solution proposed by Colin Watson as
[EMAIL PROTECTED]/dpkg--devel--1.13--patch-22
in my arch branch.
Regards,
--
Frank Lichtenheld <[EMAIL PROTECTED]>
www: http://www.djpig.de/
* looking for [EMAIL PROTECTED]/dpkg--devel--1.13--patch-21 to compare with
* comparing to [EMAIL PROTECTED]/dpkg--devel--1.13--patch-21
M scripts/dpkg-source.pl
M debian/changelog
M ChangeLog
* modified files
--- orig/ChangeLog
+++ mod/ChangeLog
@@ -27,6 +27,12 @@
* scripts/dpkg-source.pl: Also check architecture strings and
error out if we find illegal ones.
+ * scripts/dpkg-source.pl: Try to chown files extracted from
+ a tar file to the uid and gid of the user. This should make
+ dpkg-source -x safer to use as root. Also create the temporary
+ directory mode 0700 to not allow anyone exploiting races
+ between the extraction and the chown.
+
2005-08-27 Frank Lichtenheld <[EMAIL PROTECTED]>
* scripts/dpkg-gencontrol.pl: Bail out with an error if parsedep
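Review bot: In the added entry, "the uid and gid of the user" does not say which user is meant. Since the stated goal is making dpkg-source -x safer as root, name it explicitly (the invoking user, or however @fowner is derived). "Try to chown" should also say what happens when the chown fails, because the script change passes -f and does not check the result.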
--- orig/debian/changelog
+++ mod/debian/changelog
@@ -14,6 +14,11 @@
Based on a patch by Matt Zimmerman. Closes: #48711
- Make dpkg-source able to deal with the output of md5sum -b.
Patch by Ingo Saitz. Closes: #316123
+ - dpkg-source -x now tries to chown all files extracted from
+ tar files. The temporary directory is now created with mode
+ 0700, too. Together this should make it safer to run
+ dpkg-source -x as root. Based on suggestions by Marcus
+ Brinkmann and Colin Watson. Closes: #144571, #238460
--
--- orig/scripts/dpkg-source.pl
+++ mod/scripts/dpkg-source.pl
@@ -670,10 +670,11 @@
my $tmp = "$target.tmp-nest";
(my $t = $target) =~ s!.*/!!;
- mkdir($tmp,0755) || &syserr("unable to create `$tmp'");
+ mkdir($tmp,0700) || &syserr("unable to create `$tmp'");
system "chmod", "g-s", $tmp;
print("$progname: unpacking $tarfile\n");
extracttar("$dscdir/$tarfile",$tmp,$t);
+ system "chown", '-R', '-f', join(':',@fowner), "$tmp/$t";
rename("$tmp/$t",$target)
|| &syserr("unable to rename `$tmp/$t' to `$target'");
rmdir($tmp)
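Review bot: The exit status of the added `system "chown", '-R', '-f', ...` call is never checked, and `-f` also silences chown's own diagnostics, so if the ownership change fails the tree is still renamed to $target with whatever uid/gid the tarball carried and the user gets no indication. Consider checking the status and calling &syserr (or at least warning) before the rename, the way the surrounding mkdir and rename calls do. @fowner is not set anywhere in this hunk, so a short comment on what it holds would let a reader verify the join(':',@fowner) argument.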