The following commit has been merged in the master branch:
commit 1e84a1bd2c7b175cd15934345af61841a7435eda
Author: Raphaël Hertzog <[email protected]>
Date: Fri Mar 5 22:07:30 2010 +0100
Dpkg::Source::Package::V3::quilt: sanity check of series file
A series file should only contain paths pointing inside debian/patches/
and thus "../" is forbidden. Given that the paths to patches appear
in the patch command-line with -B .pc/$path, a carefully crafted
path could lead patch to overwrite an arbitrary file outside of the
destination directory with a file provided in the source package.
diff --git a/debian/changelog b/debian/changelog
index d2f8ca5..d417a62 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -73,6 +73,9 @@ dpkg (1.15.6) UNRELEASED; urgency=low
modify files outside of the target directory and unpacking a source package
should not be able to have any side-effect outside of the target
directory. Fixes CVE-2010-0396.
+ * Also error out when the quilt series contains a path with "/../" as this
+ can cause patch to create files outside of the source package due
+ to the -B .pc/$path option that it gets.
[ Guillem Jover ]
* Handle argument parsing in dpkg-checkbuilddeps and dpkg-scanpackages
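Review bot: the changelog entry describes the rejected form as a path with "/../", but the check added in quilt.pm also rejects a leading "../" (the pattern anchors on `(^|/)`), so the wording understates what is refused; consider "a path containing a `..` component" so the changelog matches the code, and mention that unpacking now fails hard (error) rather than skipping the offending entry, since that is a user-visible behaviour change for packages with such series files.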
diff --git a/scripts/Dpkg/Source/Package/V3/quilt.pm
b/scripts/Dpkg/Source/Package/V3/quilt.pm
index 698b747..58c494b 100644
--- a/scripts/Dpkg/Source/Package/V3/quilt.pm
+++ b/scripts/Dpkg/Source/Package/V3/quilt.pm
@@ -123,6 +123,7 @@ sub read_patch_list {
}
}
next if $opts{"skip_auto"} and $_ eq $auto_patch;
+ error(_g("%s contains an insecure path: %s"), $file, $_) if
m{(^|/)\.\./};
push @patches, $_;
}
close(SERIES);
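Review bot: the pattern `m{(^|/)\.\./}` requires a slash after the `..`, so a bare `..` entry or a path ending in `/..` passes the check; since the commit message says the value lands in `-B .pc/$path`, consider `m{(^|/)\.\.(/|$)}` so a trailing component is rejected as well, and consider also refusing entries that start with `/` since a series file should only name paths relative to debian/patches/. The check is placed after the `skip_auto` short-circuit, which is fine for the generated auto patch but worth a comment so a later reorder does not silently exempt other entries. A regression test with a series containing `../x`, `a/../x`, `a/..` and `..` would pin down which forms are refused.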
--
dpkg's main repository