The following commit has been merged in the master branch:
commit 765609fc11e93449637ddb1e4668b9242d93078b
Author: Niels Thykier <[email protected]>
Date: Wed Aug 10 17:13:48 2011 +0200
Prevent info disclosure via symlinks in c/debian-source-dir
Lintian could be tricked into revealing the presence of one or
more files on the host system via specially crafted source
packages.
diff --git a/checks/debian-source-dir b/checks/debian-source-dir
index 87fe65e..b33fbfc 100644
--- a/checks/debian-source-dir
+++ b/checks/debian-source-dir
@@ -39,7 +39,7 @@ my $info = shift;
my $dsrc = $info->debfiles('source');
-if (-e "$dsrc/format") {
+if ( ! -l "$dsrc/format" && -e "$dsrc/format") {
open(FORMAT, '<', "$dsrc/format") or
fail("cannot read debian/source/format: $!");
my $format = <FORMAT>;
@@ -49,27 +49,31 @@ if (-e "$dsrc/format") {
tag 'missing-debian-source-format';
}
-if (-s "$dsrc/git-patches") {
+if ( ! -l "$dsrc/git-patches" && -s "$dsrc/git-patches") {
open (GITPATCHES, "$dsrc/git-patches")
or fail("cannot open debian/source/git-patches: $!");
if (grep !/^\s*+#|^\s*+$/o, <GITPATCHES>) {
my $dpseries = $info->debfiles('patches/series');
- if (! -r $dpseries ) {
- tag 'git-patches-not-exported';
- } else {
- open (DEBSERIES, $dpseries)
- or fail("cannot open debian/patches/series: $!");
- my $comment_line = <DEBSERIES>;
- my $count = grep !/^\s*+\#|^\s*+$/o, <DEBSERIES>;
- tag 'git-patches-not-exported'
- unless ($count && ($comment_line =~
m/^\s*\#.*quilt-patches-deb-export-hook/o));
- close(DEBSERIES);
+ # gitpkg does not create series as a link, so this is most likely
+ # a traversal attempt.
+ if (! -l $dpseries ) {
+ if (! -r $dpseries ) {
+ tag 'git-patches-not-exported';
+ } else {
+ open (DEBSERIES, $dpseries)
+ or fail("cannot open debian/patches/series: $!");
+ my $comment_line = <DEBSERIES>;
+ my $count = grep !/^\s*+\#|^\s*+$/o, <DEBSERIES>;
+ tag 'git-patches-not-exported'
+ unless ($count && ($comment_line =~
m/^\s*\#.*quilt-patches-deb-export-hook/o));
+ close(DEBSERIES);
+ }
}
}
close(GITPATCHES);
}
-if (-d $dsrc ) {
+if ( ! -l $dsrc && -d $dsrc ) {
opendir(DEBSRC, $dsrc) or fail("cannot opendir debian/source/: $!");
my $file;
while ($file = readdir(DEBSRC)) {
diff --git a/debian/changelog b/debian/changelog
index 4ceb628..2728d09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -75,9 +75,12 @@ lintian (2.5.2) UNRELEASED; urgency=low
+ [NT] Do not consider "debian/debhelper" a temporary debhelper
file. Some packages uses this a directory to store their
debhelper files.
- * checks/debian-source-dir.desc:
+ * checks/debian-source-dir{,.desc}:
+ [NT] Added missing word in the tag description for
git-patches-not-exported.
+ + [NT] Fixed information disclosure issue, where Lintian could
+ be tricked into disclosing the present of files on the host
+ system via specially crafted source packages.
* checks/duplicate-files:
+ [NT] Exclude __init__.py files from the check as they are
required even if they are empty. Thanks to Daniele Tricoli
diff --git a/t/source/control-field-traversal-3/Makefile
b/t/source/debian-source-dir-traversal-1/Makefile
similarity index 74%
copy from t/source/control-field-traversal-3/Makefile
copy to t/source/debian-source-dir-traversal-1/Makefile
index 8bf06c1..284c306 100644
--- a/t/source/control-field-traversal-3/Makefile
+++ b/t/source/debian-source-dir-traversal-1/Makefile
@@ -1,13 +1,19 @@
-name = control-field-traversal-3
+name = debian-source-dir-traversal-1
dir = $(name)-1
all:
mkdir $(dir)
mkdir $(dir)/debian
cp changelog copyright control rules $(dir)/debian/
+ # prevent patch-system-but-no-source-readme
+ echo "Hallo World" > $(dir)/debian/README.source
echo 7 > $(dir)/debian/compat
mkdir $(dir)/debian/source
echo 1.0 > $(dir)/debian/source/format
+ # link to index file for the lab entry
+ ln -s ../../index $(dir)/debian/source/git-patches
+ mkdir $(dir)/debian/patches
+ touch $(dir)/debian/patches/series
tar cfz $(name)_1.tar.gz $(dir)
cp dsc.in $(name)_1.dsc
perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
diff --git a/t/source/debian-source-dir-traversal-1/desc
b/t/source/debian-source-dir-traversal-1/desc
new file mode 100644
index 0000000..7c1598c
--- /dev/null
+++ b/t/source/debian-source-dir-traversal-1/desc
@@ -0,0 +1,4 @@
+Testname: debian-source-dir-traversal-1
+Sequence: 6000
+Version: 1.0
+Description: Test for information discloure via d/source
diff --git a/t/source/debian-source-dir-traversal-1/dsc.in
b/t/source/debian-source-dir-traversal-1/dsc.in
new file mode 100644
index 0000000..8bf7ec8
--- /dev/null
+++ b/t/source/debian-source-dir-traversal-1/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: debian-source-dir-traversal-1
+Binary: debian-source-dir-traversal-1
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <[email protected]>
+Standards-Version: 3.9.2
+Build-Depends: debhelper (>= 7), quilt
+Checksums-Sha1:
+ @SHA1@ @SIZE@ debian-source-dir-traversal-1_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ debian-source-dir-traversal-1_1.tar.gz
+Files:
+ @MD5@ @SIZE@ debian-source-dir-traversal-1_1.tar.gz
diff --git a/t/debs/deb-format-record-size/tags
b/t/source/debian-source-dir-traversal-1/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/source/debian-source-dir-traversal-1/tags
diff --git a/t/source/control-field-traversal-2/Makefile
b/t/source/debian-source-dir-traversal-2/Makefile
similarity index 79%
copy from t/source/control-field-traversal-2/Makefile
copy to t/source/debian-source-dir-traversal-2/Makefile
index 3eff987..10d87d2 100644
--- a/t/source/control-field-traversal-2/Makefile
+++ b/t/source/debian-source-dir-traversal-2/Makefile
@@ -1,13 +1,13 @@
-name = control-field-traversal-2
+name = debian-source-dir-traversal-2
dir = $(name)-1
all:
mkdir $(dir)
mkdir $(dir)/debian
cp changelog copyright control rules $(dir)/debian/
- echo 7 > $(dir)/debian/compat
- mkdir $(dir)/debian/source
- echo 1.0 > $(dir)/debian/source/format
+ # Link to the lab entry - should trigger a myriad of
+ # "unknown-file-in-debian-source" tags, if lintian is vulnerable
+ ln -s ../ $(dir)/debian/source
tar cfz $(name)_1.tar.gz $(dir)
cp dsc.in $(name)_1.dsc
perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
diff --git a/t/source/debian-source-dir-traversal-2/desc
b/t/source/debian-source-dir-traversal-2/desc
new file mode 100644
index 0000000..5832730
--- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/desc
@@ -0,0 +1,4 @@
+Testname: debian-source-dir-traversal-2
+Sequence: 6000
+Version: 1.0
+Description: Test for information discloure via d/source
diff --git a/t/source/debian-source-dir-traversal-2/dsc.in
b/t/source/debian-source-dir-traversal-2/dsc.in
new file mode 100644
index 0000000..5827f4b
--- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/dsc.in
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: debian-source-dir-traversal-2
+Binary: debian-source-dir-traversal-2
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <[email protected]>
+Standards-Version: 3.9.2
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Files:
+ @MD5@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
diff --git a/t/source/debian-source-dir-traversal-2/tags
b/t/source/debian-source-dir-traversal-2/tags
new file mode 100644
index 0000000..97fd61a
--- /dev/null
+++ b/t/source/debian-source-dir-traversal-2/tags
@@ -0,0 +1,2 @@
+I: debian-source-dir-traversal-2 source: missing-debian-source-format
+W: debian-source-dir-traversal-2 source:
package-uses-deprecated-debhelper-compat-version 1
--
Debian package checker
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
