The following commit has been merged in the squeeze branch:
commit 9bcbd856565b71a926187e1357661ffe0a552967
Author: Niels Thykier <[email protected]>
Date:   Wed Aug 17 15:30:33 2011 +0200

    Skip conffiles check if conffiles is a symlink
    
    No normal package uses a symlink in the control.tar.gz and in
    this case, the "extra" info for the tags can more or less get
    you a dump of an arbitrary file on the host file system.
    
    Conflicts:
    
        checks/conffiles
        debian/changelog

diff --git a/checks/conffiles b/checks/conffiles
index 7e43522..495a66b 100644
--- a/checks/conffiles
+++ b/checks/conffiles
@@ -31,7 +31,7 @@ my $type = shift;
 my $cf = "control/conffiles";
 
 # conffiles?
-unless (-f $cf) {
+unless (-f $cf && ! -l $cf) {
     return 0;
 }
 
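Review bot: The new guard `unless (-f $cf && ! -l $cf)` returns 0 silently, so a package that ships control/conffiles as a symlink gets no diagnostic from this check, even though the commit message says no normal package does that. Consider emitting a tag before the `return 0` (a name would have to be chosen; none is visible here), unless another check already reports it. The reason for the extra test also deserves a comment, because `-f` follows symlinks and `# conffiles?` alone does not explain it: `# -f follows symlinks; never read a conffiles that points outside the unpacked control dir`. The same silent skip applies to the guard added in checks/etcfiles.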
diff --git a/checks/etcfiles b/checks/etcfiles
index bc61715..6b28da4 100644
--- a/checks/etcfiles
+++ b/checks/etcfiles
@@ -33,6 +33,8 @@ my %conffiles;
 
 my $conffiles = "control/conffiles";
 
+return if -l $conffiles;
+
 # load conffiles
 if (open(IN, '<', $conffiles)) {
     while (<IN>) {
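Review bot: `return if -l $conffiles;` rejects only symlinks, whereas checks/conffiles requires a regular file with `-f $cf && ! -l $cf`, so the two checks disagree on what they are willing to open. A conffiles entry that exists but is some other non-regular type would still reach the `open` below; `return if -l $conffiles || (-e $conffiles && ! -f $conffiles);` keeps the missing-file case working while matching the other check. The guard also uses a bare `return` where checks/conffiles uses `return 0`, and it has no comment saying why the whole check is skipped. The `if (open ...)` block continues outside the hunk.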
diff --git a/debian/changelog b/debian/changelog
index 6ddc675..14136ea 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
 lintian (2.4.3+squeeze1) stable; urgency=low
 
+  * checks/{conffiles,etcfiles}:
+    + [NT] Skip all checks in conffiles is a symlink.
   * checks/debian-source-dir:
     + [NT] Fixed information disclosure issue, where Lintian could
       be tricked into disclosing the presence of files on the host
diff --git a/t/debs/fields-wildcard-binary/Makefile 
b/t/debs/control-files-traversal/Makefile
similarity index 51%
copy from t/debs/fields-wildcard-binary/Makefile
copy to t/debs/control-files-traversal/Makefile
index d232ffd..e265ab1 100644
--- a/t/debs/fields-wildcard-binary/Makefile
+++ b/t/debs/control-files-traversal/Makefile
@@ -1,18 +1,20 @@
-name = fields-wildcard-binary
+name = control-files-traversal
 
 all:
        echo '2.0' > debian-binary
-       mkdir -p usr/share/doc/$(name)
-       cp copyright changelog usr/share/doc/$(name)
-       gzip -9 usr/share/doc/$(name)/changelog
+       install -m 0755 -d usr/share/doc/$(name)
+       install -m 0644 changelog copyright usr/share/doc/$(name)
+       gzip --best usr/share/doc/$(name)/changelog
+       md5sum usr/share/doc/$(name)/* > md5sums
+       # Create the traversal symlink - points to md5sums in the lab
+       ln -s ../md5sums conffiles
        tar cfz data.tar.gz usr
        chown 0:0 control
        chmod 644 control
-       md5sum usr/share/doc/$(name)/* > md5sums
        tar cfz control.tar.gz control md5sums
        ar rc $(name).deb \
            debian-binary control.tar.gz data.tar.gz
 
 clean:
        rm -f *.tar.gz *.deb md5sums debian-binary
-       rm -rf usr
+       rm -rf root/
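Review bot: The `conffiles` symlink created by `ln -s ../md5sums conffiles` is not listed in `tar cfz control.tar.gz control md5sums`, so as shown the built .deb would not contain the symlink and the test would not exercise the new guards. The archive line probably should be `tar cfz control.tar.gz control md5sums conffiles`. The `clean` target now removes `root/`, which nothing in this Makefile creates, and no longer removes `usr` or the new `conffiles` link, so a rebuild after `make clean` would fail at `ln -s` on the existing link. Suggested clean lines: `rm -f *.tar.gz *.deb md5sums debian-binary conffiles` and `rm -rf usr`.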
diff --git a/t/debs/control-field-traversal-4/changelog 
b/t/debs/control-files-traversal/changelog
similarity index 100%
copy from t/debs/control-field-traversal-4/changelog
copy to t/debs/control-files-traversal/changelog
diff --git a/t/debs/deb-format-record-size/control 
b/t/debs/control-files-traversal/control
similarity index 78%
copy from t/debs/deb-format-record-size/control
copy to t/debs/control-files-traversal/control
index 7163fe9..fb1946d 100644
--- a/t/debs/deb-format-record-size/control
+++ b/t/debs/control-files-traversal/control
@@ -1,10 +1,10 @@
-Package: deb-format-record-size
+Package: control-files-traversal
 Version: 1.0
 Architecture: all
 Maintainer: Debian Lintian Maintainers <[email protected]>
 Section: devel
 Priority: extra
-Description: Test package with a non-standard tar record size
+Description: Test for directory traversal issues via control files
  This is a test package designed to exercise some feature or tag of
  Lintian.  It is part of the Lintian test suite and may do very odd
  things.  It should not be installed like a regular package.  It may
diff --git a/t/debs/control-field-traversal-4/copyright 
b/t/debs/control-files-traversal/copyright
similarity index 100%
copy from t/debs/control-field-traversal-4/copyright
copy to t/debs/control-files-traversal/copyright
diff --git a/t/debs/deb-format-record-size/tags 
b/t/debs/control-files-traversal/tags
similarity index 100%
copy from t/debs/deb-format-record-size/tags
copy to t/debs/control-files-traversal/tags

-- 
Debian package checker

