Package: lintian
Version: 2.5.12
Severity: normal

Hi!
The new (re #705553) “source-contains-unsafe-symlink” tag currently
produces false positives for symlinks starting in ../../ (or otherwise
ascending two or more levels of the directory hierarchy) because the
respective check in the find_cruft function is based on the dirname $_
(the basename of the current file, whose dirname is always ".") instead
of $name (its path relative to the root directory of the source
package). See
<http://snapshot.debian.org/archive/debian/20130505T093307Z/pool/main/i/ikiwiki/ikiwiki_3.20130504.dsc>
for an example of a package with a couple of false positives. The
attached patch seems to do the trick, but I haven’t verified its effects
extensively.
Cheers,
Michael
From 33cee708ddb68990d9ef0258a86be2ae8d43844a Mon Sep 17 00:00:00 2001 From: Michael Schutte <[email protected]> Date: Fri, 10 May 2013 23:30:10 +0200 Subject: [PATCH] c/cruft: Don't consider all ../../** symlinks unsafe $_ in find_cruft is set to the basename of the examined file. The effect of the link destination on basename($_) is currently used in order to check whether a symlink escapes the root directory of the source package; this results in false positives for all symlinks moving up more than one level, as basename($_) is always ".". Base this check on the full relative path to the file ($name) instead. diff --git a/checks/cruft b/checks/cruft index b003ecb..ec079f9 100644 --- a/checks/cruft +++ b/checks/cruft @@ -359,7 +359,7 @@ sub find_cruft { } if (-l) { my $target = readlink($_); - my $dirname = dirname($_); + my $dirname = dirname($name); my $normalized; # If it is an absolute link, it escapes the root by default if ($target !~ m{\A / }xsm) { -- 1.7.10.4
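Review bot: the one-line change from `my $dirname = dirname($_);` to `my $dirname = dirname($name);` only fixes the false positives if the normalization that follows joins `$target` onto `$dirname` before deciding whether the result leaves the package root; the hunk context does not show that code or where `$name` is defined, so please confirm `$name` is in scope at this point in find_cruft and is the path relative to the source root (for a top-level file `dirname($name)` is still ".", so behaviour there is unchanged). A regression test with a symlink two directories deep pointing at `../../something`, like the ikiwiki case from the report, would demonstrate the fix; the absolute-target branch (`if ($target !~ m{\A / }xsm)`) is unaffected.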
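A simplified model of the check the report is about, added here as an illustration and not lintian's own Perl code: a symlink target is resolved against the directory containing the link (relative to the package root), and the link is "unsafe" only if the normalized result climbs above that root. The `base_dir` parameter is an assumption of this example; passing "." for it reproduces the effect of using `dirname($_)` instead of `dirname($name)`. The sample symlinks are constructed, not taken from the ikiwiki package.

```python
import posixpath


def normalize_pkg_path(path):
    """Collapse '.' and '..' components without touching the filesystem.
    Leading '..' components that cannot be cancelled are kept, because
    they are exactly what tells us the path has escaped the root."""
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts and parts[-1] != "..":
                parts.pop()          # step back inside the package tree
            else:
                parts.append("..")   # already at the root: this climbs out
        else:
            parts.append(comp)
    return "/".join(parts) or "."


def symlink_escapes_root(link_path, target, base_dir=None):
    """Return True if a symlink at link_path (relative to the source root)
    pointing at target would resolve outside that root.

    base_dir (assumed parameter): directory the target is resolved from.
    Defaults to dirname(link_path), the behaviour of the fixed check;
    passing "." mimics the buggy dirname($_), which is always ".".
    """
    # Absolute targets escape the package root by default.
    if target.startswith("/"):
        return True
    if base_dir is None:
        base_dir = posixpath.dirname(link_path) or "."
    normalized = normalize_pkg_path(posixpath.join(base_dir, target))
    return normalized == ".." or normalized.startswith("../")


if __name__ == "__main__":
    # Constructed examples: a link two levels deep pointing two levels up
    # stays inside the package, but resolving from "." wrongly flags it.
    for link, target in [("doc/plugins/link", "../../css/style.css"),
                         ("doc/link", "../README"),
                         ("link", "../outside"),
                         ("doc/link", "/etc/passwd")]:
        print(link, "->", target,
              "fixed:", symlink_escapes_root(link, target),
              "buggy:", symlink_escapes_root(link, target, base_dir="."))
```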