The following commit has been merged in the master branch:
commit dde03d107915a7f5cfb36b214a2681196bc700f9
Author: Michael Schutte <[email protected]>
Date:   Fri May 10 23:30:10 2013 +0200

    c/cruft: Don't consider all ../../** symlinks unsafe
    
    $_ in find_cruft is set to the basename of the examined file.  The
    effect of the link destination on basename($_) is currently used in
    order to check whether a symlink escapes the root directory of the
    source package; this results in false positives for all symlinks moving
    up more than one level, as basename($_) is always ".".  Base this check
    on the full relative path to the file ($name) instead.
    
    [nthykier: Fixup the test with an incorrect tags file]
    
    Signed-off-by: Niels Thykier <[email protected]>

diff --git a/checks/cruft b/checks/cruft
index b003ecb..ec079f9 100644
--- a/checks/cruft
+++ b/checks/cruft
@@ -359,7 +359,7 @@ sub find_cruft {
     }
     if (-l) {
         my $target = readlink($_);
-        my $dirname = dirname($_);
+        my $dirname = dirname($name);
         my $normalized;
         # If it is an absolute link, it escapes the root by default
         if ($target !~ m{\A / }xsm) {
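Review bot: The escape check built on the new line `my $dirname = dirname($name);` is only sound if `$name` is the path relative to the unpacked source root, and `$name` is assigned outside this hunk, so that cannot be confirmed here. If `$name` still carries a leading directory prefix, each extra component lets a link climb one more `..` before the check counts it as leaving the root, turning the fixed false positive into a false negative. I would state the invariant at the use site, e.g. `# $name is relative to the package root; $_ is only the basename, so dirname($_) is always "."`, and verify it against the assignment earlier in find_cruft. The function body starts and ends outside the hunk.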
diff --git a/debian/changelog b/debian/changelog
index 6bfa148..50561a5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,10 @@ lintian (2.5.13) UNRELEASED; urgency=low
       (Closes: #706166)
     + [NT] Flag all absolute symlinks in source packages as
       "unsafe".  (Closes: #697164)
+    + [NT] Fix false-positive source-contains-unsafe-symlink
+      for symlinks ascending one or more levels without escaping
+      the package root.  Thanks to Michael Schutte for the
+      report and the patch.  (Closes: #707742)
   * checks/debhelper{,.desc}:
     + [NT] Retire some tags that is no longer relevant in the
       Jessie development cycle.
diff --git a/t/source/debian-source-dir-traversal-1/Makefile 
b/t/source/debian-source-dir-traversal-1/Makefile
index 271bf09..dfcf94b 100644
--- a/t/source/debian-source-dir-traversal-1/Makefile
+++ b/t/source/debian-source-dir-traversal-1/Makefile
@@ -11,6 +11,9 @@ all:
        mkdir $(dir)/debian/source
        echo 1.0 > $(dir)/debian/source/format
        # link to index file for the lab entry
+       # - NB: This should not trigger source-contains-unsafe-symlink
+       #   because the link it self is not unsafe (i.e. it is safe
+       #   relative to unpacked, but unsafe relative to debfiles)
        ln -s ../../index $(dir)/debian/source/git-patches
        mkdir $(dir)/debian/patches
        touch $(dir)/debian/patches/series
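Review bot: This commit narrows a safety check, but nothing on this page pins the case that must still be flagged: with the expected tag removed from `tags`, this test only asserts that `../../index` is accepted. A link from `debian/source/` that climbs three or more levels should still produce source-contains-unsafe-symlink. I would add such a fixture here or in a sibling test, e.g. `ln -s ../../../index $(dir)/debian/source/escapes-root` with the matching `E:` line in `tags`; tests outside this diff may already cover it. The added comment would also read better as `the link itself is not unsafe`.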
diff --git a/t/source/debian-source-dir-traversal-1/tags 
b/t/source/debian-source-dir-traversal-1/tags
index 455947e..e69de29 100644
--- a/t/source/debian-source-dir-traversal-1/tags
+++ b/t/source/debian-source-dir-traversal-1/tags
@@ -1 +0,0 @@
-E: debian-source-dir-traversal-1 source: source-contains-unsafe-symlink 
git-patches

-- 
Debian package checker

