Hello, sorry for making this extra complicated :-(
Ok, please see the attached patch, which is the same as the previous one, but cleaned up - I made a diff without committing all my changes, so git had a hard time recognising rename vs. delete&create new. Sorry for the noise.

Simon

On 2016-07-29 at 14:20, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
> On Mon, Jul 4, 2016 at 18:22:46 +0200, Simon Kainz wrote:
>
>> Package: release.debian.org
>> Severity: normal
>> Tags: jessie
>> User: release.debian....@packages.debian.org
>> Usertags: pu
>>
>> Paul Wise found out that duck runs untrusted code from the current directory as
>> well as the ./lib and ./lib/checks directory. The attached patch fixes this
>> issue.
>>
> Hi,
>
> any chance of a diff from git diff -M or similar so the actual changes
> are easier to spot?
>
> Thanks,
> Julien
>
diff --git a/lib/DUCK.pm b/DUCK.pm similarity index 99% rename from lib/DUCK.pm rename to DUCK.pm index 6012c9a..18846a8 100644 --- a/lib/DUCK.pm +++ b/DUCK.pm @@ -24,7 +24,6 @@ use strict; use warnings; -use lib '.'; package DUCK; diff --git a/debian/changelog b/debian/changelog index e88816e..2bd7e86 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +duck (0.7+deb8u1) jessie-security; urgency=high + + * Fix CVE-2016-1239: Load code from untrusted local dir + + * Update Maintainer email to my Debian email address. + + -- Simon Kainz <ska...@debian.org> Mon, 04 Jul 2016 17:50:54 +0200 + duck (0.7) unstable; urgency=medium * Change certainty level (certain -> wild-guess) and diff --git a/debian/control b/debian/control index ba586ef..c40eee6 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: duck Section: devel Priority: optional -Maintainer: Simon Kainz <si...@familiekainz.at> +Maintainer: Simon Kainz <ska...@debian.org> Build-Depends: debhelper (>= 9), libfile-which-perl, libmailtools-perl, diff --git a/debian/duck.install b/debian/duck.install index 4203e68..120e80a 100644 --- a/debian/duck.install +++ b/debian/duck.install @@ -1,2 +1,3 @@ duck usr/bin -lib usr/share/duck \ No newline at end of file +lib usr/share/duck +DUCK.pm /usr/share/duck diff --git a/debian/rules b/debian/rules index 1a59412..cc5fe0b 100755 --- a/debian/rules +++ b/debian/rules @@ -7,4 +7,4 @@ LIBDIR = lib dh $@ override_dh_auto_test: - $(PERL) -Mlib=$(LIBDIR) -wc duck \ No newline at end of file + $(PERL) -wc duck \ No newline at end of file diff --git a/duck b/duck index 4823fa2..0c20372 100755 --- a/duck +++ b/duck @@ -24,15 +24,15 @@ use strict; +use lib '/usr/share/duck'; use lib '/usr/share/duck/lib'; -use lib './lib'; use DUCK; use Getopt::Std; use Getopt::Long qw(:config pass_through ); use Data::Dumper; use File::Basename; -require lib; +#require lib; sub HELP_MESSAGE(); sub display_result($;$;$); 
@@ -40,10 +40,10 @@ sub missingHelpers(); my $checksdir='/usr/share/duck/lib/checks'; - if ( -d "./lib/checks" ) -{ - $checksdir='./lib/checks'; -} +# if ( -d "./lib/checks" ) +#{ +# $checksdir='./lib/checks'; +#} my $try_https=0; diff --git a/duck.1 b/duck.1 index 1e2f615..6aa5fcd 100644 --- a/duck.1 +++ b/duck.1 @@ -62,7 +62,8 @@ quiet mode. Suppress all output. dry run. Don't run any checks, just show entries to be checked. .TP \fB\--modules-dir=\fRDIRECTORY -specify modules directory. Mostly useful for developing new checks. +specify modules directory. Mostly useful for developing new checks. If this parameter is specified, only modules defined in this +directory are used. You have to copy all \fI*.pm\fR files from \fI/usr/share/duck/lib/checks\fR to the directory specified. .TP \fB\--no-color\fR do not colorize output. See also the \fIDUCK_NOCOLOR\fR environment variable.
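Review bot: the override_dh_auto_test hunk in debian/rules drops `-Mlib=$(LIBDIR)`, but `$(PERL) -wc duck` still has to resolve `use DUCK;` at build time, when /usr/share/duck does not exist yet; it only passes because jessie's perl still has `.` in @INC, which is the same implicit current-directory lookup this patch removes everywhere else. Make the build-tree path explicit, e.g. `$(PERL) -I. -wc duck`, and drop the now-unused `LIBDIR = lib` variable (it points at lib/, where DUCK.pm no longer lives).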
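Review bot: the rename of lib/DUCK.pm to a top-level DUCK.pm, together with the new `use lib '/usr/share/duck';` in duck and the extra duck.install line, is not needed for the fix itself: removing `use lib '.';` from DUCK.pm and `use lib './lib';` from duck is what closes CVE-2016-1239, and the existing `use lib '/usr/share/duck/lib';` already found the module at its old installed location. For a stable update, either leave the module where it was to keep the diff minimal, or say in the changelog why it moves.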
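Review bot: in the duck hunks, `require lib;` and the `if ( -d "./lib/checks" )` block are commented out instead of deleted; remove the dead code outright, since a commented copy of the untrusted ./lib/checks lookup only invites someone to re-enable it. The resulting behaviour (checks come only from /usr/share/duck/lib/checks or the directory given with --modules-dir) also deserves a sentence in the changelog entry, which currently only names the CVE.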
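Review bot: `+DUCK.pm /usr/share/duck` in debian/duck.install uses a leading slash while the existing lines (`duck usr/bin`, `lib usr/share/duck`) do not; dh_install accepts both forms, but keep the file consistent and write `DUCK.pm usr/share/duck`.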
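Review bot: the changelog hunk targets `jessie-security`, but this is a pu request through release.debian.org; a proposed-updates upload should use `jessie` as the distribution. The Maintainer address change in debian/control and the changelog is unrelated to the CVE fix and is better left out of a stable update, or at least called out in the request so the release team can accept it knowingly.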