Hello,

sorry for making this extra complicated :-(

Ok, please see the attached patch, which is the same as the previous
one, but cleaned up - I made a diff without committing all my changes, so
git had a hard time recognising rename vs. delete & create new.

Sorry for the noise.

Simon



On 2016-07-29 at 14:20, Julien Cristau wrote:
> Control: tag -1 moreinfo
> 
> On Mon, Jul  4, 2016 at 18:22:46 +0200, Simon Kainz wrote:
> 
>> Package: release.debian.org
>> Severity: normal
>> Tags: jessie
>> User: release.debian....@packages.debian.org
>> Usertags: pu
>>
>> Paul Wise found out that duck runs untrusted code from the current directory
>> as well as the ./lib and ./lib/checks directory. The attached patch fixes this
>> issue.
>>
> Hi,
> 
> any chance of a diff from git diff -M or similar so the actual changes
> are easier to spot?
> 
> Thanks,
> Julien
> 
diff --git a/lib/DUCK.pm b/DUCK.pm
similarity index 99%
rename from lib/DUCK.pm
rename to DUCK.pm
index 6012c9a..18846a8 100644
--- a/lib/DUCK.pm
+++ b/DUCK.pm
@@ -24,7 +24,6 @@
 
 use strict;
 use warnings;
-use lib '.';
 
 
 package DUCK;
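Review bot: dropping `use lib '.'` is the actual fix in this hunk; the rename of lib/DUCK.pm to the top-level DUCK.pm is not motivated anywhere (the changelog does not mention it) and it moves the module's installed location, which is what forces the extra `use lib '/usr/share/duck'` line and the extra install rule elsewhere in the patch. For a stable update the smaller diff is to leave lib/DUCK.pm where it is and only remove the `use lib '.'` line; if the rename is needed for some other reason, say so in the changelog.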
diff --git a/debian/changelog b/debian/changelog
index e88816e..2bd7e86 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+duck (0.7+deb8u1) jessie-security; urgency=high
+
+  * Fix CVE-2016-1239: Load code from untrusted local dir
+
+  * Update Maintainer email to my Debian email address.
+
+ -- Simon Kainz <ska...@debian.org>  Mon, 04 Jul 2016 17:50:54 +0200
+
 duck (0.7) unstable; urgency=medium
 
   * Change certainty level (certain -> wild-guess) and
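Review bot: the distribution in the new changelog stanza is `jessie-security`, but this bug is filed as a proposed-update (Usertags: pu) through the release team, and uploads on that path use the `jessie` distribution; `jessie-security` is only for uploads that go through the security team. Please fix the distribution, and reference the bug being closed in the CVE line (e.g. "Fix CVE-2016-1239: load code from untrusted local directory (Closes: #...)") so the tracker picks it up.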
diff --git a/debian/control b/debian/control
index ba586ef..c40eee6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
 Source: duck
 Section: devel
 Priority: optional
-Maintainer: Simon Kainz <si...@familiekainz.at>
+Maintainer: Simon Kainz <ska...@debian.org>
 Build-Depends: debhelper (>= 9),
                libfile-which-perl,
                libmailtools-perl,
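Review bot: the Maintainer address change in debian/control is unrelated to CVE-2016-1239, and stable updates are expected to contain only the targeted fix. Drop this hunk (and the matching "Update Maintainer email" changelog line) from the jessie upload and carry it in unstable instead.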
diff --git a/debian/duck.install b/debian/duck.install
index 4203e68..120e80a 100644
--- a/debian/duck.install
+++ b/debian/duck.install
@@ -1,2 +1,3 @@
 duck	usr/bin
-lib	usr/share/duck
\ No newline at end of file
+lib	usr/share/duck
+DUCK.pm /usr/share/duck
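Review bot: the new `DUCK.pm /usr/share/duck` line uses an absolute destination while the two existing lines use the relative `usr/bin` and `usr/share/duck` form; dh_install accepts both, but keep the file consistent and use `DUCK.pm usr/share/duck`. The `lib usr/share/duck` line still installs the whole lib tree, so after the rename /usr/share/duck/lib only carries checks/ while DUCK.pm lands one level up; that matches the `use lib` lines in the script but is worth a comment, since it is easy to "fix" by moving the module back.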
diff --git a/debian/rules b/debian/rules
index 1a59412..cc5fe0b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,4 +7,4 @@ LIBDIR = lib
 	dh $@
 
 override_dh_auto_test:
-	$(PERL) -Mlib=$(LIBDIR) -wc duck
\ No newline at end of file
+	$(PERL) -wc duck
\ No newline at end of file
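Review bot: removing `-Mlib=$(LIBDIR)` means `$(PERL) -wc duck` now has to resolve `use DUCK;` through the install paths /usr/share/duck and /usr/share/duck/lib, which do not exist on a clean build host; the check only still passes because the current directory is in @INC on jessie's perl and DUCK.pm now sits at the top of the source tree, i.e. the same cwd lookup this patch is removing, and it breaks on perl >= 5.26 where `.` was dropped from @INC. Use `$(PERL) -I. -wc duck` (or `-Mlib=.`) so the build-time syntax check is explicit about where the module comes from, and delete the now-unused `LIBDIR = lib` variable shown in the hunk context. The line still lacks a trailing newline in both versions.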
diff --git a/duck b/duck
index 4823fa2..0c20372 100755
--- a/duck
+++ b/duck
@@ -24,15 +24,15 @@
 
 use strict;
 
+use lib '/usr/share/duck';
 use lib '/usr/share/duck/lib';
-use lib './lib';
 
 use DUCK;
 use Getopt::Std;
 use Getopt::Long qw(:config pass_through );
 use Data::Dumper;
 use File::Basename;
-require lib;
+#require lib;
 
 sub HELP_MESSAGE();
 sub display_result($;$;$);
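Review bot: `#require lib;` is commented out rather than deleted; the lib pragma is already loaded by the `use lib` lines above it, so the `require` was dead weight before and a commented-out line is just noise now. Please remove it. The two `use lib` lines are otherwise correct: both are absolute paths, and since `use lib` prepends, the effective search order is /usr/share/duck/lib then /usr/share/duck, which is fine for finding DUCK.pm.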
@@ -40,10 +40,10 @@ sub missingHelpers();
 
 my $checksdir='/usr/share/duck/lib/checks';
 
- if ( -d "./lib/checks" )
-{
-    $checksdir='./lib/checks';
-}
+# if ( -d "./lib/checks" )
+#{
+#    $checksdir='./lib/checks';
+#}
 
 
 my $try_https=0;
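Review bot: this is the fix for the ./lib/checks part of the report, but the block is commented out instead of removed; commented-out code tends to get uncommented again by the next developer who wants the old convenience, which is exactly what we do not want here. Delete the four lines outright. With that gone, `--modules-dir` is the only way to point duck at another checks directory, which is the right model: an explicit command-line choice rather than an implicit probe of whatever directory duck was started in.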
diff --git a/duck.1 b/duck.1
index 1e2f615..6aa5fcd 100644
--- a/duck.1
+++ b/duck.1
@@ -62,7 +62,8 @@ quiet mode. Suppress all output.
 dry run. Don't run any checks, just show entries to be checked.
 .TP
 \fB\--modules-dir=\fRDIRECTORY
-specify modules directory. Mostly useful for developing new checks.
+specify modules directory. Mostly useful for developing new checks. If this parameter is specified, only modules defined in this
+directory are used. You have to copy all \fI*.pm\fR files from \fI/usr/share/duck/lib/checks\fR to the directory specified.
 .TP
 \fB\--no-color\fR
 do not colorize output. See also the \fIDUCK_NOCOLOR\fR environment variable.
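Review bot: the new text documents what `--modules-dir` does, but it does not tell the reader that the ./lib/checks directory is no longer picked up automatically, which is the behaviour change that affects anyone who used to run duck from the source tree; add a sentence saying that only /usr/share/duck/lib/checks is searched unless this option is given, and that developers should pass `--modules-dir=./lib/checks` explicitly. Also keep one sentence per line in the groff source; the second added line currently wraps mid-sentence.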

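As an added illustration, not code from duck or from the patch above: the following Perl script reproduces the pre-patch lookup order of duck (probe ./lib/checks, otherwise the install path) against a constructed temporary directory that ships its own lib/checks/Evil.pm, and contrasts it with a loader that never consults the working directory. The Evil module, the loader function names and the temporary tree are all constructed for this example; it assumes a perl with the core File::Temp and File::Path modules and a host on which /usr/share/duck/lib/checks does not exist (on a host with duck installed the hardened loader would load the real check modules instead).

```perl
#!/usr/bin/perl
# Added illustration, not code from duck. Shows why probing the current
# directory for plugin code (duck's pre-patch "-d ./lib/checks" logic)
# lets whoever controls the cwd choose what runs, and what the hardened
# loader does instead.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

my $SYSTEM_CHECKS = '/usr/share/duck/lib/checks';   # fixed, root-owned path

# Constructed scenario: a source tree we are about to "check" that carries
# its own lib/checks/Evil.pm. Its top-level code runs as soon as it is
# required; the assignment stands in for an arbitrary payload.
my $untrusted = tempdir(CLEANUP => 1);
make_path("$untrusted/lib/checks");
open my $fh, '>', "$untrusted/lib/checks/Evil.pm" or die "write: $!";
print $fh "package Evil;\nour \$RAN = 1;\n1;\n";
close $fh;

# Load every *.pm in $dir, the way a plugin directory is usually consumed.
# The path is built as "$dir/$f" on purpose: a path starting with "./" or
# "/" makes require take it literally instead of searching @INC.
sub load_from {
    my ($dir) = @_;
    return () unless -d $dir;
    opendir my $dh, $dir or die "$dir: $!";
    my @loaded;
    for my $f (sort grep { /\.pm\z/ } readdir $dh) {
        require "$dir/$f";
        push @loaded, "$dir/$f";
    }
    closedir $dh;
    return @loaded;
}

# Pre-patch behaviour: whatever directory duck is started in decides which
# check modules are executed.
sub load_checks_vulnerable {
    my $checksdir = $SYSTEM_CHECKS;
    $checksdir = './lib/checks' if -d './lib/checks';
    return load_from($checksdir);
}

# Post-patch behaviour: the cwd is never probed. Only the install path or a
# directory the user named explicitly (the argument stands in for
# --modules-dir) is consulted.
sub load_checks_hardened {
    my ($modules_dir) = @_;
    return load_from(defined $modules_dir ? $modules_dir : $SYSTEM_CHECKS);
}

chdir $untrusted or die "chdir: $!";

my @safe = load_checks_hardened();
printf "hardened loader, no --modules-dir: %d module(s) from %s\n",
    scalar @safe, $SYSTEM_CHECKS;
print "Evil.pm executed: ", ($Evil::RAN ? "yes" : "no"), "\n";

my @vuln = load_checks_vulnerable();
print "vulnerable loader: loaded @vuln\n";
print "Evil.pm executed: ", ($Evil::RAN ? "yes" : "no"), "\n";
```

Run it from any directory; the script changes into the constructed tree itself. The hardened loader reports that nothing from the cwd was executed, while the vulnerable loader shows that merely starting in that directory was enough to run Evil.pm. The same reasoning applies to the `use lib '.'` and `use lib './lib'` lines the patch removes: with those in @INC, a planted ./DUCK.pm or ./lib/DUCK.pm shadows the installed module on `use DUCK;`, so the whole program, not just the checks, becomes attacker-supplied.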