This is an automated email from the git hooks/post-receive script. jamessan pushed a commit to branch master in repository devscripts.
commit 02c6850d973e3e1246fde72edab27f03d63acc52
Author: James McCoy <[email protected]>
Date: Mon Dec 16 23:10:12 2013 -0500

uscan: Fix code execution vulnerabilities with --repack

Closes: CVE-2013-6888

Signed-off-by: James McCoy <[email protected]>
---
 scripts/uscan.pl | 51 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index c88c5b8..953783c 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1467,16 +1467,20 @@ EOF
 my $newfile_base_gz = "$1.tar.gz";
 my $tempdir = tempdir ( "uscanXXXX", TMPDIR => 1, CLEANUP => 1 );
- my $globpattern = "*";
- my $hidden = ".[!.]*";
 my $absdestdir = abs_path($destdir);
 system('unzip', '-q', '-a', '-d', $tempdir, "$destdir/$newfile_base") == 0
- or uscan_die("Repacking from zip or jar to tar.gz failed (could not unzip)\n");
- if (defined glob("$tempdir/$hidden")) {
- $globpattern .= " $hidden";
+ or uscan_die("Repacking from zip or jar to tar.gz failed (could not unzip)\n");
+ my $cwd = cwd();
+ chdir($tempdir) or uscan_die("Unable to chdir($tempdir): $!\n");
+ eval {
+ spawn(exec => ['tar', '--owner=root', '--group=root', '--mode=a+rX', '-czf', "$absdestdir/$newfile_base_gz", glob('* .[!.]*')],
+ env => { GZIP => '-n -9' },
+ wait_child => 1);
+ };
+ if ($@) {
+ uscan_die("Repacking from zip or jar to tar.gz failed (could not create tarball)\n");
 }
- system("cd $tempdir; GZIP='-n -9' tar --owner=root --group=root --mode=a+rX -czf \"$absdestdir/$newfile_base_gz\" $globpattern") == 0
- or uscan_die("Repacking from zip or jar to tar.gz failed (could not create tarball)\n");
+ chdir($cwd);
 unlink "$destdir/$newfile_base";
 $newfile_base = $newfile_base_gz;
 }
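Review bot: The `glob('* .[!.]*')` expansion is placed directly after `-czf "$absdestdir/$newfile_base_gz"`, so an extracted entry whose name begins with `-` is parsed by tar as an option rather than as a member, which leaves a residual argument-injection path for an untrusted zip even now that no shell is involved. Put an end-of-options marker before the expansion: `'-czf', "$absdestdir/$newfile_base_gz", '--', glob('* .[!.]*')`; the identical spawn in the -1538 hunk needs the same marker. The return value of `chdir($cwd)` is also unchecked, unlike the `chdir($tempdir)` just above it, and the very next line unlinks `"$destdir/$newfile_base"` using the possibly relative `$destdir` (the code computes `abs_path($destdir)` for tar, which suggests it may be relative); `chdir($cwd) or uscan_die("Unable to chdir($cwd): $!\n");` keeps the two checks consistent. The enclosing repack block starts before this hunk.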
@@ -1485,8 +1489,13 @@ EOF
 |tar\.bz2|tbz2?
 |tar.lzma|tlz(?:ma?)?
 |tar.xz|txz)$/x) {
- my $filetype = `file -b -k \"$destdir/$newfile_base\"`;
- unless ($filetype =~ /compressed data/) {
+ my $filetype;
+ eval {
+ spawn(exec => ['file', '-b', '-k', "$destdir/$newfile_base"],
+ to_string => \$filetype,
+ wait_child => 1);
+ };
+ unless (defined $filetype && $filetype =~ /compressed data/) {
 uscan_warn "$progname warning: $destdir/$newfile_base does not appear to be a compressed file;\nthe file command says: $filetype\nNot processing this file any further!\n";
 return 1;
 }
@@ -1504,13 +1513,12 @@ EOF
 };
 if ($data && $data->{'format'} =~ m{^$okformat/?$} && $data->{'files-excluded'} ) {
 my $tempdir = tempdir ( "uscanXXXX", TMPDIR => 1, CLEANUP => 1 );
- my $globpattern = "*";
- my $hidden = ".[!.]*";
- if (defined glob("$tempdir/$hidden")) {
- $globpattern .= " $hidden";
- }
 my $absdestdir = abs_path($destdir);
- unless (system("cd $tempdir; tar -xaf \"$absdestdir/$newfile_base\" 2>/dev/null") == 0) {
+ eval {
+ spawn(exec => ['tar', '-xa', '-C', $tempdir, '-f', "$absdestdir/$newfile_base"],
+ wait_child => 1);
+ };
+ if ($@) {
 print "-- $newfile_base is no tarball. Try unzip.\n" if $verbose;
 # try unzip if tar fails - we do want to do something sensible even if no --repack was specified
 system('command -v unzip >/dev/null 2>&1') >> 8 == 0
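Review bot: When the `file` spawn dies, `$filetype` stays undef and the new `unless (defined $filetype && ...)` correctly takes the warning path, but the `uscan_warn` on the following context line still interpolates `$filetype`, so the user gets an "uninitialized value" warning and an empty "the file command says:" line instead of the reason `file` failed. Capture the eval error for the message, e.g. `my $says = defined $filetype ? $filetype : "(file command failed: $@)";` and interpolate `$says` in the warning. The eval failure is otherwise only detected implicitly through `$filetype`; an explicit `if ($@)` as in the other hunks would make the intent clearer. The enclosing function starts before this hunk.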
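Review bot: Dropping the `2>/dev/null` from the old `tar -xaf` means tar's diagnostics for a non-tarball now reach the user's terminal immediately before the code deliberately falls back to unzip, turning an expected fallback into noise. If this `spawn` is Dpkg::IPC's, adding `error_to_file => '/dev/null'` to the argument list restores the previous behaviour without a shell; otherwise the diagnostics should at least be gated on `$verbose`. Since `$newfile_base` is downloaded upstream content, this extraction relies on tar's own handling of unsafe member names rather than anything the code checks, which deserves a comment at the `spawn`, e.g. `# archive is untrusted upstream content; tar's member-name sanitisation is relied on here`. The enclosing if-block starts before this hunk and continues past it.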
@@ -1538,8 +1546,17 @@ EOF
 } else {
 my $suffix = 'gz' ;
 my $newfile_base_dfsg = "${pkg}_${newversion}${excludesuffix}.orig.tar.$suffix" ;
- system("cd $tempdir; GZIP='-n -9' tar --owner=root --group=root --mode=a+rX -czf \"$absdestdir/$newfile_base_dfsg\" $globpattern") == 0
- or die("Excluding files failed (could not create tarball)\n");
+ my $cwd = cwd();
+ chdir($tempdir) or uscan_die("Unable to chdir($tempdir): $!\n");
+ eval {
+ spawn(exec => ['tar', '--owner=root', '--group=root', '--mode=a+rX', '-czf', "$absdestdir/$newfile_base_dfsg", glob('* .[!.]*')],
+ env => { GZIP => '-n -9' },
+ wait_child => 1);
+ };
+ if ($@) {
+ uscan_die("Excluding files failed (could not create tarball)\n");
+ }
+ chdir($cwd);
 $symlink = 'files-excluded' # prevent symlinking or renaming
 }
 }
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
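Review bot: The sequence `my $cwd = cwd();` / `chdir($tempdir)` / `eval { spawn(... glob('* .[!.]*')) }` / `if ($@)` / `chdir($cwd);` is now a verbatim copy of the one in the -1467 hunk, differing only in the output name and the error text. Factoring it into one helper, something like `repack_dir_to_targz($tempdir, $absdestdir, $output_name, $error_message)`, would keep the two in step; any later change to the tar argument list or to the unchecked `chdir($cwd)` otherwise has to be made twice. The helper is also the natural place to document that the glob is evaluated inside a directory populated from an untrusted archive, which neither copy currently states. The enclosing else-branch begins before this hunk.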
