This is an automated email from the git hooks/post-receive script. jamessan pushed a commit to branch master in repository devscripts.
commit 0fef671831e667a2abfe459d47589d6ea4eee32b Author: James McCoy <[email protected]> Date: Sat Oct 11 00:19:55 2014 -0400 uupdate: Avoid patching through symlinks for 1.0 source format Closes: #737160 Closes: CVE-2014-1833 Signed-off-by: James McCoy <[email protected]> --- debian/changelog | 6 ++++++ scripts/uupdate.sh | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/debian/changelog b/debian/changelog index 74d70f2..2cfbacb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,12 @@ devscripts (2.14.8) UNRELEASED; urgency=medium with a web page containing a <meta refresh=...> redirect to the actual file, causing uscan to save the web page rather than the file. (Closes: #764367) + * uupdate: When updating a 1.0 source format package, remove any symlinks in + the new upstream source before applying the Debian diff, restoring the + symlinks after. This prevents patch from following the symlinks, which + may point to targets outside of the source tree, when applying the diff. + Thanks to Jakub Wilk for the discovery and suggested fix. + (Closes: #737160, CVE-2014-1833) [ Ron Lee ] * cowpoke: Add --sign and --upload command line overrides. diff --git a/scripts/uupdate.sh b/scripts/uupdate.sh index 7bc36da..d24458a 100755 --- a/scripts/uupdate.sh +++ b/scripts/uupdate.sh @@ -779,6 +779,14 @@ else done fi + # Remove all existing symlinks before applying the patch. We'll + # restore them afterwards, but this avoids patch following symlinks, + # which may point outside of the source tree + declare -a LINKS + while IFS= read -d '' -r link; do + LINKS+=("$link") + done < <(find -type l -printf '%l\0%p\0' -delete) + if $DIFFCAT $DIFF | patch -sNp1 ; then echo "Success! The diffs from version $VERSION worked fine." else 
@@ -790,6 +798,16 @@ else STATUS=1 fi + # Reinstate symlinks, warning if the + for (( i=0; $i < ${#LINKS[@]}; i=$(($i+2)) )); do + target="${LINKS[$i]}" + link="${LINKS[$(($i+1))]}" + if ! ln -s -T "$target" "$link"; then + echo "$PROGNAME: warning: Unable to restore the '$link' -> '$target' symlink." >&2 + STATUS=1 + fi + done + for file in "${MOVEDFILES[@]}"; do if [ -e "$file.upstream" ]; then mv $file $file.debdiff -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
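Review bot: in the first hunk, the comment above `declare -a LINKS` should say what happens when the Debian diff itself touches a path that upstream shipped as a symlink: after `find -type l ... -delete` has removed the link, `patch -sNp1` creates a regular file there, and the restore loop later fails on it and sets STATUS=1, so the update is reported as failed even though the patch applied. That behaviour change deserves a sentence in the comment and in the changelog entry. Also, the exit status of `find` inside the `< <(...)` process substitution is never checked, so a `find` error (unreadable subdirectory, for instance) silently leaves part of the tree unstashed; consider collecting the list first and only deleting once the listing succeeded.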
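Review bot: in the second hunk, `ln -s -T "$target" "$link"` passes the link target straight from `find -printf '%l'`, and the tarball author controls that string; a target beginning with `-` (say `-f`) is parsed by GNU ln as an option rather than as the target, so it should be `ln -s -T -- "$target" "$link"`. The link path is safe because `find` prints it with a `./` prefix. The comment `# Reinstate symlinks, warning if the` is cut off mid-sentence and should be completed (e.g. "warning if the link cannot be recreated because the patch created a file at its path"). Minor: `for (( i=0; $i < ${#LINKS[@]}; i=$(($i+2)) ))` mixes `$i` and `$((...))` into arithmetic context where `i < ${#LINKS[@]}; i += 2` is the idiom.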
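The stash-and-restore pattern described in the changelog entry above, as an added example that is not devscripts code: it rebuilds the situation the change defends against in a throwaway directory (a constructed upstream tree whose debian/rules is a symlink pointing outside the tree, plus a constructed Debian diff that creates debian/rules), stashes and deletes the links with the same `find -printf '%l\0%p\0' -delete` idiom the patch uses, applies the diff, and then recreates the links. The function names `stash_symlinks`, `restore_symlinks`, `make_tree` and `run_demo`, the file names and the diff are all assumptions made for this demo; it needs bash, GNU find, GNU coreutils ln and patch.

```bash
#!/bin/bash
# Constructed demo of stashing symlinks around a patch run (not devscripts code).
# It shows the two outcomes of the restore step: an in-tree link comes back,
# while a link whose path the patch turned into a regular file cannot be
# recreated and is reported instead.

# Record every symlink below the current directory as NUL-separated
# "target\0path" pairs on stdout and delete the links. find evaluates the
# actions left to right, so each pair is printed before its link disappears.
stash_symlinks() {
    find . -type l -printf '%l\0%p\0' -delete
}

# Recreate links from saved pairs on stdin. Returns 1 if any link could not be
# recreated, e.g. because the patch created a regular file at its path.
# -T makes ln fail instead of descending into a directory of that name, and
# "--" stops a hostile target such as "-f" from being parsed as an option.
restore_symlinks() {
    local status=0 target link
    while IFS= read -r -d '' target && IFS= read -r -d '' link; do
        if ! ln -s -T -- "$target" "$link" 2>/dev/null; then
            echo "warning: could not restore '$link' -> '$target'" >&2
            status=1
        fi
    done
    return "$status"
}

# Build the constructed tree under $1: outside/victim is a file outside the
# source tree, src/ is the unpacked upstream, debian.diff is the Debian diff.
make_tree() {
    local root=$1
    mkdir -p "$root/outside" "$root/src/debian"
    printf 'ORIGINAL\n' > "$root/outside/victim"
    printf 'GPL-2\n' > "$root/src/LICENSE"
    ln -s LICENSE "$root/src/COPYING"                    # harmless in-tree link
    ln -s ../../outside/victim "$root/src/debian/rules"  # hostile link (constructed)
    # Constructed Debian diff that creates debian/rules from nothing.
    cat > "$root/debian.diff" <<'EOF'
--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,2 @@
+#!/usr/bin/make -f
+%:
EOF
}

# Apply debian.diff to src/ with the links stashed around the patch run.
# Sets DEMO_DIR (tree root) and DEMO_RESTORE_STATUS (0 if every link came
# back, 1 if restore_symlinks had to warn, 2 if patch itself failed).
run_demo() {
    DEMO_DIR=$(mktemp -d)
    make_tree "$DEMO_DIR"
    DEMO_RESTORE_STATUS=0
    (
        cd "$DEMO_DIR/src" || exit 2
        stash_symlinks > ../links.bin
        patch -sNp1 < ../debian.diff || exit 2
        if restore_symlinks < ../links.bin; then exit 0; else exit 1; fi
    ) || DEMO_RESTORE_STATUS=$?
}

# Stand-alone run: the outside file is untouched, COPYING is back as a link,
# and debian/rules is now a regular file, so the restore step returned 1.
run_demo
cat "$DEMO_DIR/outside/victim"
ls -l "$DEMO_DIR/src/COPYING" "$DEMO_DIR/src/debian/rules"
echo "restore status: $DEMO_RESTORE_STATUS"
```

Because the hostile link is gone before patch runs, patch only ever opens paths inside src/, so outside/victim keeps its content regardless of how the installed patch version treats symlinks. The warning from `restore_symlinks` is the same case the loop in the second hunk reports: the patch legitimately created debian/rules, so the link cannot be put back.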
