This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch master in repository devscripts.
commit d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2
Author: James McCoy <[email protected]>
Date:   Sun Aug 2 09:03:43 2015 -0400

    licensecheck: Separate filename from args in file call

    This prevents the situation where $file happens to be a valid switch for
    the file command (e.g. -C) which causes side-effects.  If properly set up,
    it's possible to cause file to traverse a symlink and overwrite a file.

    Closes: #794365, CVE-2015-5705
    Signed-off-by: James McCoy <[email protected]>
---
 debian/changelog        | 8 ++++++++
 scripts/licensecheck.pl | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 87ea8d3..71f2afa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+devscripts (2.15.8) UNRELEASED; urgency=medium
+
+  * licensecheck:
+    + Avoid argument injection which may cause file to overwrite a file
+      through symlink indirection.  (Closes: #794365, CVE-2015-5705)
+
+ -- James McCoy <[email protected]>  Sun, 02 Aug 2015 08:56:00 -0400
+
 devscripts (2.15.7) unstable; urgency=medium
 
   * licensecheck:
diff --git a/scripts/licensecheck.pl b/scripts/licensecheck.pl
index 358dc35..78d9fd7 100755
--- a/scripts/licensecheck.pl
+++ b/scripts/licensecheck.pl
@@ -323,7 +323,7 @@ while (@files) {
 
     # Encode::Guess does not work well, use good old file command to get file encoding
     my $mime;
-    spawn(exec => ['file', '--brief', '--mime', '--dereference', $file],
+    spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],
          to_string => \$mime,
          error_to_file => '/dev/null',
          nocheck => 1,
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git

_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
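Review bot: the `--` inserted before `$file` in the `-spawn`/`+spawn` pair of the scripts/licensecheck.pl hunk is the right fix, but the surrounding context lines (`error_to_file => '/dev/null'`, `nocheck => 1`) silence exactly the signal that would have exposed the bug: a `$file` that file(1) parsed as a switch produces no visible error and an unchecked exit status, and `$mime` simply comes back empty or holding whatever the switch printed. Consider treating an empty or non-`type/subtype` value in `$mime` as a warning rather than carrying on silently, and grep the rest of licensecheck.pl for any other external command that receives `$file` as a trailing argument without a `--` (or a `./` prefix for tools that do not honour `--`), since the same class of filename works against every getopt-style parser, not only file(1).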
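The option-versus-operand confusion the commit describes, as an added example that is not devscripts code and not part of the original mail: it invokes file(1) directly, first in the pre-fix shape and then with the `--` terminator, against a constructed temporary directory holding a file literally named `-v` (file's print-version switch, chosen because it is harmless; the `-C` switch the commit mentions has write side effects, which is the point of the CVE). The `dash_safe_path` helper is an assumed name for the `./`-prefixing alternative used with tools that do not honour `--`.

```shell
# Added example (not devscripts code): why "--" matters when a filename
# is handed to file(1). The temp directory and the file named "-v" are
# constructed here purely for the demonstration.

# Pre-fix shape of the call: the path is merely the last argument, so a
# name beginning with "-" is parsed as an option ("-v" = print version).
mime_unsafe() {
    file --brief --mime --dereference "$1" 2>/dev/null
}

# Post-fix shape: "--" terminates option parsing; everything after it is
# an operand no matter what it starts with. "--dereference" still applies.
mime_safe() {
    file --brief --mime --dereference -- "$1" 2>/dev/null
}

# Defence in depth for tools that do not honour "--": rewrite a relative
# name that starts with "-" so it can never be mistaken for an option.
# (dash_safe_path is an assumed helper name, not a devscripts function.)
dash_safe_path() {
    case "$1" in
        -*) printf '%s\n' "./$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Run both variants against a constructed file literally named "-v".
# Without "--", file prints its version banner instead of a MIME type.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/-v"
    ( cd "$tmp" \
      && printf 'unsafe: %s\n' "$(mime_unsafe -v | head -n 1)" \
      && printf 'safe:   %s\n' "$(mime_safe -v)" \
      && printf 'prefixed path: %s\n' "$(dash_safe_path -v)" )
    rm -rf "$tmp"
}

# Only run the live demonstration when file(1) is installed.
if command -v file >/dev/null 2>&1; then
    demo
fi
```

The same confusion applies to any filename that happens to spell a valid switch; `-v` is just the one whose side effect is confined to stdout. For a tool that does not honour `--`, the `./` prefix is the only portable guard, which is why it is worth keeping both in mind when auditing `exec`-style calls that take untrusted paths.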
