[SCM] Git repository for devscripts branch, squeeze, updated. v2.10.69+squeeze3-5-gab3e4a4
James McCoy
jamessan at debian.org
Sat Sep 15 19:42:42 UTC 2012
The following commit has been merged in the squeeze branch:
commit db49f493baaac2387a4dd76370c1018109e31dfc
Author: Adam D. Barratt <adam at adam-barratt.org.uk>
Date: Fri Sep 14 12:38:14 2012 -0500
dget: fix arbitrary code execution (CVE-2012-2242)
The change to the last call to system() is just for consistency.
Reviewed-by: Raphael Geissert <geissert at debian.org>
Signed-off-by: Raphael Geissert <geissert at debian.org>
Signed-off-by: James McCoy <jamessan at debian.org>
diff --git a/scripts/dget.pl b/scripts/dget.pl
index c2495b2..d69e4ac 100755
--- a/scripts/dget.pl
+++ b/scripts/dget.pl
@@ -105,7 +105,7 @@ sub wget {
# schemes not supported by all backends
if ($url =~ m!^(file|copy)://(/.+)!) {
if ($1 eq "copy" or not link($2, $file)) {
- system "cp -a $2 $file";
+ system ('cp', '-a', $2, $file);
return $? >> 8;
}
return;
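Review bot: The list-form `system` on the added line keeps the shell out of the copy, but `cp` still parses its operands for options, and nothing in this hunk shows that `$file` cannot begin with `-`. `$2` is safe on that count because the pattern forces a leading `/`; for the destination, an end-of-options marker would close the gap: `system('cp', '-a', '--', $2, $file);`. The same applies to the `cp` call in the first `get_file` hunk, where both operands are built from variables. `wget` starts and ends outside the hunk, so any validation of `$file` is not visible here.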
@@ -175,7 +175,7 @@ sub get_file {
print "$progname: using $path/$file (hardlink)\n" unless $opt->{'quiet'};
} else {
print "$progname: using $path/$file (copy)\n" unless $opt->{'quiet'};
- system "cp -a $path/$file $file";
+ system ('cp', '-a', "$path/$file", $file);
}
last;
}
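Review bot: The exit status of the added `cp` call is discarded, so a failed copy still reaches `last` after the "(copy)" message has been printed, whereas `wget` in the previous hunk returns `$? >> 8` for the same command. Checking the status would make the failure visible, for example `system('cp', '-a', "$path/$file", $file) == 0 or warn "$progname: copy of $path/$file failed\n";`. Whether the right reaction is a warning, a fall-through to the download path or an abort depends on the rest of `get_file`, which lies outside the hunk.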
@@ -192,7 +192,7 @@ sub get_file {
}
# try apt-get if it is still not there
- if (not -e $file and $file =~ m!^([a-z0-9.+-]{2,})_[^/]+\.(?:diff\.gz|tar\.gz)$!) {
+ if (not -e $file and $file =~ m!^([a-z0-9][a-z0-9.+-]+)_[^/]+\.(?:diff\.gz|tar\.gz)$!) {
my $cmd = "apt-get source --print-uris $1";
my $apt = new IO::File("$cmd |") or die "$cmd: $!";
while(<$apt>) {
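Review bot: The command is still assembled as a string and run through a two-argument pipe open (`"$cmd |"`), so the tightened pattern is the only thing keeping `$1` away from a shell and from apt-get's option parser. A list-form pipe open takes the shell out of the path and leaves the regex as a second layer: `open(my $apt, '-|', 'apt-get', 'source', '--print-uris', $1) or die "$cmd: $!";`, with `$cmd` kept for the message. A one-line comment above the pattern, such as `# first character must not be '-', or apt-get would read the name as an option` (presumably the reason for the change), would keep a later edit from loosening it. The `while` loop continues outside the hunk.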
@@ -444,7 +444,7 @@ for my $arg (@ARGV) {
if ($dget_verify) { # We are duplicating work here a bit as
# dpkg-source -x will also verify signatures. Still, we
# also want to barf with -d, and on unsigned packages.
- system 'dscverify', $found_dsc;
+ system ('dscverify', $found_dsc);
exit $? >> 8 if $? >> 8 != 0;
}
my @cmd = qw(dpkg-source -x);
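Review bot: The check after `dscverify` looks only at `$? >> 8`, which is 0 when the child was killed by a signal, so an interrupted verification is treated like a successful one and the script goes on to build the `dpkg-source -x` command. Testing the whole status fails closed: `exit(($? >> 8) || 1) if $? != 0;`. `return $? >> 8;` in the `wget` hunk shifts the signal bits away in the same way. The added parentheses themselves change nothing, as the commit message says.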
--
Git repository for devscripts