[devscripts] 01/03: uscan: Fix code execution vulnerabilities with --repack

James McCoy jamessan at debian.org
Mon Dec 23 20:46:20 UTC 2013


This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch wheezy
in repository devscripts.

commit bc5ef295ead601e1fda1511c344b7e7d93486fdc
Author: James McCoy <jamessan at debian.org>
Date:   Mon Dec 16 23:21:51 2013 -0500

    uscan: Fix code execution vulnerabilities with --repack
    
    Closes: CVE-2013-6888
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog |  7 +++++++
 scripts/uscan.pl | 27 ++++++++++++++++++---------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6e27597..ea2f58f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+devscripts (2.12.6+deb7u2) stable-security; urgency=high
+
+  * uscan: Repack the tarball and verify it is a compressed archive without
+    allowing arbitrary code execution.  Fixes CVE-2013-6888.
+
+ -- James McCoy <jamessan at debian.org>  Mon, 16 Dec 2013 23:19:38 -0500
+
 devscripts (2.12.6+deb7u1) stable; urgency=low
 
   * Fix build-rdeps to work with Wheezy being stable (Closes: #695975)
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 8723fb4..c9c756b 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1404,16 +1404,20 @@ EOF
 
 	my $newfile_base_gz = "$1.tar.gz";
 	my $tempdir = tempdir ( "uscanXXXX", TMPDIR => 1, CLEANUP => 1 );
-	my $globpattern = "*";
-	my $hidden = ".[!.]*";
 	my $absdestdir = abs_path($destdir);
 	system('unzip', '-q', '-a', '-d', $tempdir, "$destdir/$newfile_base") == 0
-	  or die("Repacking from zip to tar.gz failed (could not unzip)\n");
-	if (defined glob("$tempdir/$hidden")) {
-	    $globpattern .= " $hidden";
+	    or uscan_die("Repacking from zip or jar to tar.gz failed (could not unzip)\n");
+	my $cwd = cwd();
+	chdir($tempdir) or uscan_die("Unable to chdir($tempdir): $!\n");
+	eval {
+	    spawn(exec => ['tar', '--owner=root', '--group=root', '--mode=a+rX', '-czf', "$absdestdir/$newfile_base_gz", glob('* .[!.]*')],
+		  env => { GZIP => '-n -9' },
+		  wait_child => 1);
+	};
+	if ($@) {
+	    uscan_die("Repacking from zip to tar.gz failed (could not create tarball)\n");
 	}
-	system("cd $tempdir; GZIP='-n -9' tar --owner=root --group=root --mode=a+rX -czf \"$absdestdir/$newfile_base_gz\" $globpattern") == 0
-	  or die("Repacking from zip to tar.gz failed (could not create tarball)\n");
+	chdir($cwd);
 	unlink "$destdir/$newfile_base";
 	$newfile_base = $newfile_base_gz;
     }
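Review bot: `chdir($cwd)` after the eval is unchecked, and the `unlink "$destdir/$newfile_base"` on the next line uses the possibly relative `$destdir` rather than `$absdestdir`, so if returning to the original directory fails the unlink silently resolves against the temporary directory instead; `chdir($cwd) or uscan_die("Unable to chdir($cwd): $!\n");` closes that, and unlinking `"$absdestdir/$newfile_base"` removes the dependence on the working directory altogether. The names produced by `glob('* .[!.]*')` are passed to tar directly after the archive path, so an archive member whose name begins with `-` would be parsed by tar as an option rather than a file; inserting `'--'` before the glob keeps them as plain operands. The `uscan_die` branch inside `if ($@)` never restores the working directory, which is only harmless if uscan_die always exits — worth confirming. The enclosing subroutine starts and ends outside this hunk.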
@@ -1422,8 +1426,13 @@ EOF
 			     |tar\.bz2|tbz2?
 			     |tar.lzma|tlz(?:ma?)?
 			     |tar.xz|txz)$/x) {
-	my $filetype = `file -b -k \"$destdir/$newfile_base\"`;
-	unless ($filetype =~ /compressed data/) {
+	my $filetype;
+	eval {
+	    spawn(exec => ['file', '-b', '-k', "$destdir/$newfile_base"],
+		  to_string => \$filetype,
+		  wait_child => 1);
+	};
+	unless (defined $filetype && $filetype =~ /compressed data/) {
 	    warn "$progname warning: $destdir/$newfile_base does not appear to be a compressed file;\nthe file command says: $filetype\nNot processing this file any further!\n";
 	    return 1;
 	}
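Review bot: The `eval` around the `file` spawn discards the failure — `$@` is never inspected — so when `file` is absent or exits non-zero, `$filetype` stays undef, the `unless` correctly rejects the download, but the warning that follows interpolates the undefined value and reports that the file command said nothing. Recording the error keeps the diagnostic meaningful, e.g. after the eval: `$filetype = "(file command failed: $@)" if $@;`, which still fails the `/compressed data/` match and reaches `return 1`. Note that with `-k` the `file` output can span several type guesses, so the unanchored match accepts "compressed data" appearing anywhere in it; that behaviour predates this change. The enclosing subroutine starts and ends outside this hunk.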
