[devscripts] 02/03: uscan: Follow tar's recommended security practices

James McCoy jamessan at debian.org
Mon Dec 23 20:46:20 UTC 2013 

This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch wheezy
in repository devscripts.

commit c05410d62cd20fc3daba67de3f6a2b54086aaedc
Author: James McCoy <jamessan at debian.org>
Date:   Wed Dec 18 22:09:55 2013 -0500

    uscan: Follow tar's recommended security practices
    
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog | 9 +++++++--
 scripts/uscan.pl | 5 ++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ea2f58f..800b26b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,12 @@
 devscripts (2.12.6+deb7u2) stable-security; urgency=high
 
-  * uscan: Repack the tarball and verify it is a compressed archive without
-    allowing arbitrary code execution.  Fixes CVE-2013-6888.
+  * uscan:
+    + Repack the tarball and verify it is a compressed archive without
+      allowing arbitrary code execution.  Fixes CVE-2013-6888.
+    + Follow tar's recommended security practices
+      - Use --keep-old-files --no-overwrite-dir
+      - Ensure parent directory of directory used for repacking archive isn't
+        accessible to other users.
 
  -- James McCoy <jamessan at debian.org>  Mon, 16 Dec 2013 23:19:38 -0500
 
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index c9c756b..d6c9168 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1403,7 +1403,10 @@ EOF
 	  or die("unzip binary not found. You need to install the package unzip to be able to repack .zip upstream archives.\n");
 
 	my $newfile_base_gz = "$1.tar.gz";
-	my $tempdir = tempdir ( "uscanXXXX", TMPDIR => 1, CLEANUP => 1 );
+	my $tempdir = tempdir ("uscanXXXX", TMPDIR => 1, CLEANUP => 1);
+	# Parent of the target directory should be under our control
+	$tempdir .= '/repack';
+	mkdir $tempdir or uscan_die("Unable to mkdir($tempdir): $!\n");
 	my $absdestdir = abs_path($destdir);
 	system('unzip', '-q', '-a', '-d', $tempdir, "$destdir/$newfile_base") == 0
 	    or uscan_die("Repacking from zip or jar to tar.gz failed (could not unzip)\n");

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git

More information about the devscripts-devel mailing list