[devscripts] 02/03: uscan: Follow tar's recommended security practices
James McCoy
jamessan at debian.org
Mon Dec 23 20:46:20 UTC 2013
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch wheezy
in repository devscripts.
commit c05410d62cd20fc3daba67de3f6a2b54086aaedc
Author: James McCoy <jamessan at debian.org>
Date: Wed Dec 18 22:09:55 2013 -0500
uscan: Follow tar's recommended security practices
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 9 +++++++--
scripts/uscan.pl | 5 ++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index ea2f58f..800b26b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,12 @@
devscripts (2.12.6+deb7u2) stable-security; urgency=high
- * uscan: Repack the tarball and verify it is a compressed archive without
- allowing arbitrary code execution. Fixes CVE-2013-6888.
+ * uscan:
+ + Repack the tarball and verify it is a compressed archive without
+ allowing arbitrary code execution. Fixes CVE-2013-6888.
+ + Follow tar's recommended security practices
+ - Use --keep-old-files --no-overwrite-dir
+ - Ensure parent directory of directory used for repacking archive isn't
+ accessible to other users.
-- James McCoy <jamessan at debian.org> Mon, 16 Dec 2013 23:19:38 -0500
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index c9c756b..d6c9168 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1403,7 +1403,10 @@ EOF
or die("unzip binary not found. You need to install the package unzip to be able to repack .zip upstream archives.\n");
my $newfile_base_gz = "$1.tar.gz";
- my $tempdir = tempdir ( "uscanXXXX", TMPDIR => 1, CLEANUP => 1 );
+ my $tempdir = tempdir ("uscanXXXX", TMPDIR => 1, CLEANUP => 1);
+ # Parent of the target directory should be under our control
+ $tempdir .= '/repack';
+ mkdir $tempdir or uscan_die("Unable to mkdir($tempdir): $!\n");
my $absdestdir = abs_path($destdir);
system('unzip', '-q', '-a', '-d', $tempdir, "$destdir/$newfile_base") == 0
or uscan_die("Repacking from zip or jar to tar.gz failed (could not unzip)\n");
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git
More information about the devscripts-devel
mailing list