[devscripts] 01/01: uupdate: Avoid patching through symlinks for 1.0 source format

James McCoy jamessan at debian.org
Sat Oct 11 04:18:58 UTC 2014 

This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch master
in repository devscripts.

commit 0fef671831e667a2abfe459d47589d6ea4eee32b
Author: James McCoy <jamessan at debian.org>
Date:   Sat Oct 11 00:19:55 2014 -0400

    uupdate: Avoid patching through symlinks for 1.0 source format
    
    Closes: #737160
    Closes: CVE-2014-1833
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog   |  6 ++++++
 scripts/uupdate.sh | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 74d70f2..2cfbacb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,12 @@ devscripts (2.14.8) UNRELEASED; urgency=medium
       with a web page containing a <meta refresh=...> redirect to the actual
       file, causing uscan to save the web page rather than the file.  (Closes:
       #764367)
+  * uupdate: When updating a 1.0 source format package, remove any symlinks in
+    the new upstream source before applying the Debian diff, restoring the
+    symlinks after.  This prevents patch from following the symlinks, which
+    may point to targets outside of the source tree, when applying the diff.
+    Thanks to Jakub Wilk for the discovery and suggested fix.
+    (Closes: #737160, CVE-2014-1833)
 
   [ Ron Lee ]
   * cowpoke: Add --sign and --upload command line overrides.
diff --git a/scripts/uupdate.sh b/scripts/uupdate.sh
index 7bc36da..d24458a 100755
--- a/scripts/uupdate.sh
+++ b/scripts/uupdate.sh
@@ -779,6 +779,14 @@ else
 	    done
 	fi
 
+	# Remove all existing symlinks before applying the patch.  We'll
+	# restore them afterwards, but this avoids patch following symlinks,
+	# which may point outside of the source tree
+	declare -a LINKS
+	while IFS= read -d '' -r link; do
+	    LINKS+=("$link")
+	done < <(find -type l -printf '%l\0%p\0' -delete)
+
 	if $DIFFCAT $DIFF | patch -sNp1 ; then
 	    echo "Success!  The diffs from version $VERSION worked fine."
 	else
@@ -790,6 +798,16 @@ else
 	    STATUS=1
 	fi
 
+	# Reinstate symlinks, warning if the
+	for (( i=0; $i < ${#LINKS[@]}; i=$(($i+2)) )); do
+	    target="${LINKS[$i]}"
+	    link="${LINKS[$(($i+1))]}"
+	    if ! ln -s -T "$target" "$link"; then
+		echo "$PROGNAME: warning: Unable to restore the '$link' -> '$target' symlink." >&2
+		STATUS=1
+	    fi
+	done
+
 	for file in "${MOVEDFILES[@]}"; do
 	    if [ -e "$file.upstream" ]; then
 		mv $file $file.debdiff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git

More information about the devscripts-devel mailing list