[devscripts] 01/02: licensecheck: Separate filename from args in file call
James McCoy
jamessan at debian.org
Sun Aug 2 13:09:20 UTC 2015
This is an automated email from the git hooks/post-receive script.
jamessan pushed a commit to branch master
in repository devscripts.
commit d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2
Author: James McCoy <jamessan at debian.org>
Date: Sun Aug 2 09:03:43 2015 -0400
licensecheck: Separate filename from args in file call
This prevents the situation where $file happens to be a valid switch
for the file command (e.g. -C) which causes side-effects. If properly
set up, it's possible to cause file to traverse a symlink and overwrite a
file.
Closes: #794365, CVE-2015-5705
Signed-off-by: James McCoy <jamessan at debian.org>
---
debian/changelog | 8 ++++++++
scripts/licensecheck.pl | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 87ea8d3..71f2afa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+devscripts (2.15.8) UNRELEASED; urgency=medium
+
+ * licensecheck:
+ + Avoid argument injection which may cause file to overwrite a file
+ through symlink indirection. (Closes: #794365, CVE-2015-5705)
+
+ -- James McCoy <jamessan at debian.org> Sun, 02 Aug 2015 08:56:00 -0400
+
devscripts (2.15.7) unstable; urgency=medium
* licensecheck:
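Review bot: The new changelog entry describes the effect of the fix but not the mechanism; naming the actual change ("pass `--` before the filename in the file(1) call") in the bullet would let anyone reading the changelog, or backporting the fix, see at a glance what was altered without opening the diff.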
diff --git a/scripts/licensecheck.pl b/scripts/licensecheck.pl
index 358dc35..78d9fd7 100755
--- a/scripts/licensecheck.pl
+++ b/scripts/licensecheck.pl
@@ -323,7 +323,7 @@ while (@files) {
# Encode::Guess does not work well, use good old file command to get file encoding
my $mime;
- spawn(exec => ['file', '--brief', '--mime', '--dereference', $file],
+ spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],
to_string => \$mime,
error_to_file => '/dev/null',
nocheck => 1,
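Review bot: The `--` end-of-options separator is the correct fix here, since it makes file(1) treat a `$file` value beginning with `-` (such as `-C`) as an operand rather than a switch. Two follow-ups worth considering in the same change: confirm that every other place in licensecheck.pl where a user-supplied path is handed to an external command gets the same separator, and add a brief comment above the `spawn` call explaining why `--` is there so it is not removed as apparently redundant in a later cleanup.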
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git