[Reproducible-commits] [dpkg] 03/04: Dpkg::Source::Package::V3::quilt: sanity check of series file

Holger Levsen holger at layer-acht.org
Tue May 3 08:43:04 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.14.29
in repository dpkg.

commit 9692d7d5953a9859eb83cb5c67538a7ccbe2661a
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Fri Mar 5 22:07:30 2010 +0100

    Dpkg::Source::Package::V3::quilt: sanity check of series file
    
    A series file should only contain paths pointing inside debian/patches/
    and thus "../" is forbidden. Given that the path to patches appears
    in the patch command-line with -B .pc/$path, a carefully crafted
    path could lead patch to overwrite an arbitrary file outside of the
    destination directory with a file provided in the source package.
---
 debian/changelog                        | 3 +++
 scripts/Dpkg/Source/Package/V3/quilt.pm | 1 +
 2 files changed, 4 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b293c8d..3512f0b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ dpkg (1.14.29) UNRELEASED; urgency=low
     modify files outside of the target directory and unpacking a source package
     should not be able to have any side-effect outside of the target
     directory. Fixes CVE-2010-0396.
+  * Also error out when the quilt series contains a path with "/../" as this
+    can cause patch to create files outside of the source package due
+    to the -B .pc/$path option that it gets.
 
  -- Raphael Hertzog <hertzog at debian.org>  Fri, 05 Mar 2010 20:41:39 +0100
 
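Review bot: the wording of the new changelog entry is narrower than the check it describes: it says the series must not contain a path with "/../", but the regex added in quilt.pm, `m{(^|/)\.\./}`, also rejects a series line that starts with "../" (the `^` alternative). Suggest saying the series must not contain a path with a "../" component, so the changelog matches what the code actually refuses.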
diff --git a/scripts/Dpkg/Source/Package/V3/quilt.pm b/scripts/Dpkg/Source/Package/V3/quilt.pm
index 56acc71..15343e0 100644
--- a/scripts/Dpkg/Source/Package/V3/quilt.pm
+++ b/scripts/Dpkg/Source/Package/V3/quilt.pm
@@ -111,6 +111,7 @@ sub read_patch_list {
             }
         }
         next if $opts{"skip_auto"} and $_ eq $auto_patch;
+        error(_g("%s contains an insecure path: %s"), $file, $_) if m{(^|/)\.\./};
         push @patches, $_;
     }
     close(SERIES);
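Review bot: the new check `if m{(^|/)\.\./}` only rejects a ".." component that is followed by a slash, so a series line equal to ".." or ending in "/.." passes unchanged into `@patches` even though it is the same kind of parent-directory reference the commit message says is forbidden. If the intent is to refuse any ".." component, anchor the pattern at the end of the string as well, e.g. `m{(^|/)\.\.(/|$)}`, and consider normalising or rejecting trailing whitespace on the line before testing, since `$_` is used verbatim both here and later in the `-B .pc/$path` argument. The error message itself is fine: it names the series file and the offending entry, which is what a maintainer needs to locate the bad line.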

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git