[Reproducible-commits] [dpkg] 03/10: scripts: Add test cases for C-style encoded pathnames in patches
Holger Levsen
holger at layer-acht.org
Tue May 3 08:43:49 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to annotated tag 1.16.15
in repository dpkg.
commit 3295925ac15cc0453195e697a2ddb9275fa75ade
Author: Guillem Jover <guillem at debian.org>
Date: Fri May 2 00:09:43 2014 +0200
scripts: Add test cases for C-style encoded pathnames in patches
Cherry picked from commit dbb9cc36ae606bc5cbdb81baae02b9067913d143.
This covers the directory traversal issues from CVE-2014-0471 and
CVE-2014-3127.
---
debian/changelog | 4 +++
scripts/Makefile.am | 2 ++
scripts/t/Dpkg_Source_Patch.t | 53 +++++++++++++++++++++++++++++++
scripts/t/Dpkg_Source_Patch/c-style.patch | 4 +++
4 files changed, 63 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index acbdb90..cbbbf8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
dpkg (1.16.15) UNRELEASED; urgency=low
+ [ Guillem Jover ]
+ * Test suite:
+ - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
+
[ Updated scripts translations ]
* German (Helge Kreutzmann).
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 363eaf3..35e2818 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -191,6 +191,7 @@ test_cases = \
t/500_Dpkg_Path.t \
t/600_Dpkg_Changelog.t \
t/600_Dpkg_Changelog_Ubuntu.t \
+ t/Dpkg_Source_Patch.t \
t/700_Dpkg_Control.t \
t/750_Dpkg_Substvars.t \
t/800_Dpkg_IPC.t \
@@ -223,6 +224,7 @@ test_data = \
t/200_Dpkg_Shlibs/objdump.libc6-2.6 \
t/200_Dpkg_Shlibs/objdump.dbd-pg \
t/200_Dpkg_Shlibs/objdump.ls \
+ t/Dpkg_Source_Patch/c-style.patch \
t/600_Dpkg_Changelog/countme \
t/600_Dpkg_Changelog/fields \
t/600_Dpkg_Changelog/misplaced-tz \
diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
new file mode 100644
index 0000000..0634c8d
--- /dev/null
+++ b/scripts/t/Dpkg_Source_Patch.t
@@ -0,0 +1,53 @@
+#!/usr/bin/perl
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+use strict;
+use warnings;
+
+use Test::More tests => 3;
+
+use File::Path qw(make_path);
+
+BEGIN {
+ use_ok('Dpkg::Source::Patch');
+}
+
+my $srcdir = $ENV{srcdir} || '.';
+my $datadir = $srcdir . '/t/Dpkg_Source_Patch';
+my $tmpdir = 't.tmp/Dpkg_Source_Patch';
+
+sub test_patch_escape {
+ my ($name, $symlink, $patchname, $desc) = @_;
+
+ make_path("$tmpdir/$name-tree");
+ make_path("$tmpdir/$name-out");
+ symlink "../$name-out", "$tmpdir/$name-tree/$symlink";
+
+ my $patch = Dpkg::Source::Patch->new(filename => "$datadir/$patchname");
+ eval {
+ $patch->apply("$tmpdir/$name-tree", verbose => 0);
+ };
+ ok(rmdir "$tmpdir/$name-out", $desc);
+}
+
+# This is CVE-2014-0471 with GNU patch >= 2.7
+test_patch_escape('c-style-parsed', "\tmp", 'c-style.patch',
+ 'Patch cannot escape using known c-style encoded filename');
+
+# This is CVE-2014-0471 with GNU patch < 2.7
+test_patch_escape('c-style-unknown', '\\tmp', 'c-style.patch',
+ 'Patch cannot escape using unknown c-style encoded filename');
+
+1;
diff --git a/scripts/t/Dpkg_Source_Patch/c-style.patch b/scripts/t/Dpkg_Source_Patch/c-style.patch
new file mode 100644
index 0000000..290a640
--- /dev/null
+++ b/scripts/t/Dpkg_Source_Patch/c-style.patch
@@ -0,0 +1,4 @@
+--- /dev/null
++++ "b/\tmp/c-style"
+@@ -0,0 +1 @@
++Escaped
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
More information about the Reproducible-commits
mailing list