Commit 0fef6718 authored by James McCoy

uupdate: Avoid patching through symlinks for 1.0 source format

Closes: #737160
Closes: CVE-2014-1833
Signed-off-by: James McCoy <jamessan@debian.org>
parent fb0e6a67
......@@ -9,6 +9,12 @@ devscripts (2.14.8) UNRELEASED; urgency=medium
with a web page containing a <meta refresh=...> redirect to the actual
file, causing uscan to save the web page rather than the file. (Closes:
#764367)
* uupdate: When updating a 1.0 source format package, remove any symlinks in
the new upstream source before applying the Debian diff, restoring the
symlinks after. This prevents patch from following the symlinks, which
may point to targets outside of the source tree, when applying the diff.
Thanks to Jakub Wilk for the discovery and suggested fix.
(Closes: #737160, CVE-2014-1833)
[ Ron Lee ]
* cowpoke: Add --sign and --upload command line overrides.
......
......@@ -779,6 +779,14 @@ else
done
fi
# Remove all existing symlinks before applying the patch. We'll
# restore them afterwards, but this avoids patch following symlinks,
# which may point outside of the source tree
declare -a LINKS
while IFS= read -d '' -r link; do
LINKS+=("$link")
done < <(find -type l -printf '%l\0%p\0' -delete)
if $DIFFCAT $DIFF | patch -sNp1 ; then
echo "Success! The diffs from version $VERSION worked fine."
else
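Review bot: the exit status of `find -type l -printf '%l\0%p\0' -delete` is never checked, because it runs inside `< <(...)` and the `while read` loop only sees its output. If a deletion fails, the symlink stays in the tree and `patch -sNp1` still runs, which is the situation this change is meant to prevent. Suggest verifying that no symlinks remain before calling patch and aborting if any do. Separately, `-printf`, `-delete` and the omitted start directory are GNU find behaviour, and `declare -a` plus process substitution require bash; a short comment saying so would help anyone porting the script.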
......@@ -790,6 +798,16 @@ else
STATUS=1
fi
# Reinstate symlinks, warning if the
for (( i=0; $i < ${#LINKS[@]}; i=$(($i+2)) )); do
target="${LINKS[$i]}"
link="${LINKS[$(($i+1))]}"
if ! ln -s -T "$target" "$link"; then
echo "$PROGNAME: warning: Unable to restore the '$link' -> '$target' symlink." >&2
STATUS=1
fi
done
for file in "${MOVEDFILES[@]}"; do
if [ -e "$file.upstream" ]; then
mv $file $file.debdiff
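Review bot: the comment `# Reinstate symlinks, warning if the` stops mid-sentence; finish it so it states what triggers the warning (the `ln -s -T "$target" "$link"` call failing, which happens when something already exists at the link path after patching). As a style point, the `$` and `$(( ))` are unnecessary inside `(( ))`, so `for (( i=0; i < ${#LINKS[@]}; i+=2 ))` reads more cleanly. In the trailing context, `mv $file $file.debdiff` leaves both expansions unquoted, unlike the quoted `"$file.upstream"` test just above it.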
......