licensecheck: Separate filename from args in file call

This prevents the situation where $file happens to be a valid switch
for the file command (e.g. -C) which causes side-effects.  If properly
set up, it's possible to cause file to traverse a symlink and overwrite a
file.

Closes: #794365, CVE-2015-5705
Signed-off-by: James McCoy <jamessan@debian.org>
parent 55a22e00
devscripts (2.15.8) UNRELEASED; urgency=medium
* licensecheck:
+ Avoid argument injection which may cause file to overwrite a file
through symlink indirection. (Closes: #794365, CVE-2015-5705)
-- James McCoy <jamessan@debian.org> Sun, 02 Aug 2015 08:56:00 -0400
devscripts (2.15.7) unstable; urgency=medium
* licensecheck:
@@ -323,7 +323,7 @@ while (@files) {
# Encode::Guess does not work well, use good old file command to get file encoding
my $mime;
spawn(exec => ['file', '--brief', '--mime', '--dereference', $file],
spawn(exec => ['file', '--brief', '--mime', '--dereference', '--', $file],
to_string => \$mime,
error_to_file => '/dev/null',
nocheck => 1,
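Review bot: the `--` terminator inserted before `$file` on the new spawn line is the correct fix for values such as `-C`, and it works because `exec =>` passes an argv list rather than a shell string, so the only parser left to confuse is file's own option parser; a one-line comment above the `spawn` call stating why `--` is required would stop a later tidy-up from dropping it, since the existing comment only explains why file is used at all.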