Bug#737160: [uupdate] symlink directory traversal
Jakub Wilk
jwilk at debian.org
Thu Jan 30 20:06:38 UTC 2014
Package: devscripts
Version: 2.14.1
Tags: security
A malicious .orig.tar file can trick uupdate into patching files outside
the source package directory. Proof of concept:
$ apt-get source -qq chewmail
gpgv: Signature made Tue Aug 15 08:10:17 2006 CEST using DSA key ID 16D970C6
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./chewmail_1.2-1.dsc
dpkg-source: info: extracting chewmail in chewmail-1.2
dpkg-source: info: unpacking chewmail_1.2.orig.tar.gz
dpkg-source: info: applying chewmail_1.2-1.diff.gz
$ cd chewmail-1.2/
$ ls /tmp/*
ls: cannot access /tmp/*: No such file or directory
$ uupdate -v2 /path/to/chewmail-2.tar.gz
New Release will be 2-1.
Symlinking to pristine source from chewmail_2.orig.tar.gz...
-- Untarring the new sourcecode archive /path/to/chewmail-2.tar.gz
Success! The diffs from version 1.2-1 worked fine.
Remember: Your current directory is the OLD sourcearchive!
Do a "cd ../chewmail-2" to see the new package
$ ls /tmp/*
/tmp/changelog /tmp/compat /tmp/control /tmp/copyright /tmp/rules
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chewmail-2.tar.gz
Type: application/octet-stream
Size: 180 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20140130/fd474804/attachment.obj>
More information about the devscripts-devel
mailing list