[devscripts] Add fix for rhbz#1040266: fix arbitrary code execution in uscan

Sandro Mani smani at fedoraproject.org
Wed Dec 11 09:21:19 UTC 2013


commit 227633d2f352b4558c283ee27b2b5eabda94568e
Author: Sandro Mani <manisandro at gmail.com>
Date:   Wed Dec 11 10:21:17 2013 +0100

    Add fix for rhbz#1040266: fix arbitrary code execution in uscan

 devscripts.spec        |    9 ++++++++-
 devscripts_uscan.patch |   22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletions(-)
---
diff --git a/devscripts.spec b/devscripts.spec
index b466fe2..798b514 100644
--- a/devscripts.spec
+++ b/devscripts.spec
@@ -1,6 +1,6 @@
 Name:           devscripts
 Version:        2.13.5
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Scripts for Debian Package maintainers
 
 License:        GPLv2+
@@ -12,6 +12,8 @@ Patch0:         devscripts_docbook.patch
 Patch1:         devscripts_install-layout.patch
 # Install some additional man pages
 Patch2:         devscripts_install-man.patch
+# Fix arbitrary command execution when using USCAN_EXCLUSION
+Patch3:         devscripts_uscan.patch
 
 # rpmdevtools < 8.4 bundled some of the scripts provided by this package
 Conflicts:      rpmdevtools < 8.4
@@ -54,6 +56,7 @@ This package contains the following subset of the devscripts scripts:
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 # Search for libvfork in %%{_libdir}/%%{name}
 sed -i 's|/usr/lib/devscripts/libvfork.so.0|%{_libdir}/%{name}/libvfork.so.0|g' scripts/dpkg-depcheck.pl
@@ -94,6 +97,10 @@ rm -rf %{buildroot}%{_datadir}/doc
 
 
 %changelog
+* Wed Dec 11 2013 Sandro Mani <manisandro at gmail.com> - 2.13.5-2
+- Add upstream patch to fix arbitrary command execution when using
+  USCAN_EXCLUSION (rhbz#1040266, debian#731849)
+
 * Thu Dec 05 2013 Sandro Mani <manisandro at gmail.com> - 2.13.5-1
 - Update to 2.13.5
 
diff --git a/devscripts_uscan.patch b/devscripts_uscan.patch
new file mode 100644
index 0000000..a3ba4b0
--- /dev/null
+++ b/devscripts_uscan.patch
@@ -0,0 +1,22 @@
+diff -rupN devscripts-2.13.5/scripts/uscan.pl devscripts-2.13.5-new/scripts/uscan.pl
+--- devscripts-2.13.5/scripts/uscan.pl	2013-12-05 04:27:55.000000000 +0100
++++ devscripts-2.13.5-new/scripts/uscan.pl	2013-12-11 10:17:12.715256802 +0100
+@@ -2171,12 +2171,12 @@ sub get_main_source_dir($$$$) {
+     foreach my $file (@files) {
+ 	unless ($file =~ /^\.\.?/) {
+ 	    if ( -d "${tempdir}/$file" ) {
+-                # HELP: why can't perl move not move directories????
+-                system( "mv ${tempdir}/$file $main_source_dir" ) ;
+-            } else {
+-                move("${tempdir}/$file", $main_source_dir) or die("Unable to move ${tempdir}/$file directory $main_source_dir\n");
+-            }
+-        }
++		# HELP: why can't perl move not move directories????
++		system('mv', "${tempdir}/$file", $main_source_dir);
++	    } else {
++		move("${tempdir}/$file", $main_source_dir) or die("Unable to move ${tempdir}/$file directory $main_source_dir\n");
++	    }
++	}
+     }
+     return $main_source_dir;
+ }
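Review bot: The exit status of the new list-form `system('mv', "${tempdir}/$file", $main_source_dir)` is still ignored, so a failed directory move is silently skipped while the file branch right below dies via `move(...) or die`; the list form closes the shell injection through `$file`, `$tempdir` and `$main_source_dir`, but leaves the two branches with inconsistent error handling. I would check the status, e.g. `system('mv', "${tempdir}/$file", $main_source_dir) == 0 or die "Unable to move ${tempdir}/$file to $main_source_dir: $?\n";`. If `$tempdir` or `$main_source_dir` can start with `-` (where they come from is not visible in this hunk), inserting `'--'` before the paths would also keep mv from parsing them as options. The enclosing `get_main_source_dir` starts before this hunk.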

