Bug #1169636 “lintian: CVE-2013-1429 - path traversal/informatio...” : Bugs : Lintian

Niels Thykier (niels-thykier) on 2013-04-16

information type:

Private Security → Public Security

Revision history for this message

Niels Thykier (niels-thykier) wrote on 2013-04-16:

#1

tarball of patches for 2.5.6ish Edit (14.5 KiB, application/x-tar)

Attached is a tarball containing a set of patches for fixing this in 2.5.6.

For Lintian 2.5.10.X, the patches can be pulled from upstream's git repository via:
git show 2.5.10.4..2.5.10.5

For Lintian 2.5.11:
git show a5680cc4f7ca733f83a16c9bff0e0fa10525c46e..751dee4653e5960ca03f3164c15bb849a85fc976

For Lintian 2.4.3:
git show 8a6f1682051c39ecc0088acb194ea7754b23a553..ddd524862684bbbc3b6c045b400dd7e5767c5935

~Niels

Bug Watch Updater (bug-watch-updater) on 2013-04-16

Changed in lintian:
status:	Unknown → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-05-04:

#2

Download full text (17.2 KiB)

This bug was fixed in the package lintian - 2.5.12ubuntu1

---------------
lintian (2.5.12ubuntu1) saucy; urgency=low

  * Sync from Debian experimental and drop all previous Ubuntu changes,
    applied upstream. (LP: #1173896)
    - Fixes CVE-2013-1429: path traversal/information disclosure.
      (LP: #1169636)
  * Cherry-pick from upstream:
    - vendors/ubuntu/main/data/changes-file/known-dists:
      + [NT] Add "saucy" as known Ubuntu distribution. Thanks to
        Iain Lane for the report.

lintian (2.5.12) experimental; urgency=medium

  * Summary of tag changes:
    + Added:
      - ambiguous-paragraph-in-dep5-copyright
      - binary-file-built-without-LFS-support
      - debian-tests-control-is-not-a-regular-file
      - debian-tests-control-uses-national-encoding
      - debug-file-with-no-debug-symbols
      - desktop-entry-lacks-keywords-entry
      - dir-or-file-in-build-tree
      - dir-or-file-in-etc-opt
      - dir-or-file-in-home
      - file-name-is-not-valid-UTF-8
      - font-adobe-copyrighted-fragment-no-credit
      - font-package-not-multi-arch-foreign
      - illegal-runtime-test-name
      - inconsistent-testsuite-field
      - license-problem-gfdl-invariants
      - license-problem-gfdl-invariants-empty
      - menu-icon-uses-relative-path
      - missing-runtime-test-file
      - missing-runtime-tests-field
      - package-contains-broken-symlink-wildcard
      - package-contains-unsafe-symlink
      - runtime-test-file-is-not-a-regular-file
      - source-contains-unsafe-symlink
      - unknown-runtime-tests-feature
      - unknown-runtime-tests-field
      - unknown-runtime-tests-restriction
      - unknown-testsuite
      - vcs-field-bitrotted
      - vcs-git-uses-invalid-user-uri
      - zip-parse-error
    + Removed:
      - unneeded-build-dep-on-quilt

  * checks/*:
    + [NT] Avoid following unsafe symlinks. (CVE-2013-1429)
  * checks/binaries{,.desc}:
    + [NT] Accept libx32 as a bi-arch directory.
    + [NT] Correct reference policy reference. Thanks to
      Samuel Bronson for the correction. (Closes: #698234)
    + [NT] Detect debug ELF binaries with no debug symbols.
      Thanks to Nelson A. de Oliveira for the report.
      (Closes: #668437)
    + [NT] Check for binaries built without LFS. This can
      only be checked for 32bit binaries as 64bit binaries
      have LFS by definition. Thanks to Guillem Jover for
      the report and patches. (Closes: #670963)
    + [NT] Apply patch from Samuel Bronson to bump severity
      (but decrease certainty) of the "not linked against
      libc" tags. (Closes: #698720)
  * checks/copyright:
    + [NT] Apply patch from Evgeni Golov to avoid false
      positive tag when the MPL-2.0 license appears in the
      copyright file. (See #626454)
  * checks/cruft{,.desc}:
    + [NT] Do not emit the license-problem-json-evil tag for
      non-free packages.
    + [NT] Apply patch from Bastien Roucariès to catch GFDL
      licenses with invariants (etc.). (Closes: #695967)
    + [NT] Correct description of an autotools tag. Thanks
      to Alberto Garcia and Timo Juhani Lindfors for the
      report and patch. (Closes: #703490)
    + [NT] Check for unsafe...

This bug was fixed in the package lintian - 2.5.12ubuntu1

---------------
lintian (2.5.12ubuntu1) saucy; urgency=low

* Sync from Debian experimental and drop all previous Ubuntu changes,
    applied upstream. (LP: #1173896)
    - Fixes CVE-2013-1429: path traversal/information disclosure.
      (LP: #1169636)
  * Cherry-pick from upstream:
    - vendors/ubuntu/main/data/changes-file/known-dists:
      + [NT] Add "saucy" as known Ubuntu distribution.  Thanks to
        Iain Lane for the report.

lintian (2.5.12) experimental; urgency=medium

* Summary of tag changes:
    + Added:
      - ambiguous-paragraph-in-dep5-copyright
      - binary-file-built-without-LFS-support
      - debian-tests-control-is-not-a-regular-file
      - debian-tests-control-uses-national-encoding
      - debug-file-with-no-debug-symbols
      - desktop-entry-lacks-keywords-entry
      - dir-or-file-in-build-tree
      - dir-or-file-in-etc-opt
      - dir-or-file-in-home
      - file-name-is-not-valid-UTF-8
      - font-adobe-copyrighted-fragment-no-credit
      - font-package-not-multi-arch-foreign
      - illegal-runtime-test-name
      - inconsistent-testsuite-field
      - license-problem-gfdl-invariants
      - license-problem-gfdl-invariants-empty
      - menu-icon-uses-relative-path
      - missing-runtime-test-file
      - missing-runtime-tests-field
      - package-contains-broken-symlink-wildcard
      - package-contains-unsafe-symlink
      - runtime-test-file-is-not-a-regular-file
      - source-contains-unsafe-symlink
      - unknown-runtime-tests-feature
      - unknown-runtime-tests-field
      - unknown-runtime-tests-restriction
      - unknown-testsuite
      - vcs-field-bitrotted
      - vcs-git-uses-invalid-user-uri
      - zip-parse-error
    + Removed:
      - unneeded-build-dep-on-quilt

* checks/*:
    + [NT] Avoid following unsafe symlinks.  (CVE-2013-1429)
  * checks/binaries{,.desc}:
    + [NT] Accept libx32 as a bi-arch directory.
    + [NT] Correct reference policy reference.  Thanks to
      Samuel Bronson for the correction.  (Closes: #698234)
    + [NT] Detect debug ELF binaries with no debug symbols.
      Thanks to Nelson A. de Oliveira for the report.
      (Closes: #668437)
    + [NT] Check for binaries built without LFS.  This can
      only be checked for 32bit binaries as 64bit binaries
      have LFS by definition.  Thanks to Guillem Jover for
      the report and patches.  (Closes: #670963)
    + [NT] Apply patch from Samuel Bronson to bump severity
      (but decrease certainty) of the "not linked against
      libc" tags.  (Closes: #698720)
  * checks/copyright:
    + [NT] Apply patch from Evgeni Golov to avoid false
      positive tag when the MPL-2.0 license appears in the
      copyright file.  (See #626454)
  * checks/cruft{,.desc}:
    + [NT] Do not emit the license-problem-json-evil tag for
      non-free packages.
    + [NT] Apply patch from Bastien Roucariès to catch GFDL
      licenses with invariants (etc.).  (Closes: #695967)
    + [NT] Correct description of an autotools tag.  Thanks
      to Alberto Garcia and Timo Juhani Lindfors for the
      report and patch.  (Closes: #703490)
    + [NT] Check for unsafe symlinks (outside common testsuite
      paths).
  * checks/debconf:
    + [NT] Fix several path traversal issues that could leak
      information about the host system.  (CVE-2013-1429)
  * checks/debhelper{,.desc}:
    + [JW] Assume the proper python helpers are called if a
      (Makefile) variable is used.  (Closes: #659335)
    + [JW] Promote python-depends-but-no-python-helper and
      python3-depends-but-no-python3-helper to non-experimental.
  * checks/description:
    + [NT] Ignore "extended-description-is-probably-too-short"
      for metapackages.  Thanks to Axel Beckert for the
      report.
  * checks/duplicate-files.desc:
    + [NT] Demote severity of "duplicate-files" tag to pedantic.
  * checks/fields{,.desc}:
    + [NT] Apply patch from Samuel Bronson to detect some
      broken or poor Vcs URLs.  Also thanks to James McCoy for
      his report.  (Closes: #652595)
    + [JW] Reduce severity of b-d-on-python-dev-with-no-arch-any
      to minor.
    + [NT] Skip "depends-on-packaging-dev" for metapackages.
    + [NT] Apply patch from Gregor Herrmann to catch metacpan
      homepage links with versions.  (Closes: #700110)
    + [NT] Apply patch from Vasudev Kamath to detect fonts
      packages without a Multi-Arch foreign (or allowed) field.
      (Closes: #701061)
  * checks/files{,.desc}:
    + [NT] Apply patch from Bastien Roucariès to catch paths
      in (common) build dirs.  (Closes: #678857)
    + [NT] Do not suggest the use of "virtual package" as a way
      to suppress empty-binary-package.  Lintian will still
      accept it the phrase for now.
    + [NT] Accept libx32 as an bi-arch directory.
    + [NT] Ignore gzipped lintian overrides when checking whether
      a package is empty.
    + [NT] Fix typo of Pre-Depends, thanks to Raúl Benencia for
      spotting it.  (Closes: #699452)
    + [NT] Add patch from Bastien Roucariès to check for another
      adobe font license issues.  (Closes: #705175)
    + [NT] Test for use of file names that are contain invalid
      UTF-8 byte sequences.  Thanks to Helmut Grohne for the
      suggestion.  (Closes: #704446)
  * checks/init.d:
    + [NT] Fix regression where Lintian would not properly match
      init.d passed to update-rc.d.  Thanks to Michael Meskes for
      reporting.  (Closes: #698602)
    + [NT] Fix possible symlink traversal that could leak
      information about the host system.  (CVE-2013-1429)
  * checks/java{,.desc}:
    + [NT] Report possibly broken jar files.
  * checks/md5sums:
    + [NT] Fix path traversal issue that could leak information
      about the host system.
  * checks/menu-format{,.desc}:
    + [NT] Apply patch from Bastien Roucariès to detect missing
      "Keywords" in desktop files.  Thanks to Jeremy Bicha for
      the report.  (Closes: #693918)
    + [NT] Apply patch from Matthias Klumpp to add missing
      "Science" category.  (Closes: #697693)
    + [NT] Apply patch from Thomas Preud'homme to detect uses of
      relative icons in menu files.  (Closes: #697916)
    + [NT] Document why only XPM are allowed in the tag description
      of menu-icon-not-in-xpm-format.  (Closes: 591812)
  * checks/menus:
    + [NT] Fix path traversal issue that could leak information
      about the host system.  (CVE-2013-1429)
  * checks/patch-systems{,.desc}:
    + [NT] Retire unneeded-build-dep-on-quilt, it is only a pedantic
      tag and apparently not too accurate.  Thanks to Charles Plessy
      and Frank Kuester for the reports.  (Closes: #615516, #681061)
  * checks/po-debconf:
    + [NT] Unconditionally set INTLTOOL_EXTRACT.
  * checks/rules:
    + [NT] Remove ant1.7 as alternative to ant as ant1.7 has been
      removed from Wheezy.
  * checks/scripts:
    + [NT] Treat scripts in /usr/src/ like they were documentation.
  * checks/shared-libs:
    + [NT] Special case gcc packages when looking for dev symlinks.
      gcc stores its dev symlinks in some special directories.
    + [NT] Fix path traversal issue that could leak information
      about the host system.  (CVE-2013-1429)
  * checks/source-copyright{,.desc}:
    + [JW,NT] Add a separate tag for ambiguous DEP-5 paragraphs,
      where Lintian cannot reliably figure out what is intended.
      Thanks to Julian Taylor for the report.  (Closes: #652380)
    + [NT] Add paragraph line number to the "field typo" tag.
  * checks/symlinks{,.desc}:
    + [NT] Warn about broken symlinks that contains a literal "*"
      in their target.  This is usually a sign that a wildcard did
      not properly expand.  Thanks to Bernd Zeimetz for the report.
      (Closes: #683737)
    + [NT] Demote certainty of package-contains-broken-symlink to
      wild-guess.
    + [NT] Check for unsafe symlinks in binary packages.
  * checks/testsuite{,.desc}:
    + [NT] New check written by Nicolas Boulenguez to catch some
      mistakes with the new autopkgtest tests.

* collection/*:
    + [NT] Avoid reading files outside the package root.
      (CVE-2013-1429)
  * collection/{changelog-file,debian-readme}:
    + [NT] Ignore files in usr/doc/<pkg>.
    + [NT] Skip collection if usr/share/doc/<pkg> is not contained
      within the package root.  (CVE-2013-1429)
  * collection/hardening-info{,-helper,.desc}:
    + [NT] Whitelist "memset" and "memmove" as "always safe"
      functions.  Thanks to Sebastian Ramacher for the suggestion
      and Roland Stigge for the report.  (Closes: #685299)
    + [NT] Remove work around for #677530
  * collection/index{,.desc}:
    + [NT] Fix missing trailing slash on dirnames and bump index
      version accordingly.  Thanks to Nicolas Boulenguez for
      noticing.
  * collection/java-info:
    + [NT] Gracefully handle broken Jar files.  Thanks to Paul
      Tagliamonte for the report.  (Closes: #700543)
  * collection/strings:
    + [NT] Fix a regression in filtering out "debug" ELF binaries.

* data/binaries/arch-regex:
    + [NT] Recognise x32 as an ELF32 binary.
  * data/fields/obsolete-packages:
    + [NT] Apply patch from Guillem Jover to add fuse-utils as an
      obsolete package.  (Closes: #697534)
  * data/files/locale-codes:
    + [NT] Refresh against sid data files.
  * data/menu-format/add-categories:
    + [NT] Apply patch from Matthias Klumpp to add missing
      subcategories.
  * data/output/manual-references:
    + [NT] Refresh with Policy 3.9.4.
  * data/scripts/interpreter:
    + [NT] Add cfagent as a known interpreter.  Thanks to Andreas
      Mundt for the suggestion.  (Closes: #699670)
  * data/scripts/versioned-interpreters:
    + [NT] Apply patch from Thijs Kinkhorst to add lua5.2 as a
      versioned alternative to lua.  (Closes: #698704)
  * data/shared-libs/ldconfig-dirs:
    + [NT] Add libx32 and usr/libx32 used by some gcc x32 bi-arch
      packages.
  * data/spelling/corrections{,-case}:
    + [JW] Add correction for "privileges".  (Closes: #700882)
    + [NT] Warn about incorrect case of "OpenStreetMap".  Thanks
      to Paul Wise for the patch.

* debian/control:
    + [NT] Bump dependency on hardening-includes to avoid having
      to work around #677530.
    + [NT] Add XS-Testsuite for autopkgtest tests.
    + [NT] Add Build-Depends on libtest-perl-critic-perl.
    + [NT] Add (Build-)Depends on liblist-moreutils-perl and
      libfile-basedir-perl.
    + [NT] Add versioned (Build)-Depends on perl | libautodie-perl.
  * debian/lintian.install:
    + [NT] Install Test::Lintian in /usr/share/lintian/lib.
  * debian/rules:
    + [NT] Include the new Tutorial pods in the "api-doc" target.
  * debian/tests/{control,testsuite,testsuite-legacy}:
    + [NT] New file.

* doc/tutorial/Lintian/Tutorial{/WritingChecks}.pod:
    + [NT] Add POD tutorial on writing checks.

* frontend/lintian{,-info}:
    + [NT] Add --include-dir command line option.  This can be used
      to load additional Lintian checks, profiles, libraries or data.
      (Closes: #359059)
  * frontend/lintian:
    + [NT] Remove "make-shift" lab-query support now that
      Lintian::Lab supports it.
    + [NT] Add new command line option "--[no-]user-dirs" to disable
      loading from $HOME/.lintian{rc,/} and /etc/lintian{rc,/}.
    + [NT] Error out early if a check cannot be loaded.
    + [NT] Make --suppress-tags{,--from-file} do something when used
      with --check-part and document that --tags causes the option
      to be ignored.
    + [NT] Accept the magic token "{VENDOR}" as a part of the value
      to --profile.
    + [NT] Add new command line option "--ignore-lintian-env" to make
      lintian ignore all environment variables starting with LINTIAN_.
    + [NT] Add a new command line option --no-display-experimental
      and --default-display-level.  These options can be used to
      override some display options from the config file.
      (Closes: #703985)
    + [NT] Also search for the lintianrc file in XDG_CONFIG_{HOME,DIRS}.
      The default paths are now ~/.config/lintian/lintianrc and
      /etc/xdg/lintian/lintianrc.  The previous lintianrc paths are
      still accepted.
    + [NT] Stop looking for lintianrc files in the LINTIAN_ROOT.
    + [NT] Stop exporting LINTIAN_LAB to processes run by lintian.
    + [NT] Use of --root (or setting LINTIAN_ROOT) will now imply
      the option --no-user-dirs by default.

* lib/*:
    + [NT] Use "parent" instead of the "base" pragma.
  * lib/Lintian/Collect.pm:
    + [NT] Add "is_non_free" method to easily check of a given
      package appears to be non-free.
  * lib/Lintian/Collect/Binary.pm:
    + [NT] Re-instate the "TEXTREL" marker.  This fixes a regression
      where shared-libs compiled without pic was not reported.
      Thanks to Dmitry Shachnev for the assistance in debugging this.
    + [NT] Recognise packages in section "metapackages" as a
      metapackage.  Thanks to Axel Beckert for the report.
      (Closes: #698610)
  * lib/Lintian/Collect/Package.pm:
    + [NT] Ensure the "root" entry of indices do not contain itself.
      (Closes: #695866)
    + [NT] Add warning to unpacked and debfiles when they are given a
      path with leading slash or dot-slash.
    + [NT] When a check requests access to a raw file (or dir) in the
      package, ensure that the resulting path does not "escape" the
      top level directory.  This should preemptively guard against some
      (but not all) traversal attempts.
  * lib/Lintian/Path.pm:
    + [NT] Document that link_resolved is not sufficient to test the
      "safeness" of a symlink.
  * lib/Lintian/Command/Simple.pm:
    + [NT] Use constant time lookup access instead of linear scan with
      "hashref" wait.
  * lib/Lintian/Lab.pm:
    + [NT] Add lab_query method to handle lab-queries directly.
    + [NT] Fix bitrot of repair_lab and rename it to repair for
      consistency.
  * lib/Lintian/Lab{,/Manifest}.pm:
    + [NT] Add support for grouping of manifests.
  * lib/Lintian/Lab/Manifest.pm:
    + [NT] Fix an error in visit_all when sufficient keys for an
      exact look up was given.
  * lib/Lintian/Processable.pm:
    + [NT] Fix issue where packages loaded from the lab indices would
      sometimes get a wrong source-version.
  * lib/Lintian/Relation/Version.pm:
    + [NT] Add and export "versions_comparator" that can be used for
      sorting purposes.
  * lib/Lintian/Tag/Info.pm:
    + [NT] Use "&amp;" in the manpage ref URLs to generate proper HTML.
      Thanks to Vasudev Kamath for reporting the issue.
    + [NT] Produce a more helpful error message when a tag has an
      invalid severity or certainty.  (Closes: #703978)
  * lib/Lintian/Tags.pm:
    + [NT] Deal with parsing an ambiguous override a bit better.  This
      solves false-positive malformed-override, where Lintian misparsed
      the tag name as a package name.  (Closes: #699628)
  * lib/Lintian/Util.pm:
    + [NT] Reject partially signed Deb822 files.  Most Deb822 files
      are not signed at all; but those that are should be completely
      covered by a signature.  (Closes: #696230)
    + [ADB] Fix a typo in the matching of expected delimiters for some
      signed messages; thanks Samuel Bronson.
    + [NT] Add sub to check if a path is contained within a given dir.
    + [NT] Fix bug in resolve_pkg_path that made it resolve some links
      incorrectly.
    + [NT] Document that resolve_pkg_path is not sufficient to test the
      "safeness" of a symlink.

* man/lintian.pod.in:
    + [NT] Document that --pedantic is the same as "-L +=pedantic".
      (Closes: #703989)
    + [NT] Fix typo of the "override" variable in the config example.

* private/refresh-locale-codes:
    + [JW,NT] Ignore the "zxx" locale code, which means "No
      linguistic content".  (Closes: #692548)

* reporting/config:
    + [JP] Remove unused $GRAPH_DIR configuration option.
  * reporting/graphs/{statistics,tags}.gpi:
    + [JP] Tweak graph size to allow longer labels, and force font
      family.
  * reporting/harness:
    + [NT] Add --to-stdout option to emit log information to
      stdout as well as the log files.
    + [NT] Always schedule packages in groups.  Otherwise, binNMU'ed
      binaries would not be tested together with their source
      package (and architecture independent packages).
    + [NT] Schedule groups in chunks (default 512 per chunk).
      This makes the Lintian processes shorter and makes memory
      reclaimable sooner.  (Closes: #695839)
    + [NT] Remove "make-shift" lab-query support now that
      Lintian::Lab supports it.
  * reporting/html_reports:
    + [NT] Update xrefs to include source version.
    + [NT] Generate a text file suitable for Apache's RewriteMap to
      map source packages to the full report for that source.
      Thanks to Joerg "Gannef" Jasper for the suggestion to use
      RewriteMap.  (Closes: #696960)
    + [JP] Fix version labels glitches.
    + [JP] Use global $GRAPHS_RANGE_DAYS.
    + [JP] Pass graph variables to index and tag templates.
  * reporting/lintian.css:
    + [JP] Tweak graph alignment.
  * reporting/templates/{packages,maintainer,tag}.tmpl:
    + [NT] Properly handle multiple versions of the same source and
      add versioned anchors to them.
  * reporting/templates/{index,tag}.tmpl:
    + [JP] Include history graphs in HTML templates.
  * reporting/templates/tag.tmpl:
    + [NT] Fix "empty <ul>" tag when tag has no "extra" information.
      Thanks to Vasudev Kamath for reporting the issue.
 -- Felix Geyer <debfx@ubuntu.com>   Wed, 01 May 2013 13:58:18 +0200

Changed in lintian (Ubuntu):
status:	New → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	Lintian	Fix Released	Unknown	debbugs #705553
	lintian (Ubuntu)	Fix Released	Undecided	Unassigned

Lintian

lintian: CVE-2013-1429 - path traversal/information disclosure

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches