Apply patch to avoid truncating of arbitrary files. Thanks to Bryan

author Otavio Salvador <otavio@ossystems.com.br>

Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)

committer Otavio Salvador <otavio@ossystems.com.br>

Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)
author Otavio Salvador <otavio@ossystems.com.br>
Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)
committer Otavio Salvador <otavio@ossystems.com.br>
Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc

index 2b7e250..a5976cf 100644 (file)
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -138,7 +138,9 @@ bool CopyFile(FileFd &From,FileFd &To)
     close at some time. */
  int GetLock(string File,bool Errors)
  {
-   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+   // GetLock() is used in aptitude on directories with public-write access
+   // Use O_NOFOLLOW here to prevent symlink traversal attacks
+   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
     if (FD < 0)
     {
        // Read only .. cant have locking problems there.
diff --git a/debian/changelog b/debian/changelog

index 3f08fda..20f9c6a 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,10 @@ apt (0.7.14) UNRELEASED; urgency=low
    * Brazilian Portuguese updated. Closes: #480561
    * Hungarian updated. Closes: #480662
  
+  [ Otavio Salvador ]
+  * Apply patch to avoid truncating of arbitrary files. Thanks to Bryan
+    Donlan <bdonlan@fushizen.net> for the patch. Closes: #482476
+
   -- Christian Perrier <bubulle@debian.org>  Sun, 04 May 2008 08:31:06 +0200
  
  apt (0.7.13) unstable; urgency=low
author	Otavio Salvador <otavio@ossystems.com.br>
	Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)
committer	Otavio Salvador <otavio@ossystems.com.br>
	Fri, 23 May 2008 13:07:44 +0000 (10:07 -0300)
apt-pkg/contrib/fileutl.cc		patch \| blob \| blame \| history
debian/changelog		patch \| blob \| blame \| history