Package: lintian
Version: 2.5.12
Severity: normal

Hi!

The new (re #705553) “source-contains-unsafe-symlink” tag currently produces false positives for symlinks starting in ../../ (or otherwise ascending two or more levels of the directory hierarchy) because the respective check in the find_cruft function is based on the dirname of $_ (the basename of the current file, whose dirname is always ".") instead of $name (its path relative to the root directory of the source package). See <http://snapshot.debian.org/archive/debian/20130505T093307Z/pool/main/i/ikiwiki/ikiwiki_3.20130504.dsc> for an example of a package with a couple of false positives. The attached patch seems to do the trick, but I haven’t verified its effects extensively.

Cheers,
Michael
From 33cee708ddb68990d9ef0258a86be2ae8d43844a Mon Sep 17 00:00:00 2001 From: Michael Schutte <mi...@debian.org> Date: Fri, 10 May 2013 23:30:10 +0200 Subject: [PATCH] c/cruft: Don't consider all ../../** symlinks unsafe $_ in find_cruft is set to the basename of the examined file. The effect of the link destination on basename($_) is currently used in order to check whether a symlink escapes the root directory of the source package; this results in false positives for all symlinks moving up more than one level, as basename($_) is always ".". Base this check on the full relative path to the file ($name) instead. diff --git a/checks/cruft b/checks/cruft index b003ecb..ec079f9 100644 --- a/checks/cruft +++ b/checks/cruft @@ -359,7 +359,7 @@ sub find_cruft { } if (-l) { my $target = readlink($_); - my $dirname = dirname($_); + my $dirname = dirname($name); my $normalized; # If it is an absolute link, it escapes the root by default if ($target !~ m{\A / }xsm) { -- 1.7.10.4
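Review bot: the one-line change from `dirname($_)` to `dirname($name)` is the right fix, since `$_` is only the basename inside `find_cruft` and the dirname of a bare basename is always ".", but it lands without a regression test; the hunk should come with a test source tree that has a symlink two levels down pointing at `../../` (stays inside the root, must not be tagged) next to one at a single level pointing at `../../` (escapes, must be tagged), so the normalization that follows `my $normalized;` is exercised with a non-trivial `$dirname`. It is also worth confirming in the commit message that `$name` is always the path relative to the unpacked source root, with no leading "./" or absolute prefix, because the escape decision now depends entirely on that convention.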
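The escape check described in the report, as an added Python example that is not part of Lintian or of the patch: the corrected logic resolves the link target against the directory of the link's root-relative path, while the buggy variant is a simplified model of the pre-patch effect (taking the directory from the basename only), not Lintian's own normalization code, which the report does not show.

```python
import posixpath


def _normalized_escapes(dirname, target):
    """Join the link target onto the link's directory and collapse '.'
    and '..' lexically (no filesystem access, like a symlink check on an
    unpacked tree). The result escapes the root if it still begins with
    '..' after normalization."""
    normalized = posixpath.normpath(posixpath.join(dirname, target))
    return normalized == ".." or normalized.startswith("../")


def symlink_escapes_root(name, target):
    """Corrected check: `name` is the link's path relative to the source
    root (Lintian's $name), `target` is readlink() of that link."""
    if target.startswith("/"):
        return True  # absolute links leave the unpacked tree by definition
    # dirname of 'doc/html/link' is 'doc/html'; of a top-level file it is ''
    return _normalized_escapes(posixpath.dirname(name), target)


def symlink_escapes_root_buggy(name, target):
    """Simplified model of the pre-patch behaviour: the directory is taken
    from the basename alone (dirname($_)), so it is always empty and every
    link that climbs past its own directory looks like an escape."""
    if target.startswith("/"):
        return True
    dirname = posixpath.dirname(posixpath.basename(name))  # always ''
    return _normalized_escapes(dirname, target)


# Constructed cases modelled on the report: a link two levels deep that
# points at ../../ stays inside the source package and must not be flagged.
CASES = [
    ("doc/html/link", "../../README", False),   # false positive before fix
    ("doc/link", "../../README", True),         # genuinely escapes
    ("link", "../README", True),                # top-level link escaping
    ("doc/html/link", "../README", False),      # lands in doc/README
    ("a/b/link", "../../../../etc/passwd", True),
    ("a/link", "/etc/passwd", True),            # absolute target
]


def run_cases():
    """Return the list of cases where the corrected check disagrees with
    the expected result; empty means every case is classified correctly."""
    return [(n, t) for n, t, want in CASES if symlink_escapes_root(n, t) != want]
```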