This bug is due to the file_in() function using os.path.realpath() rather than normpath() to normalise the directory path it tests against.
normpath() resolves '.' and '..' path components without looking at the filesystem. realpath() also resolves symbolic links. We shouldn't resolve symbolic links in the filename because they're useful - and used in the case of /etc/asciidoc/javascripts. Resolving symbolic links before the check doesn't provide any safety against symbolic link attacks, because the result is not cached. The fix is trivial; NMU-diff follows. Ben. diff -u asciidoc-8.2.6/debian/changelog asciidoc-8.2.6/debian/changelog --- asciidoc-8.2.6/debian/changelog +++ asciidoc-8.2.6/debian/changelog @@ -1,3 +1,10 @@ +asciidoc (8.2.6-1.1) unstable; urgency=low + + * Non-maintainer upload + * Fixed normalisation of paths for include safety check (Closes: #487962) + + -- Ben Hutchings <[EMAIL PROTECTED]> Sat, 28 Jun 2008 17:00:52 +0100 + asciidoc (8.2.6-1) unstable; urgency=low * New upstream release (Closes: #478494) only in patch2: unchanged: --- asciidoc-8.2.6.orig/debian/patches/normpath-not-realpath.patch +++ asciidoc-8.2.6/debian/patches/normpath-not-realpath.patch @@ -0,0 +1,11 @@ +--- a/asciidoc.py ++++ b/asciidoc.py +@@ -125,7 +125,7 @@ + else: + assert os.path.isdir(directory) + directory = os.path.abspath(directory) +- fname = os.path.realpath(fname) ++ fname = os.path.normpath(fname) + return os.path.commonprefix((directory, fname)) == directory + + def safe(): --- END --- -- Ben Hutchings Life would be so much easier if we could look at the source code.
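Review bot: in the asciidoc.py hunk, `fname = os.path.normpath(fname)` no longer makes fname absolute, while `directory` two lines above is still passed through os.path.abspath(). realpath() did that conversion implicitly, so unless every caller already passes an absolute path, a relative fname now never shares a prefix with directory and is always rejected. Suggest `fname = os.path.abspath(fname)`, which normalises '.' and '..' without resolving symbolic links. Separately, the unchanged context line `return os.path.commonprefix((directory, fname)) == directory` compares characters rather than path components, so a file in a sibling directory whose name merely begins with the directory's name passes the check; comparing against directory plus a trailing separator would close that.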
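The difference between the two normalisations described in the message, as an added example that is not part of the original message or of asciidoc. `file_in` is re-created here from the lines visible in the patch, with a hypothetical `normalise` parameter, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile


def file_in(fname, directory, normalise):
    """Containment test as in the patch hunk; `normalise` is a hypothetical
    parameter added so both variants can be compared side by side."""
    directory = os.path.abspath(directory)
    fname = normalise(fname)
    # Same comparison as the hunk's unchanged context line.
    return os.path.commonprefix((directory, fname)) == directory


def demo():
    """Build a constructed tree with a symlinked subdirectory and run both checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Canonicalise the temp root so the only symlink involved is ours.
        root = os.path.realpath(tmp)
        conf = os.path.join(root, "etc", "asciidoc")
        share = os.path.join(root, "usr", "share", "asciidoc", "javascripts")
        os.makedirs(conf)
        os.makedirs(share)
        with open(os.path.join(share, "toc.js"), "w") as fh:
            fh.write("// constructed sample file\n")
        # The configuration directory reaches its scripts through a symlink.
        os.symlink(share, os.path.join(conf, "javascripts"))

        via_link = os.path.join(conf, "javascripts", "toc.js")
        dotdot = os.path.join(conf, "..", "passwd")

        # realpath() follows the link, so the legitimate file appears to be outside.
        results["symlink_realpath"] = file_in(via_link, conf, os.path.realpath)
        # normpath() is purely lexical, so the file stays inside the directory.
        results["symlink_normpath"] = file_in(via_link, conf, os.path.normpath)
        # Both variants collapse '..' and reject the path that climbs out.
        results["dotdot_realpath"] = file_in(dotdot, conf, os.path.realpath)
        results["dotdot_normpath"] = file_in(dotdot, conf, os.path.normpath)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```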