diff -Nru devscripts-2.11.3ubuntu1/debian/changelog devscripts-2.11.4ubuntu1/debian/changelog
--- devscripts-2.11.3ubuntu1/debian/changelog 2012-01-24 18:54:54.000000000 +0000
+++ devscripts-2.11.4ubuntu1/debian/changelog 2012-02-16 02:15:49.000000000 +0000
@@ -1,3 +1,75 @@ +devscripts (2.11.4ubuntu1) precise; urgency=low + + * Merge from Debian unstable (LP: #933148), remaining changes: + - Demote Recommends to Suggests: + + libcrypt-ssleay-perl: only needed for a corner case (uscan on SSL + download sites), wasn't installed by default in previous releases + either, and seems quite dead upstream; universe only. + + debian-keyring: not useful enough in Ubuntu; universe only. + + equivs: too much of a hack to install by default; universe only. + + libsoap-lite-perl: only needed for one less common command ("select") + for bts, which isn't useful for Ubuntu itself, and pulls in a lot of + other universe Perl libraries; universe only. + - scripts/debchange.{pl,1}: + + Adjust --security template for Ubuntu. + + Add -U/--upstream flag that forces original "just increment + the end" behaviour; Ubuntu is upstream for some pieces of software. + + Add --distributor= and DEBCHANGE_DISTRIBUTOR to override lsb_release + output. + + Default to "precise" as distribution. + + Add "ubuntu1" to version string for new versions, with tweaks for + special cases. + + Add -R/--rebuild flag for Ubuntu's no-change rebuilds. + + Don't use the last distribution in debian/changelog when doing + "dch -r" on Ubuntu. "Just because it was last uploaded to jaunty + doesn't mean that's the right thing to do now." + - Add test/debchange.pl, test/Makefile: debchange test suite. + - Rename XS-Vcs-* to XS-Debian-Vcs-*. + + -- Tyler Hicks Wed, 15 Feb 2012 16:40:33 -0600 + +devscripts (2.11.4) unstable; urgency=high + + * Urgency "high" for security fixes. + + [ James McCoy ] + * bts: Revert usertags' handling of more than one +/-/=. Only the first one + is relevant. + + [ Ryan Niebur ] + * dget: when finding the sources.list entry for the repository to + download a package from, match any port with the correct hostname + because apt-cache policy does not output port numbers in URLs + (Closes: #601951) + + [ Adam D. 
Barratt ] + * debdiff: + + Fix a regression in the handling of embedded tarballs (a side + effect of the changes introduced to resolve #571528). + + Extend the changes from #571528 to cover more situations where + user or file input is passed to an external program. Fixes + CVE-2012-2012 (and any instance of CVE-2012-2011 not already + covered by #571528). + + [ Paul Wise ] + * suspicious-source: Also ignore mercurial and darcs VCS directories + (Closes: #659966). + + [ Benjamin Drung ] + * suspicious-source: Add inode/x-empty to whitelist of MIME types + (Closes: #659946). + + [ Raphael Geissert ] + * debdiff: + + Remove undocumented feature treating extensionless files as if + they were packages (Closes: #659559) + + Add missing chdir for dpkg-source and remove extraneous quoting + of --exclude parameters. + + Fix CVE-2012-0210 (insufficient input sanitising reading .dsc + and .changes files). + + -- Adam D. Barratt Wed, 15 Feb 2012 19:19:31 +0000 + devscripts (2.11.3ubuntu1) precise; urgency=low * Merge from Debian testing, remaining changes: diff -Nru devscripts-2.11.3ubuntu1/scripts/bts.pl devscripts-2.11.4ubuntu1/scripts/bts.pl --- devscripts-2.11.3ubuntu1/scripts/bts.pl 2012-01-24 18:48:39.000000000 +0000 +++ devscripts-2.11.4ubuntu1/scripts/bts.pl 2012-02-12 11:00:33.000000000 +0000 
@@ -1671,49 +1671,24 @@ die "bts usertags: set what user tag?\n"; } # Parse the rest of the command line. - my $base_command="usertags $bug"; - my $commands = []; - - my $curop; - foreach my $tag (@_) { - if ($tag =~ s/^([-+=])//) { - my $op = $1; - if ($op eq '=') { - $curop = '='; - $commands = []; - } - elsif (!$curop || $curop ne $op) { - $curop = $op; - } - next unless $tag; - } - if (!$curop) { - $curop = '+'; - } - if (!@$commands || $curop ne $commands->[-1]{op}) { - push(@$commands, { op => $curop, tags => [] }); - } - if ($tag !~ m/^[-[:alnum:]@.+]+$/i) { - die "bts usertag: \"$tag\" contains characters other than " . - "alpha-numerics, '\@', '.', '+', and '-'.\n"; - } - push(@{$commands->[-1]{tags}}, $tag); + my $command="usertags $bug"; + my $flag=""; + if ($_[0] =~ /^[-+=]$/) { + $flag = $_[0]; + $command .= " $flag"; + shift; + } elsif ($_[0] =~ s/^([-+=])//) { + $flag = $1; + $command .= " $flag"; } - my $command = ''; - foreach my $cmd (@$commands) { - if ($cmd->{op} ne '=' && !@{$cmd->{tags}}) { - die "bts usertags: set what tag?\n"; - } - $command .= " $cmd->{op} " . join(' ', @{$cmd->{tags}}); - } - if (!$command && $curop eq '=') { - $command = " $curop"; + if (! @_) { + die "bts usertags: set what user tag?\n"; } - if ($command) { - mailbts("usertagging $bug", $base_command . $command); - } + $command .= sprintf(' %s', join(' ', @_)); + + mailbts("usertagging $bug", $command); } =item B I [I] diff -Nru devscripts-2.11.3ubuntu1/scripts/debdiff.pl devscripts-2.11.4ubuntu1/scripts/debdiff.pl --- devscripts-2.11.3ubuntu1/scripts/debdiff.pl 2012-01-24 18:48:39.000000000 +0000 +++ devscripts-2.11.4ubuntu1/scripts/debdiff.pl 2012-02-15 19:05:22.000000000 +0000 @@ -21,6 +21,7 @@ use Dpkg::Compression; use File::Copy qw(cp move); use File::Basename; +use File::Path qw/ rmtree /; use File::Temp qw/ tempdir tempfile /; use lib '/usr/share/devscripts'; use Devscripts::Versort; 
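Review bot: The reverted version no longer validates the individual tags: the removed loop rejected anything outside `m/^[-[:alnum:]@.+]+$/i`, but the new code appends `join(' ', @_)` to the control command verbatim, so an argument containing whitespace or a newline would travel into the mailed command unchanged (assuming mailbts sends the string as-is, which this hunk does not show). Keeping the per-tag check preserves the revert's intent of honouring only the first +/-/= while still bounding what reaches the BTS: insert `m/^[-[:alnum:]\@.+]+$/i or die "bts usertag: \"$_\" contains characters other than alpha-numerics, '\@', '.', '+', and '-'.\n" for @_;` before the `sprintf` line. Separately, `$_[0] =~ s/^([-+=])//` edits the caller's variable through the `@_` alias; a `my @tags = @_;` copy at the top would avoid that. The usertags subroutine starts before this hunk.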
@@ -321,14 +322,11 @@ elsif ($ARGV[0] =~ /\.udeb$/) { $type = 'deb'; } elsif ($ARGV[0] =~ /\.changes$/) { $type = 'changes'; } elsif ($ARGV[0] =~ /\.dsc$/) { $type = 'dsc'; } - elsif (`file $ARGV[0]` =~ /Debian/) { $type = 'deb'; } else { fatal "Could not recognise files; the names should end .deb, .udeb, .changes or .dsc"; } - if ($ARGV[1] !~ /\.$type$/) { - unless ($type eq 'deb' and `file $ARGV[0]` =~ /Debian/) { - fatal "The two filenames must have the same suffix, either .deb, .udeb, .changes or .dsc"; - } + if ($ARGV[1] !~ /\.$type$/ && ($type ne 'deb' || $ARGV[1] !~ /\.udeb$/)) { + fatal "The two filenames must have the same suffix, either .deb, .udeb, .changes or .dsc"; } } @@ -344,10 +342,27 @@ no strict 'refs'; foreach my $i (1,2) { my $deb = shift; - my $debc = `env LC_ALL=C dpkg-deb -c $deb`; - $? == 0 or fatal "dpkg-deb -c $deb failed!"; - my $debI = `env LC_ALL=C dpkg-deb -I $deb`; - $? == 0 or fatal "dpkg-deb -I $deb failed!"; + my ($debc, $debI) = ('', ''); + my %dpkg_env = ( LC_ALL => 'C' ); + eval { + spawn(exec => ['dpkg-deb', '-c', $deb], + env => \%dpkg_env, + to_string => \$debc, + wait_child => 1); + }; + if ($@) { + fatal "dpkg-deb -c $deb failed!"; + } + + eval { + spawn(exec => ['dpkg-deb', '-I', $deb], + env => \%dpkg_env, + to_string => \$debI, + wait_child => 1); + }; + if ($@) { + fatal "dpkg-deb -I $deb failed!"; + } # Store the name for later $singledeb[$i] = $deb; # get package name itself @@ -384,7 +399,12 @@ last if $infiles and /^[^ ]/; /^Files:/ and $infiles=1, next; next unless $infiles; - / (\S*.u?deb)$/ and push @debs, dirname($changes) . '/' . $1; + if (/ (\S*.u?deb)$/) { + my $file = $1; + $file !~ m,[/\x00], + or fatal "File name contains invalid characters: $file"; + push @debs, dirname($changes) . '/' . $file; + } } close CHANGES or fatal "Problem reading $changes: $!"; 
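Review bot: Both eval/spawn pairs for `dpkg-deb -c` and `dpkg-deb -I` discard the exception text — `fatal "dpkg-deb -c $deb failed!"` loses the "gave error exit status N" reason that spawn's wait_child leaves in `$@` — and the same dozen lines are repeated for the .changes path further down this patch. A small helper keeps the list-form spawn (no shell, which is the point of the change), reports the real cause, and gives both call sites one place to maintain. The enclosing foreach and its function continue outside the hunk.
```perl
# Run `dpkg-deb $flag $deb` under LC_ALL=C and return its stdout.
# List-form spawn: the file name never reaches a shell.
sub dpkg_deb_output {
    my ($flag, $deb) = @_;
    my $out = '';
    eval {
        spawn(exec => ['dpkg-deb', $flag, $deb],
              env => { LC_ALL => 'C' },
              to_string => \$out,
              wait_child => 1);
    };
    fatal "dpkg-deb $flag $deb failed: $@" if $@;
    return $out;
}
# … at the call site, replacing both eval blocks:
my $debc = dpkg_deb_output('-c', $deb);
my $debI = dpkg_deb_output('-I', $deb);
```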
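Review bot: In the added `if (/ (\S*.u?deb)$/)` the `.` before `u?deb` is unescaped, so the capture accepts any character in that position (e.g. `foo_deb`), wider than the `.deb`/`.udeb` names a Files: stanza should list; `if (/ (\S*\.u?deb)$/) {` pins it down. The new `m,[/\x00],` rejection is the right guard for the path built from `dirname($changes)`, and since `\S*` already excludes whitespace, that check plus the suffix forms a reasonable whitelist. The surrounding while-loop over CHANGES starts before this hunk.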
@@ -398,10 +418,26 @@ foreach my $deb (@debs) { no strict 'refs'; fatal "Can't read file: $deb" unless -r $deb; - my $debc = `env LC_ALL=C dpkg-deb -c $deb`; - $? == 0 or fatal "dpkg-deb -c $deb failed!"; - my $debI = `env LC_ALL=C dpkg-deb -I $deb`; - $? == 0 or fatal "dpkg-deb -I $deb failed!"; + my ($debc, $debI) = ('', ''); + my %dpkg_env = ( LC_ALL => 'C' ); + eval { + spawn(exec => ['dpkg-deb', '-c', $deb], + to_string => \$debc, + env => \%dpkg_env, + wait_child => 1); + }; + if ($@) { + fatal "dpkg-deb -c $deb failed!"; + } + eval { + spawn(exec => ['dpkg-deb', '-I', $deb], + to_string => \$debI, + env => \%dpkg_env, + wait_child => 1); + }; + if ($@) { + fatal "dpkg-deb -I $deb failed!"; + } my $debpath = $deb; # get package name itself $deb =~ s,.*/,,; $deb =~ s/_.*//; @@ -459,6 +495,8 @@ # This had better match if (/^\s+[0-9a-f]{32}\s+\d+\s+(\S+)$/) { my $file = $1; + $file !~ m,[/\x00], + or fatal "File name contains invalid characters: $file"; if ($file =~ /\.diff\.gz$/) { $diffs[$i] = cwd() . '/' . $file; } @@ -514,7 +552,8 @@ . " " . basename($diffs[2]) . "\n\n"; $header =~ s/\.diff\.gz//g; print $header; - system('diffstat', $filename); + spawn(exec => ['diffstat', $filename], + wait_child => 1); print "\n"; } @@ -558,6 +597,7 @@ cp $dscs[$i], $diri || fatal "copy $dscs[$i] $diri: $!"; spawn(exec => ['dpkg-source', @opts, $dscx], to_file => '/dev/null', + chdir => $diri, wait_child => 1); } opendir DIR,$diri; @@ -586,7 +626,7 @@ chdir => "$diri/$sdiri", nocheck => 1); if (-d "$diri/$sdiri/$filename") { - move "$diri/$sdiri/$filename", $unpacked; + move "$diri/$sdiri/$filename", "$diri/$sdiri/$unpacked"; } } } @@ -595,7 +635,7 @@ my @command = ("diff", "-Nru", @diff_opts); for my $exclude (@excludes) { - push @command, ("--exclude", "'$exclude'"); + push @command, ("--exclude", $exclude); } push @command, ("$dir1/$sdir1", "$dir2/$sdir2"); 
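Review bot: This is the second place the patch adds `$file !~ m,[/\x00], or fatal "File name contains invalid characters: $file";` (the .changes reader has the identical line), so a shared helper such as `sub check_file_name { my $f = shift; $f !~ m,[/\x00], or fatal "File name contains invalid characters: $f"; return $f; }` would keep the two whitelists from drifting apart. The check is appropriate here because `$file` feeds `cwd() . '/' . $file` and, from there, external commands. The enclosing loop starts before this hunk.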
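Review bot: `spawn(exec => ['diffstat', $filename], wait_child => 1)` changes the failure semantics: the old `system('diffstat', $filename)` ignored a non-zero exit, whereas spawn with `wait_child => 1` dies on one (the wdiff hunk later in this patch matches exactly that "gave error exit status" message), so a diffstat problem now aborts debdiff after the header has already been printed. If the previous best-effort behaviour is intended, pass `nocheck => 1` as this file already does for the dpkg-source call, or wrap it as `eval { spawn(exec => ['diffstat', $filename], wait_child => 1) }; warn "diffstat failed: $@" if $@;`. The same consideration applies to the second diffstat call later in the file.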
@@ -605,7 +645,8 @@ if ($have_diffstat and $show_diffstat) { print "diffstat for $sdir1 $sdir2\n\n"; - system("diffstat $filename"); + spawn(exec => ['diffstat', $filename], + wait_child => 1); print "\n"; } @@ -641,7 +682,7 @@ print "\n"; # Clean up - system ("rm", "-rf", $wdiffdir1, $wdiffdir2); + rmtree([$wdiffdir1, $wdiffdir2]); } if (! -f $filename) { @@ -854,9 +895,15 @@ mktmpdirs(); for my $i (1,2) { - if (system('dpkg-deb', '-e', "${\"DebPaths$i\"}{$debname}", ${"dir$i"})) { + my $debpath = "${\"DebPaths$i\"}{$debname}"; + my $diri = ${"dir$i"}; + eval { + spawn(exec => ['dpkg-deb', '-e', $debpath, $diri], + wait_child => 1); + }; + if ($@) { my $msg = "dpkg-deb -e ${\"DebPaths$i\"}{$debname} failed!"; - system ("rm", "-rf", $dir1, $dir2); + rmtree([$dir1, $dir2]); fatal $msg; } } @@ -866,7 +913,7 @@ $exit_status); # Clean up - system ("rm", "-rf", $dir1, $dir2); + rmtree([$dir1, $dir2]); } exit $exit_status; 
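Review bot: The failure path still re-derives the path with `"dpkg-deb -e ${\"DebPaths$i\"}{$debname} failed!"` although the hunk just introduced `$debpath` for the same value, and it drops the reason spawn's wait_child stored in `$@`; `my $msg = "dpkg-deb -e $debpath failed: $@";` fixes both. `rmtree([$dir1, $dir2])` before `fatal` is fine provided both directories are already set when the first extraction fails, which the `mktmpdirs()` call suggests but the hunk does not show. The enclosing for-loop's function starts before this hunk.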
@@ -965,31 +1012,37 @@ close $fd; } } - my $wdiff = `wdiff -n $wdiff_opt $dir1/$cf $dir2/$cf`; my $usepkgname = $debname eq $dummyname ? "" : " of package $debname"; - if ($? >> 8 == 0) { - if (! $quiet) { - print "\nNo differences were encountered between the $cf files$usepkgname\n"; - } - } elsif ($? >> 8 == 1) { - print "\n"; - if ($wdiff_opt) { + my @opts = ('-n'); + push @opts, $wdiff_opt if $wdiff_opt; + my $wdiff = ''; + eval { + spawn(exec => ['wdiff', @opts, "$dir1/$cf", "$dir2/$cf"], + to_string => \$wdiff, + wait_child => 1); + }; + if ($@ and $@ !~ /gave error exit status 1/) { + print "$@\n"; + warn "wdiff failed\n"; + } else { + if (!$@) { + if (! $quiet) { + print "\nNo differences were encountered between the $cf files$usepkgname\n"; + } + } elsif ($wdiff_opt) { # Don't try messing with control codes my $msg = ucfirst($cf) . " files$usepkgname: wdiff output"; - print $msg, "\n", '-' x length $msg, "\n"; + print "\n", $msg, "\n", '-' x length $msg, "\n"; print $wdiff; } else { my @output; @output = split /\n/, $wdiff; @output = grep /(\[-|\{\+)/, @output; my $msg = ucfirst($cf) . " files$usepkgname: lines which differ (wdiff format)"; - print $msg, "\n", '-' x length $msg, "\n"; + print "\n", $msg, "\n", '-' x length $msg, "\n"; print join("\n",@output), "\n"; } $status = 1; - } else { - warn "wdiff failed (exit status " . ($? >> 8) . - (($? & 0x7f) ? " with signal " . ($? & 0x7f) : "") . ")\n"; } } diff -Nru devscripts-2.11.3ubuntu1/scripts/dget.pl devscripts-2.11.4ubuntu1/scripts/dget.pl --- devscripts-2.11.3ubuntu1/scripts/dget.pl 2012-01-24 18:48:39.000000000 +0000 +++ devscripts-2.11.4ubuntu1/scripts/dget.pl 2012-02-12 20:51:24.000000000 +0000 
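Review bot: `$status = 1;` is now executed for every wdiff run that did not raise, including the `!$@` branch that prints "No differences were encountered", because the restructured else-block leaves the old `$status = 1;` context line after the inner if/elsif/else instead of inside the differences-found branches; in the old code it ran only for exit status 1. `$status = 1 if $@;` restores the previous behaviour (assuming `$status` is what debdiff later reports as its exit status, which this hunk does not show). Also, `/gave error exit status 1/` has no trailing anchor, so exit statuses 10–19 would be treated as "differences found"; `/gave error exit status 1\b/` is tighter. The enclosing function starts before this hunk.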
@@ -319,7 +319,8 @@ # find deb lines matching the hosts in the policy output my @repositories; - my $host_re = '(?:' . (join '|', map { quotemeta; } @hosts) . ')'; + # the regexp within the map below can be removed and replaced with only the quotemeta statement once bug #154868 is fixed + my $host_re = '(?:' . (join '|', map { my $host = quotemeta; $host =~ s/(?<=\\:\\\/\\\/)([^\\:]+)(?=\\\/)/$1(?::[0-9]+\)?/g; $host; } @hosts) . ')'; if (-f "/etc/apt/sources.list") { $apt = new IO::File("/etc/apt/sources.list") or die "/etc/apt/sources.list: $!"; while (<$apt>) { diff -Nru devscripts-2.11.3ubuntu1/scripts/suspicious-source devscripts-2.11.4ubuntu1/scripts/suspicious-source --- devscripts-2.11.3ubuntu1/scripts/suspicious-source 2012-01-24 18:46:58.000000000 +0000 +++ devscripts-2.11.4ubuntu1/scripts/suspicious-source 2012-02-15 18:55:41.000000000 +0000 @@ -47,6 +47,7 @@ "image/x-ico", "image/x-ms-bmp", "image/x-portable-pixmap", + "inode/x-empty", "message/rfc822", "text/html", "text/plain", @@ -107,7 +108,7 @@ print "%s (%s)" % (os.path.join(root, f), mimetype) else: print os.path.join(root, f) - for vcs_dir in (".bzr", "CVS", ".git", ".svn"): + for vcs_dir in (".bzr", "CVS", ".git", ".svn", ".hg", "_darcs"): if vcs_dir in dirs: dirs.remove(vcs_dir)
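Review bot: The substitution meant to add the optional port appears never to match a dotted hostname: `quotemeta` turns `ftp.debian.org` into `ftp\.debian\.org`, `[^\\:]+` stops at the first backslash, and the lookahead `(?=\\\/)` then needs `\/` where `\.` sits, so `$host_re` is left unchanged and `http://ftp.debian.org:8080/...` still fails to match (only hostnames without dots or dashes get the `(?::[0-9]+)?` alternative). Allowing escaped characters inside the host part fixes it, e.g. `$host =~ s/(?<=\\:\\\/\\\/)((?:\\[^:]|[^\\:])+?)(?=\\\/)/$1(?::[0-9]+)?/g;`. A quick test with a dotted host and an explicit port is worth adding before relying on this for #601951.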