[Git][reproducible-builds/diffoscope][master] 2 commits: Add a remark re. potential security issue in the .changes, .dsc, .buildinfo comparator.
Chris Lamb
gitlab at salsa.debian.org
Fri Jun 19 10:30:25 UTC 2020
Chris Lamb pushed to branch master at Reproducible Builds / diffoscope
Commits:
3b1a9baa by Chris Lamb at 2020-06-13T15:03:36+01:00
Add a remark re. potential security issue in the .changes, .dsc, .buildinfo comparator.
- - - - -
c4c1a460 by Daniel Fullmer at 2020-06-19T11:29:50+01:00
Fix CBFS comparator with our_check_output()
The cbfs tests were broken by fe446ea2eda5f9649b829985f9fd01b151b81fe5
They would fail with:
TypeError: a bytes-like object is required, not 'str'
Additionally, our_check_output() can't accept a stdout= argument since
subprocess.check_output doesn't accept this argument.
- - - - -
2 changed files:
- diffoscope/comparators/cbfs.py
- diffoscope/comparators/debian.py
Changes:
=====================================
diffoscope/comparators/cbfs.py
=====================================
@@ -54,7 +54,7 @@ class CbfsContainer(Archive):
@tool_required("cbfstool")
def entries(self, path):
cmd = ["cbfstool", path, "print"]
- output = our_check_output(cmd)
+ output = our_check_output(cmd).decode("utf-8")
header = True
for line in output.rstrip("\n").split("\n"):
if header:
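Review bot: the new `.decode("utf-8")` on the `our_check_output(cmd)` line uses strict decoding, so any non-UTF-8 byte in `cbfstool print` output (for example a non-ASCII filename embedded in the CBFS image) raises `UnicodeDecodeError` and aborts the whole comparison instead of producing a diff. Consider `.decode("utf-8", errors="replace")` here, or catching the exception and logging which image could not be listed, so that a malformed or hostile firmware image degrades to a partial result rather than a crash.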
@@ -88,9 +88,7 @@ class CbfsContainer(Archive):
dest_path,
]
logger.debug("cbfstool extract %s to %s", member_name, dest_path)
- our_check_output(
- cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL
- )
+ our_check_output(cmd, stderr=subprocess.DEVNULL)
return dest_path
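Review bot: dropping `stdout=subprocess.PIPE` is the right fix, since `subprocess.check_output` already captures stdout and raises `ValueError` when a `stdout=` argument is passed, but `stderr=subprocess.DEVNULL` on the `our_check_output(cmd, stderr=subprocess.DEVNULL)` line now discards the only diagnostic `cbfstool extract` produces when it fails. A non-zero exit still raises `CalledProcessError`, yet the reason is lost; consider capturing stderr (`stderr=subprocess.PIPE`) and emitting it via `logger.debug` so extraction failures on unusual images can be diagnosed.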
=====================================
diffoscope/comparators/debian.py
=====================================
@@ -101,6 +101,8 @@ class DebControlContainer(Container):
(x["name"] for x in field),
key=lambda x: (x.endswith(".deb") and "-dbgsym_" in x, x),
):
+ # The referenced files are supplied by the user, but the Deb822
+ # parser rejects malicious imput such as "../../etc/shadow" etc.
if not os.path.exists(os.path.join(parent_dir, name)):
logger.debug(
"Could not find file %s referenced in %s",
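Review bot: the added comment spells "input" as "imput", and more importantly it documents a security property that this code does not itself enforce: `os.path.join(parent_dir, name)` is evaluated on a user-controlled `name`, and the hunk relies entirely on the upstream Deb822 parser rejecting values such as `../../etc/shadow`. Rather than trusting that behaviour across parser versions, consider an explicit containment check before the `os.path.exists` call, for example verifying that `os.path.realpath(os.path.join(parent_dir, name))` lies within `os.path.realpath(parent_dir)` and logging and skipping the entry otherwise; the comment could then state the check that is actually made rather than an assumption about another component.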
View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/compare/354e726fcba8760554dd639a296c0831a0dca737...c4c1a46027fe377e4ace33bc1b85ccadf2cfffd4