summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--apt-pkg/contrib/fileutl.cc4
-rw-r--r--debian/changelog4
2 files changed, 7 insertions, 1 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 2b7e25080..a5976cf3a 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -138,7 +138,9 @@ bool CopyFile(FileFd &From,FileFd &To)
close at some time. */
int GetLock(string File,bool Errors)
{
- int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+ // GetLock() is used in aptitude on directories with public-write access
+ // Use O_NOFOLLOW here to prevent symlink traversal attacks
+ int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
if (FD < 0)
{
// Read only .. cant have locking problems there.
diff --git a/debian/changelog b/debian/changelog
index 3f08fda43..20f9c6a9f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,10 @@ apt (0.7.14) UNRELEASED; urgency=low
* Brazilian Portuguese updated. Closes: #480561
* Hungarian updated. Closes: #480662
+ [ Otavio Salvador ]
+ * Apply patch to avoid truncating of arbitrary files. Thanks to Bryan
+ Donlan <bdonlan@fushizen.net> for the patch. Closes: #482476
+
-- Christian Perrier <bubulle@debian.org> Sun, 04 May 2008 08:31:06 +0200
apt (0.7.13) unstable; urgency=low