-rw-r--r-- | apt-pkg/contrib/fileutl.cc | 4 | ||||
-rw-r--r-- | debian/changelog | 4 |
2 files changed, 7 insertions, 1 deletions
diff --git a/apt-pkg/contrib/fileutl.cc b/apt-pkg/contrib/fileutl.cc
index 2b7e25080..a5976cf3a 100644
--- a/apt-pkg/contrib/fileutl.cc
+++ b/apt-pkg/contrib/fileutl.cc
@@ -138,7 +138,9 @@ bool CopyFile(FileFd &From,FileFd &To)
    close at some time. */
 int GetLock(string File,bool Errors)
 {
-   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_TRUNC,0640);
+   // GetLock() is used in aptitude on directories with public-write access
+   // Use O_NOFOLLOW here to prevent symlink traversal attacks
+   int FD = open(File.c_str(),O_RDWR | O_CREAT | O_NOFOLLOW,0640);
    if (FD < 0)
    {
       // Read only .. cant have locking problems there.
diff --git a/debian/changelog b/debian/changelog
index 3f08fda43..20f9c6a9f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,10 @@ apt (0.7.14) UNRELEASED; urgency=low
   * Brazilian Portuguese updated. Closes: #480561
   * Hungarian updated. Closes: #480662
 
+  [ Otavio Salvador ]
+  * Apply patch to avoid truncating of arbitrary files. Thanks to Bryan
+    Donlan <bdonlan@fushizen.net> for the patch. Closes: #482476
+
  -- Christian Perrier <bubulle@debian.org>  Sun, 04 May 2008 08:31:06 +0200
 
 apt (0.7.13) unstable; urgency=low
|
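Review bot: The added comment explains O_NOFOLLOW but says nothing about the silent removal of O_TRUNC from the same open() call, and that removal is the part that actually stops an existing file from being truncated: O_NOFOLLOW only rejects a symlink at the final path component and gives no protection when the lock path has been replaced by a hard link to another file, so the two flags are addressing two different cases and the comment should say so. I would extend the comment to `// O_TRUNC deliberately omitted: a hard link planted at the lock path must not be truncated; O_NOFOLLOW only rejects a symlink as the final component`. It is also worth checking the error handling that follows, since with O_NOFOLLOW a symlink at the lock path now fails open() with ELOOP, and the "Read only .. cant have locking problems there" branch on the next lines presumably special-cases only read-only filesystems; ELOOP should reach the caller as a hard error rather than be treated as a benign condition, though that branch is outside the hunk so I cannot confirm. GetLock's body continues past the end of the hunk.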