Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: a...@debian.org
Please unblock package xarchiver

[ Reason ]
Fix for Debian bug #990906. Serious data loss if symlinks within archives
point to files which reside outside of the archive and a user double-clicks
on the symlink.

[ Impact ]
Debian bug #990906 would not be fixed for Debian 11.

[ Tests ]
Could no longer reproduce the data loss after applying the patch.

[ Risks ]
None. Non-intrusive and straightforward patch.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock xarchiver/1:0.5.4.17-2
diff -Nru xarchiver-0.5.4.17/debian/changelog xarchiver-0.5.4.17/debian/changelog --- xarchiver-0.5.4.17/debian/changelog 2021-01-26 14:16:53.000000000 +0100 +++ xarchiver-0.5.4.17/debian/changelog 2021-07-13 14:02:25.000000000 +0200 @@ -1,3 +1,11 @@ +xarchiver (1:0.5.4.17-2) unstable; urgency=medium + + * Fix Debian bug #990906. Do not follow symbolic links if the files reside + outside the archive. (Closes: #990906) + Thanks to David Harte for the report and Ingo Brückl for the patch. + + -- Markus Koschany <a...@debian.org> Tue, 13 Jul 2021 14:02:25 +0200 + xarchiver (1:0.5.4.17-1) unstable; urgency=medium * New upstream version 0.5.4.17. diff -Nru xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch --- xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch 1970-01-01 01:00:00.000000000 +0100 +++ xarchiver-0.5.4.17/debian/patches/debian-bug-990906.patch 2021-07-13 14:02:25.000000000 +0200 
@@ -0,0 +1,29 @@ +From 949854e9a74489d8d977aac7a8428ecadd526ff1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ingo=20Br=C3=BCckl?= <i...@wupperonline.de> +Date: Mon, 12 Jul 2021 16:41:35 +0200 +Subject: [PATCH] Never follow symbolic links in xa_collect_files_in_dir() + +When temporarily extracted files with paths are needed without path, +symbolic links must be used as is. It must not be descended into +directories that are symbolic links, because they could reside outside +the archive. + +This fixes Debian bug #990906. +--- + src/string_utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/string_utils.c b/src/string_utils.c +index 5881be12..a3aa49a5 100644 +--- a/src/string_utils.c ++++ b/src/string_utils.c +@@ -408,7 +408,8 @@ GString *xa_collect_files_in_dir (const gchar *directory) + file = stack->data; + stack = g_slist_delete_link(stack, stack); + +- if (g_file_test(file, G_FILE_TEST_IS_DIR)) ++ if (g_file_test(file, G_FILE_TEST_IS_DIR) && ++ !g_file_test(file, G_FILE_TEST_IS_SYMLINK)) + { + GDir *dir; + const gchar *name; diff -Nru xarchiver-0.5.4.17/debian/patches/series xarchiver-0.5.4.17/debian/patches/series --- xarchiver-0.5.4.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ xarchiver-0.5.4.17/debian/patches/series 2021-07-13 14:02:25.000000000 +0200 @@ -0,0 +1 @@ +debian-bug-990906.patch
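Review bot: the debian/changelog entry "Do not follow symbolic links if the files reside outside the archive" describes a conditional that the patch does not implement; the new check in xa_collect_files_in_dir() refuses to descend into any directory that is a symbolic link, wherever it points, so the entry should say so (the patch subject, "Never follow symbolic links in xa_collect_files_in_dir()", is the accurate wording). Since the reported effect is destruction of files outside the archive, naming that in the entry would also help stable users judge the urgency of the update.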
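Review bot: in the src/string_utils.c hunk the decision "descend into this entry" is assembled from two separate g_file_test() calls, G_FILE_TEST_IS_DIR (which resolves the link with stat()) and G_FILE_TEST_IS_SYMLINK (which uses lstat()), so the two answers come from two snapshots of the filesystem and an entry replaced between the calls is classified inconsistently; a single lstat() on `file` followed by S_ISDIR(st.st_mode) answers both questions in one step and is the usual idiom for "only recurse into real directories". The commit message also states that symlinks "must be used as is", which means the fix relies on every consumer of the returned GString operating on the link entry itself rather than opening or overwriting its target; a short comment at the call sites (or a test with a symlink to an outside file, not only an outside directory) would make that assumption explicit.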
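To make the bug class concrete, below is an added example (not xarchiver code and not part of the debdiff) that builds the layout from the report in a throwaway mkdtemp() directory: a temporary extraction directory containing one regular file and one symlink pointing to a directory outside it. The same walk is run twice, once with a stat()-based directory test that follows the link (the pre-patch behaviour) and once with a single lstat() per entry, which both refuses to descend into symlinked directories and records the link itself as an entry. The fixture paths, the `walk_stats` struct and the function names are constructed for this example; the /tmp location is an assumption.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* What a traversal reached. A `regular` count that includes files outside
 * the start directory is exactly the data-loss condition in the report. */
struct walk_stats {
    int regular;   /* regular files reached */
    int symlinks;  /* symlinks recorded as entries and left as is */
    int dirs;      /* directories descended into */
};

/* Walk `dir`. With follow_symlinks == 1 the directory test uses stat(), so a
 * symlink to a directory is treated as a directory and descended into. With
 * follow_symlinks == 0 the test uses lstat(): one syscall answers "directory?"
 * and "symlink?" from the same snapshot, and links are never followed. */
static int walk(const char *dir, int follow_symlinks, struct walk_stats *st)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        struct stat sb;
        int rc = follow_symlinks ? stat(path, &sb) : lstat(path, &sb);
        if (rc != 0) { closedir(d); return -1; }
        if (S_ISDIR(sb.st_mode)) {
            st->dirs++;
            if (walk(path, follow_symlinks, st) != 0) { closedir(d); return -1; }
        } else if (S_ISLNK(sb.st_mode)) {
            st->symlinks++;   /* only ever reported by lstat() */
        } else if (S_ISREG(sb.st_mode)) {
            st->regular++;
        }
    }
    closedir(d);
    return 0;
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    return close(fd);
}

/* Constructed fixture (not real archive data), built under a fresh mkdtemp():
 *   <tmp>/outside/victim.txt          file that is not part of the archive
 *   <tmp>/extracted/keep.txt          regular file from the archive
 *   <tmp>/extracted/evil -> ../outside   symlinked directory pointing outside
 * Walks <tmp>/extracted both ways, removes the fixture, returns 0 on success. */
int demo_symlink_escape(struct walk_stats *following, struct walk_stats *safe)
{
    char root[] = "/tmp/xa-demo-XXXXXX";
    if (!mkdtemp(root)) return -1;
    char outside[PATH_MAX], victim[PATH_MAX], extracted[PATH_MAX],
         keep[PATH_MAX], evil[PATH_MAX];
    snprintf(outside, sizeof outside, "%s/outside", root);
    snprintf(victim, sizeof victim, "%s/outside/victim.txt", root);
    snprintf(extracted, sizeof extracted, "%s/extracted", root);
    snprintf(keep, sizeof keep, "%s/extracted/keep.txt", root);
    snprintf(evil, sizeof evil, "%s/extracted/evil", root);
    if (mkdir(outside, 0700) || touch(victim) || mkdir(extracted, 0700) ||
        touch(keep) || symlink("../outside", evil))
        return -1;

    memset(following, 0, sizeof *following);
    memset(safe, 0, sizeof *safe);
    int rc = walk(extracted, 1, following);
    if (rc == 0) rc = walk(extracted, 0, safe);

    /* tear the fixture down again */
    unlink(evil); unlink(keep); rmdir(extracted);
    unlink(victim); rmdir(outside); rmdir(root);
    return rc;
}

int main(void)
{
    struct walk_stats following, safe;
    if (demo_symlink_escape(&following, &safe) != 0) { perror("demo"); return 1; }
    printf("stat()-based walk:  %d regular files (victim.txt reached), %d dir followed\n",
           following.regular, following.dirs);
    printf("lstat()-based walk: %d regular file, %d symlink kept as is, %d dirs\n",
           safe.regular, safe.symlinks, safe.dirs);
    return 0;
}
```

The stat()-based pass reaches victim.txt through `evil/` and so would hand a file outside the extraction directory to whatever acts on the collected list; the lstat()-based pass sees one regular file and one symlink and never opens the outside directory. The single lstat() also avoids the two-snapshot problem of testing "is a directory" and "is a symlink" with separate calls.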