Dpkg::Source::Patch: Correctly parse C-style diff filenames
We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking.

Fixes: CVE-2014-0471
Reported-by: Jakub Wilk <jwilk@debian.org>
parent
d4dfad8c
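As an added illustration (my own Python, not the Perl code of Dpkg::Source::Patch that this commit changes), here is how a C-style quoted filename from a `---`/`+++` header is unquoted and unescaped before the path is checked, and why a check run on the raw quoted field does not see what patch would actually write. The escape set and the refuse-on-unknown-escape behaviour are my assumptions, not taken from dpkg.

```python
import re

# Single-character C escapes as written in quoted diff filenames (assumed set).
_SIMPLE_ESCAPES = {
    "\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r",
    "a": "\a", "b": "\b", "f": "\f", "v": "\v",
}

def unquote_c_filename(field: str) -> str:
    """Strip surrounding quotes and decode C-style escapes (\\n, \\t, \\ooo, ...)."""
    if len(field) < 2 or field[0] != '"' or field[-1] != '"':
        return field  # unquoted name: taken literally
    body, out, i = field[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out += body[i].encode("utf-8")
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("dangling backslash in quoted filename")
        octal = re.match(r"[0-7]{1,3}", body[i:])
        if octal:  # \ooo yields one raw byte, e.g. \303\251 is UTF-8 for 'é'
            out.append(int(octal.group(0), 8) & 0xFF)
            i += len(octal.group(0))
        elif body[i] in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[body[i]].encode("utf-8")
            i += 1
        else:  # refuse rather than guess what patch would do (my choice)
            raise ValueError(f"unknown escape \\{body[i]}")
    return out.decode("utf-8", errors="surrogateescape")

def header_filename(line: str) -> str:
    """Decoded path from a '--- ' or '+++ ' unified-diff header line."""
    if not (line.startswith("--- ") or line.startswith("+++ ")):
        raise ValueError("not a diff file header")
    return unquote_c_filename(line[4:].split("\t", 1)[0].rstrip("\n"))

def escapes_tree(path: str) -> bool:
    """True if the path would land outside the unpack directory."""
    return path.startswith("/") or ".." in path.split("/")

def check_mismatch(line: str) -> tuple:
    """(naive check on the raw header field, check on the decoded name)."""
    raw = line[4:].split("\t", 1)[0].rstrip("\n")
    return escapes_tree(raw), escapes_tree(header_filename(line))
```

A check on the raw field sees a first component of `"..` rather than `..`, which is the mismatch between checker and patch that the commit message describes.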