On 2012-12-09 12:43, Bastien ROUCARIES wrote:
> control: tag -1 + patch
>
> I have made a patch.
>

Hi,

Thanks for looking into this.

> [...]
> + my $finfo = $info->file_info ($file) || '';
> + if($finfo =~ m/PostScript Type 1 font program data/) {
> + my $path = $info->unpacked ($file);
> + open t1pipe, "t1disasm $path |" or fail "can't fork: $!";

Please use the "3-arg" open call with a list as cmd. The 2-arg and the lack of list is known to allow "shell-injections" (arbitrary command execution). Consider a file named:

  "usr/share/package/; echo hallo world"

Style-wise I would prefer if the file descriptor was either "my $t1pipe" or T1PIPE

So, something like

  open my $t1pipe, '-|', 't1disasm', $path or fail "...";

> + [...]
> }
>
> # ---------------- non-free .swf files
> diff --git a/checks/files.desc b/checks/files.desc
> index 4ad5ee2..24067d9 100644
> --- a/checks/files.desc
> +++ b/checks/files.desc
> @@ -962,6 +962,15 @@ Info: This package contains a *.ttf, *.otf, or *.pfb
> file, file
> the font should be packaged separately, since fonts are usually useful
> outside of the package that embeds them.
>
> +Tag: font-adobe-copyrighted-fragment
> +Severity: serious
> +Certainty: possible
> +Info: This type 1 font file, include some postscript fragment with a
                              ^

Spurious comma? (Not a native English speaker, so I could be wrong here)

> + non free license of Adobe. In order to check if this tag is genuine you
> + need to dissemble the font file with t1disasm and check if it contains
> + the code fragment found at
> + http://partners.adobe.com/public/developer/opentype/index_ps_code3.html
> +
> Tag: duplicate-font-file
> Severity: normal
> Certainty: possible
> [...]

Do you need help with setting up a test case for this?

~Niels

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
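Review bot: the error text in `open t1pipe, "t1disasm $path |" or fail "can't fork: $!";` names only fork, but the same failure path is taken when t1disasm itself cannot be executed (for instance because it is not installed), so a message such as `fail "cannot run t1disasm on $file: $!"` would point at the actual cause; the visible part of the hunk also never checks the disassembler's exit status, so the elided section should end with something like `close($t1pipe) or fail "t1disasm exited with status " . ($? >> 8);` so that a failed disassembly is not silently treated as "no fragment found".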
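Review bot: in the Info text of the files.desc hunk, "dissemble" should be "disassemble", and "type 1 font" / "postscript" should be "Type 1 font" / "PostScript" to match the spelling of the file_info string matched in the first hunk (`PostScript Type 1 font program data`); "some postscript fragment with a non free license of Adobe" reads better as "a PostScript fragment under a non-free Adobe license".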
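As an added illustration of the two open forms discussed in the reply above (not part of Bastien's patch or Niels's message), the following Perl runs /bin/echo in place of t1disasm so it works without t1utils installed, on a constructed file name that carries shell metacharacters:

```perl
#!/usr/bin/perl
# Added example: the 2-arg pipe open hands the command string to /bin/sh,
# whereas the list-form open passes the file name as a single argv element.
# /bin/echo stands in for t1disasm so the behaviour is visible offline.
use strict;
use warnings;

# Constructed file name in the spirit of "usr/share/package/; echo hallo world".
my $path = 'usr/share/package/font.pfb; echo INJECTED';

# Pattern used in the patch: the string contains metacharacters, so Perl
# runs it through the shell and the text after ';' becomes a second command.
sub capture_shell {
    my ($p) = @_;
    open my $fh, "/bin/echo $p |" or die "cannot fork: $!";
    my @lines = <$fh>;
    close $fh;
    return @lines;    # two lines: the path prefix, then "INJECTED"
}

# Pattern suggested in the reply: '-|' with a list never spawns a shell,
# so the whole name, metacharacters included, is one argument.
sub capture_list {
    my ($p) = @_;
    open my $fh, '-|', '/bin/echo', $p or die "cannot run /bin/echo: $!";
    my @lines = <$fh>;
    # close returns false when the child exits non-zero; $? holds the status.
    close $fh or die "/bin/echo exited with status " . ($? >> 8) . "\n";
    return @lines;    # one line: the literal file name
}

print "2-arg open : ", join('', capture_shell($path));
print "list open  : ", join('', capture_list($path));
```

The same list form with 't1disasm' as the command, plus the close check, is what the Lintian check needs so that a crafted file name cannot run extra commands and a failing disassembler is reported instead of ignored.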