Russ Allbery wrote:
> Raphael Geissert <[EMAIL PROTECTED]> writes:
>
>> Attached are the following two patches in a git-friendly mbox format:
>>
>> lintian_enhanced_possibly-insecure-handling-of-tmp-files-in-maintainer-script.patch:
>> Requires the tmp dir name to have a name, thus reducing the number of
>> false positives and allowing it to check for = /tmp/foo, thus also
>> decreasing the number of false negatives (or at least I hope it does).
>
>> It no longer ignores mkdir as it may also suffer from attacks when the
>> error is ignored, compacts the mktemp/mkstemp checks and ignores the
>> line if $RANDOM is present.
>
> I'm not comfortable with removing mkdir on the grounds that it *might* not
> be error-checked. Nearly all maintainer scripts are error-checked, which
> makes mkdir safe.

Maybe I should write a check that makes sure sh is called with -e or 'set -e'
is used at some point during the script's execution. An example where the main
problematic line is ignored because of the mkdir exception is #496462.

> This otherwise looks okay, though, so I'll apply it without that change.
>
>> lintian_maintainer-also-in-uploaders.patch:
>> Added to detect situations where the person in the Maintainer field is
>> also in Uploaders.
>
> Thanks, applied with some changes to the long tag description and the
> addition of the Severity/Certainty tags.

Never heard about some good reason to duplicate the information (as what I
understood from the new description) but fine :)

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
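An added example, not lintian's own code and not part of the thread, sketching the heuristics the two messages discuss in Python: literal /tmp/<name> paths are flagged, lines that use mktemp/mkstemp or $RANDOM are skipped, and mkdir lines are exempted only when the script runs under sh -e or calls set -e. The regexes and the sample maintainer scripts are constructed for illustration.

```python
import re

# Literal path under /tmp that has a name component (/tmp/foo, VAR=/tmp/foo.$$).
# A bare "/tmp" or "/tmp/" is not flagged; "/var/tmp/..." is out of scope here.
TMP_PATH_RE = re.compile(r'(?<![\w./-])/tmp/[\w.-]+')
# Lines that derive the name safely are ignored, as the patch does.
SAFE_RE = re.compile(r'\b(mktemp|mkstemp)\b|\$RANDOM|\$\{RANDOM\}')
MKDIR_RE = re.compile(r'\bmkdir\b')
# "set -e", "set -eu", "set -o errexit" at the start of a line.
SET_E_RE = re.compile(r'^\s*set\s+(?:-[a-zA-Z]*e[a-zA-Z]*|-o\s+errexit)\b')


def has_errexit(lines):
    """True if the script is run with sh -e (shebang) or calls set -e."""
    if lines and lines[0].startswith('#!') and re.search(r'\s-\w*e', lines[0]):
        return True
    return any(SET_E_RE.match(line) for line in lines)


def check_tmp_usage(script):
    """Return (line number, code) pairs that look like fixed /tmp names."""
    lines = script.splitlines()
    errexit = has_errexit(lines)
    findings = []
    for lineno, line in enumerate(lines, 1):
        code = line.split('#', 1)[0]  # crude: drop trailing comments/shebang
        if not TMP_PATH_RE.search(code):
            continue
        if SAFE_RE.search(code):
            continue  # mktemp/mkstemp/$RANDOM present: treated as safe
        if MKDIR_RE.search(code) and errexit:
            continue  # mkdir fails on a pre-existing name; -e makes that fatal
        findings.append((lineno, code.strip()))
    return findings


# Constructed sample postinst fragments, not real package scripts.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample, not a real maintainer script
set -e
TMPFILE=/tmp/foo.$$
mkdir /tmp/mypkg-work
SAFE=$(mktemp /tmp/mypkg.XXXXXX)
echo hi > /tmp/mypkg-$RANDOM
cat /etc/foo > "$TMPFILE"
"""
NO_ERREXIT_SCRIPT = "#!/bin/sh\nmkdir /tmp/mypkg-work\n"

if __name__ == '__main__':
    for name, src in (('sample', SAMPLE_SCRIPT), ('no-errexit', NO_ERREXIT_SCRIPT)):
        print(name, 'errexit' if has_errexit(src.splitlines()) else 'no errexit')
        for lineno, code in check_tmp_usage(src):
            print(f'  line {lineno}: {code}')
```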

