Your message dated Thu, 12 Apr 2018 11:22:45 +0000
with message-id <>
and subject line Bug#895370: fixed in lintian 2.5.82
has caused the Debian Bug report #895370,
regarding lintian: maintainer-script-should-not-use-recursive-chown-or-chmod 
should also look for find.*exec.*chown
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the Debian archive where maintscripts or
initscripts avoid chown -R by using something like:

    find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown 

 (the above is from lava-server.postinst; similar things found in
 openguides, 4store, schleuder, jwchat, firebird3.0, etc)

This presents the exact same risk as "chown -R", but it's not captured
at all by the current matcher.  Even worse, it appears that some of
these techniques are done specifically because they think it avoids
the problem of chown -R (e.g. 4store.init has a TOCTOU race condition
that leaves it vulnerable, but is commented as "avoiding "chown -R
hardlink attacks")

I think the lintian test should check for something like:


as well as looking for chown -R.


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), 
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.30-8
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                    
ii  file                              1:5.32-2
ii  gettext                 
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl            
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.99-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.73-1
ii  libxml-simple-perl                2.25-1
ii  libyaml-libyaml-perl              0.69+repack-1
ii  man-db                            2.8.2-1
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-5
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev     
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information

--- End Message ---
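
The check requested in the report above, sketched as an added example (this is not lintian's own matcher, whose pattern does not appear on this page): a heuristic scanner that flags both recursive chown/chmod and find ... -exec chown/chmod in a maintainer script. The sample script, the finding names and the regular expressions are constructed for illustration.

```python
import re

# Constructed sample postinst; not taken from any real package.
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
# chown -R is mentioned only in this comment
chown -R app:app /var/lib/app
chmod --recursive g+w /var/lib/app
find /var/lib/app -maxdepth 1 -exec chown app:app {} \\;
find /var/lib/app -type f \\
    -exec chmod 0640 {} +
find /var/lib/app -name '*.tmp' -delete
chown app:app /var/lib/app
"""

# chown/chmod whose option list contains -R (also bundled, e.g. -hR) or --recursive.
RECURSIVE = re.compile(
    r"\b(chown|chmod)\s+(?:-\S+\s+)*(?:-[A-Za-z]*R[A-Za-z]*|--recursive)(?=\s|$)")
# find(1) that hands each result to chown/chmod within the same command.
FIND_EXEC = re.compile(
    r"\bfind\b[^|;&]*?-(?:exec|execdir|ok)\s+(?:\S*/)?(chown|chmod)\b")

def logical_lines(script):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(script.splitlines(), 1):
        start = no if start is None else start
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def scan(script):
    """Return [(line, finding)] for ownership/mode changes that walk a tree."""
    findings = []
    for no, line in logical_lines(script):
        code = line.strip()
        if not code or code.startswith("#"):  # heuristic: skip comment lines
            continue
        for kind, rx in (("find-exec-", FIND_EXEC), ("recursive-", RECURSIVE)):
            m = rx.search(code)
            if m:
                findings.append((no, kind + m.group(1)))
                break
    return findings
```

This is line-based pattern matching, not shell parsing, so it misses indirection such as commands built in variables or a pipeline into another tool.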
--- Begin Message ---
Source: lintian
Source-Version: 2.5.82

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Chris Lamb <> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Thu, 12 Apr 2018 10:18:25 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.82
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <>
Changed-By: Chris Lamb <>
 lintian    - Debian package checker
Closes: 895128 895175 895284 895370
 lintian (2.5.82) unstable; urgency=medium
   * Summary of tag changes:
     + Added:
       - invalid-field-for-derivative
       - invalid-version-number-for-derivative
   * checks/changes-file.{desc,pm}:
     + [CL] Add support for derivative-specific version validation to permit
       enforcement of additional restrictions on the version number such as
       being suffixed by "derivativeos1", etc.
   * checks/
     + [CL] Add a special case for the python3 addon as it needs a
       dependency on dh-python unless the -dev packages are used.
       Thanks to Julian Andres Klode for the report.  (Closes: #895284)
   * checks/fields.{desc,pm}:
     + [CL] Add support for derivative-specific field parsing to allow
       enforcement of additional restrictions (eg. updating Vcs-Git, etc.)
   * checks/
     + [CL] Apply patch from Pierre-Elliott Bécue to loosen the changelog
       parsing of the new-package-should-not-package-python2-module tag to
       allow (for example) "Python 2 variant" as well as "Python2
       variant".  Thanks!  (Closes: #895128)
   * commands/
     + [CL] Add support for blacklisting source packages in order to prevent
       some currently-problematic packages such as gcc-8-cross-ports
       preventing the update of  (See #890873)
   * debian/*, commands/*,, etc.:
     + [CL] Move canonical source repository from Alioth to salsa.
   * lib/Lintian/Collect/
     + [CL] Allow spaces within the ownership field of tar -tvf output
       whilst still allowing spaces in filenames.  (Closes: #895175)
   * data/scripts/maintainer-script-bad-command:
     + [CL] Also check for find(1) calls when checking for maintainer
       scripts that use a recursive chmod or chown.  Thanks to Daniel Kahn
       Gillmor for the report.  (Closes: #895370)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.
   * vendors/pureos/main/data/changes-file/derivative-versions:
     + [CL] Ensure that PureOS packages always end with (eg. pureosX).
   * vendors/pureos/main/data/fields/derivative-fields:
     + [CL] Add PureOS-specific field name validation, such as ensuring the
       Maintainer field is updated to the mailing list.



--- End Message ---
