Your message dated Thu, 12 Apr 2018 11:22:45 +0000
with message-id <[email protected]>
and subject line Bug#895370: fixed in lintian 2.5.82
has caused the Debian Bug report #895370,
regarding lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
895370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895370
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the debian archive where maintscripts or
initscripts avoid chown -R by using something like:

    find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {}

(the above is from lava-server.postinst; similar things found in
openguides, 4store, schleuder, jwchat, firebird3.0, etc)

This presents the exact same risk as "chown -R", but it's not captured
at all by the current matcher.  Even worse, it appears that some of
these techniques are done specifically because they think it avoids
the problem of chown -R (e.g. 4store.init has a TOCTOU race condition
that leaves it vulnerable, but is commented as "avoiding "chown -R
hardlink attacks")

I think the lintian test should check for something like:

    find.*exec.*chown

as well as looking for chown -R.

        --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                           2.30-8
ii  bzip2                              1.0.6-8.1
ii  diffstat                           1.61-1+b1
ii  dpkg                               1.19.0.5
ii  file                               1:5.32-2
ii  gettext                            0.19.8.1-6
ii  intltool-debian                    0.35.0+20060710.4
ii  libapt-pkg-perl                    0.1.33
ii  libarchive-zip-perl                1.60-1
ii  libclass-accessor-perl             0.51-1
ii  libclone-perl                      0.39-1
ii  libdpkg-perl                       1.19.0.5
ii  libemail-valid-perl                1.202-1
ii  libfile-basedir-perl               0.07-1
ii  libipc-run-perl                    0.99-1
ii  liblist-moreutils-perl             0.416-1+b3
ii  libparse-debianchangelog-perl      1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]   5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]   5.26.1-5
ii  libtext-levenshtein-perl           0.13-1
ii  libtimedate-perl                   2.3000-2
ii  liburi-perl                        1.73-1
ii  libxml-simple-perl                 2.25-1
ii  libyaml-libyaml-perl               0.69+repack-1
ii  man-db                             2.8.2-1
ii  patchutils                         0.3.4-2
ii  perl                               5.26.1-5
ii  t1utils                            1.41-2
ii  xz-utils                           5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
--- End Message ---
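The two technical claims in the report above, that `find ... -exec chown` carries the same hard-link risk as `chown -R` and that a `find.*exec.*chown`-style matcher would catch the idiom, as an added example written for this page. It is not lintian's code: lintian's real check is a Perl regex in data/scripts/maintainer-script-bad-command and is not reproduced here. The regexes, the tag-like names, the `find | xargs chown` case (my own extension of the proposed matcher), the sample postinst and the hard-link demonstration are all constructed for the example. The demonstration uses chmod rather than chown because changing ownership needs root; the mechanics it shows, one inode reachable under two names so that anything applied per-name inside the tree lands on the file outside it, are identical for chown.

```python
"""Added example, not lintian's own code: a lintian-style scan for
recursive chown/chmod in Debian maintainer scripts, plus a demonstration
of why "find ... -exec chown" carries the same hard-link risk as "chown -R".
"""
import os
import re
import subprocess
import tempfile

# Pattern names and regexes are this example's own, not lintian's
# data/scripts/maintainer-script-bad-command entries.
CHECKS = (
    # chown -R, chmod -R, chown --recursive, chown -hR ...
    ("recursive-flag",
     re.compile(r"\bch(?:own|mod)\b[^|;&#]*\s(?:-[A-Za-z]*R[A-Za-z]*|--recursive)\b")),
    # the form the bug report proposes to catch: find ... -exec chown / chmod
    ("find-exec",
     re.compile(r"\bfind\b[^|;&#]*-exec(?:dir)?\s+ch(?:own|mod)\b")),
    # extension (assumption): find ... | xargs chown is the same thing spelled differently
    ("find-xargs",
     re.compile(r"\bfind\b[^;&#]*\|\s*xargs\b[^|;&#]*\bch(?:own|mod)\b")),
)


def check_script(text):
    """Return [(lineno, kind, line)] for every line that changes the ownership
    or mode of a whole tree, whether via -R or via find(1)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines, the shebang and comments
        for kind, regex in CHECKS:
            if regex.search(stripped):
                findings.append((lineno, kind, stripped))
                break  # one report per line
    return findings


# Constructed sample postinst (not from any real package); line 6 mirrors the
# lava-server.postinst idiom quoted in the bug report.
SAMPLE_POSTINST = """\
#!/bin/sh
set -e
case "$1" in
  configure)
    chown -R www-data:www-data /var/lib/example
    find /etc/example/dispatcher.d/ -maxdepth 1 -exec chown example:example {} \\;
    find /var/cache/example -type f -print0 | xargs -0 chmod 0640
    chown example:example /var/log/example.log
    chmod 0750 /var/lib/example
    # chown -R would also be wrong here, but a comment is not a call
    ;;
esac
"""


def hardlink_demo():
    """Show that chmod -R and find -exec chmod both reach a file outside the
    tree through a hard link placed inside it. chmod stands in for chown
    (chown needs root); the mechanics, one inode with two names, are the same.
    Returns {label: octal mode of the victim file afterwards}."""
    outcome = {}
    with tempfile.TemporaryDirectory() as top:
        victim = os.path.join(top, "victim.secret")  # stands in for /etc/shadow
        with open(victim, "w") as fh:
            fh.write("private\n")
        cases = {
            "chmod -R": lambda d: ["chmod", "-R", "o+r", d],
            "find -exec chmod": lambda d: ["find", d, "-exec", "chmod", "o+r", "{}", ";"],
        }
        for label, build in cases.items():
            os.chmod(victim, 0o600)                          # private again
            tree = tempfile.mkdtemp(dir=top)                 # the "attacker-writable" tree
            os.link(victim, os.path.join(tree, "innocent"))  # hard link, not a copy
            subprocess.run(build(tree), check=True)          # the maintainer-script idiom
            outcome[label] = oct(os.stat(victim).st_mode & 0o777)
    return outcome


if __name__ == "__main__":
    for lineno, kind, line in check_script(SAMPLE_POSTINST):
        print(f"postinst:{lineno}: {kind}: {line}")
    for label, mode in hardlink_demo().items():
        print(f"{label:18} -> victim mode {mode}")
```

Both commands leave the victim world-readable (mode 0604) even though only the attacker's directory was named on the command line, which is the whole point of the report: the per-file `find -exec` form does nothing to stop the link from being followed, it just spends more syscalls doing it. The scan stops at the first matching kind per line and treats `#` as the start of a comment, which is good enough for shell maintainer scripts but would need a real tokenizer before being trusted on arbitrary code.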
--- Begin Message ---
Source: lintian
Source-Version: 2.5.82

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Apr 2018 10:18:25 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.82
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 lintian    - Debian package checker
Closes: 895128 895175 895284 895370
Changes:
 lintian (2.5.82) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - invalid-field-for-derivative
       - invalid-version-number-for-derivative
 .
   * checks/changes-file.{desc,pm}:
     + [CL] Add support for derivative-specific version validation to
       permit enforcement of additional restrictions on the version number
       such as being suffixed by "derivativeos1", etc.
   * checks/debhelper.pm:
     + [CL] Add a special case for the python3 addon as it needs a
       dependency on dh-python unless the -dev packages are used. Thanks
       to Julian Andres Klode for the report. (Closes: #895284)
   * checks/fields.{desc,pm}:
     + [CL] Add support for derivative-specific field parsing to allow
       enforcement of additional restrictions (eg. updating Vcs-Git, etc.)
   * checks/python.pm:
     + [CL] Apply patch from Pierre-Elliott Bécue to loosen the changelog
       parsing of the new-package-should-not-package-python2-module tag to
       allow (for example) "Python 2 variant" as well as "Python2 variant".
       Thanks! (Closes: #895128)
 .
   * commands/reporting-sync-state.pm:
     + [CL] Add support for blacklisting source packages in order to
       prevent some currently-problematic packages such as gcc-8-cross-ports
       preventing the update of https://lintian.debian.org/. (See #890873)
   * debian/*, commands/*, CONTRIBUTING.md, etc.:
     + [CL] Move canonical source repository from Alioth to salsa.
   * lib/Lintian/Collect/Package.pm:
     + [CL] Allow spaces within the ownership field of tar -tvf output
       whilst still allowing spaces in filenames. (Closes: #895175)
 .
   * data/scripts/maintainer-script-bad-command:
     + [CL] Also check for find(1) calls when checking for maintainer
       scripts that use a recursive chmod or chown. Thanks to Daniel Kahn
       Gillmor for the report. (Closes: #895370)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.
 .
   * vendors/pureos/main/data/changes-file/derivative-versions:
     + [CL] Ensure that PureOS packages always end with (eg. pureosX).
   * vendors/pureos/main/data/fields/derivative-fields:
     + [CL] Add PureOS-specific field name validation, such as ensuring the
       Maintainer field is updated to the mailing list.
Checksums-Sha1:
 23b4a03ee234691d1782ed1ad30f0afd72567d68 3511 lintian_2.5.82.dsc
 461b2cd27743d34eace2cfc7aa6a303d2a3f6506 1552204 lintian_2.5.82.tar.xz
 03486e3cbbc513824a6b82a03ce692dd12a5d50f 1114572 lintian_2.5.82_all.deb
 f00947157088956762bd64eb4321ed985d8789c9 16044 lintian_2.5.82_amd64.buildinfo
Checksums-Sha256:
 80884effdccf99abf5f9c206739171b9c62e8e3cb886ae2d04650320a808a1c5 3511 lintian_2.5.82.dsc
 886e5517cf418e8be964845f5903a5618de01567a7a3eefa46084ce27392ebd0 1552204 lintian_2.5.82.tar.xz
 b5cbf046be542e399aa53c804e90af85d0825341357b10286ff8465cb21209da 1114572 lintian_2.5.82_all.deb
 3bfa13a96a6a0d1ebe067e705d4d14d28331f29bf8a44d8c70190e9ebd822226 16044 lintian_2.5.82_amd64.buildinfo
Files:
 ff54798045d05de9fa6adcea72b8ac14 3511 devel optional lintian_2.5.82.dsc
 9f4e5575f1c42943fdcdfa0d87d330ff 1552204 devel optional lintian_2.5.82.tar.xz
 cef5c06ac39e6330786b45430c94533b 1114572 devel optional lintian_2.5.82_all.deb
 1b595aa0cba9575c9dcc5096f12b47c5 16044 devel optional lintian_2.5.82_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlrPPc4ACgkQHpU+J9Qx
Hli0Hw/+PRxLLVPuPp8yqbRdUV+pXBSJ8r6bgmqS7TxUc15W2UKZ7dgpSgSdUNwB
wzWwd/6nUVqri3bpMJn/eh+RXylvZ/0nqXkd0CeVPCMknbwow8rJbHw8TUuTMZpZ
mupAMszkY2QUjuEW2y0Bew05aFy2Ll7ZMzyhAtyEfQT2k/SCF2+TJnkRebh3DdlJ
dJmxI2qjanPHIEFTVNGa0qizEWUcVixpUITj3OpqeEsxKr+6WnCOV6v5Eic/NXDF
tDx/NO5ce5mv/ZCi4zGcVZQOVJ2MYm1x3KoWz/D88Tey09AlrX7QJkgOK8yeB8kL
UMCj4LhA5e06Z+wbI0WN4Y9BfVFXQEiGzllYdwd88BMsVRzL15m0Djl0Jgn4KpGH
h7DwXZm324gSkf+/UY/zZgQEvVYg7UJ8qFJuXNCwEISlCvZSTirCxlPd/lIRcK0A
7YvLFZlC5EPDyHKb76AJo9yneeFdBHtwSfRpDuvE7jYMPpRg4GDmFMwDy/K2xy1S
qSBfCsAihC+iKDI7IotaJ4G+/qMCazmysdI8/ZaE4X7YxEVqEZKkfoa+SbC0czWT
tTFKpPAKjZX+TEBKCXeVy6KKyEAhS6sXKN7PAB0V+Vy48Ka17MQ3+TIowJe1VoOx
kRzJy8qBjrBIjjcuXvo2pqaCmCnDAgIdIoMcoybFi5fL9zmrqbM=
=exAG
-----END PGP SIGNATURE-----
--- End Message ---