Your message dated Thu, 12 Apr 2018 11:22:45 +0000
with message-id <e1f6ajr-0003p3...@fasolo.debian.org>
and subject line Bug#895370: fixed in lintian 2.5.82
has caused the Debian Bug report #895370,
regarding lintian: maintainer-script-should-not-use-recursive-chown-or-chmod should also look for find.*exec.*chown
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
895370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.81
Severity: normal

I've seen a few places in the Debian archive where maintscripts or
initscripts avoid chown -R by using something like:

    find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown $LAVA_SYS_USER:$LAVA_SYS_USER {}

 (the above is from lava-server.postinst; similar things found in
 openguides, 4store, schleuder, jwchat, firebird3.0, etc.)

This presents the exact same risk as "chown -R", but it's not captured
at all by the current matcher.  Even worse, it appears that some of
these techniques are done specifically because they think it avoids
the problem of chown -R (e.g. 4store.init has a TOCTOU race condition
that leaves it vulnerable, but is commented as "avoiding 'chown -R
hardlink attacks'").

I think the lintian test should check for something like:

   find.*exec.*chown

as well as looking for chown -R.

   --dkg



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lintian depends on:
ii  binutils                          2.30-8
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1+b1
ii  dpkg                              1.19.0.5
ii  file                              1:5.32-2
ii  gettext                           0.19.8.1-6
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.33
ii  libarchive-zip-perl               1.60-1
ii  libclass-accessor-perl            0.51-1
ii  libclone-perl                     0.39-1
ii  libdpkg-perl                      1.19.0.5
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.99-1
ii  liblist-moreutils-perl            0.416-1+b3
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-7
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.73-1
ii  libxml-simple-perl                2.25-1
ii  libyaml-libyaml-perl              0.69+repack-1
ii  man-db                            2.8.2-1
ii  patchutils                        0.3.4-2
ii  perl                              5.26.1-5
ii  t1utils                           1.41-2
ii  xz-utils                          5.2.2-1.3

Versions of packages lintian recommends:
pn  libperlio-gzip-perl  <none>

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.19.0.5
ii  libhtml-parser-perl    3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information

--- End Message ---
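The report above compares an explicit "chown -R" with a "find ... -exec chown" loop and argues both carry the same risk. The following scanner is an added example written for this page, not lintian's own matcher (which lives in data/scripts/maintainer-script-bad-command, as the changelog below records): the regexes, tag names and the sample postinst are all constructed here, and flagging a "find | xargs chown" pipeline goes beyond the find.*exec.*chown pattern the report proposes, since it has the same window.

```python
import re

# Added example, not lintian's own matcher (that lives in
# data/scripts/maintainer-script-bad-command). All forms below walk a tree
# and then chown/chmod each entry, so a user who can write to that tree can
# swap an entry for a hardlink or symlink between the walk and the chown:
# the TOCTOU window the report describes.

# 1. explicit recursive flag, e.g. "chown -R user:group dir" or "chmod -Rv ..."
RECURSIVE_RE = re.compile(
    r"\b(chown|chmod|chgrp)\b.*?\s(-[a-zA-Z]*R[a-zA-Z]*|--recursive)\b")
# 2. the find(1) form from the report: "find ... -exec chown ..." (also -execdir)
FIND_EXEC_RE = re.compile(
    r"\bfind\b.*?-exec(dir)?\s.*?\b(chown|chmod|chgrp)\b")
# 3. generalisation beyond the report's "find.*exec.*chown": piping find
#    into xargs has the same window, so it is flagged here as well.
FIND_XARGS_RE = re.compile(
    r"\bfind\b.*?\|\s*xargs\b.*?\b(chown|chmod|chgrp)\b")

def classify_line(line):
    """Return a short tag for the risky form found on this shell line, or None."""
    if line.lstrip().startswith("#"):  # shell comment, not a command
        return None
    if RECURSIVE_RE.search(line):
        return "recursive-flag"
    if FIND_EXEC_RE.search(line):
        return "find-exec"
    if FIND_XARGS_RE.search(line):
        return "find-xargs"
    return None

def scan_script(text):
    """Return [(lineno, tag, line)] for each risky line of a maintainer script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tag = classify_line(line)
        if tag:
            findings.append((lineno, tag, line.strip()))
    return findings

# Constructed sample postinst; line 5 is modelled on the lava-server snippet.
SAMPLE_POSTINST = """#!/bin/sh
set -e
# chown -R is mentioned in this comment only, so it must not be flagged
chown -R lava:lava /var/lib/lava
find /etc/lava-server/dispatcher.d/ -maxdepth 1 -exec chown lava:lava {} \\;
find /var/lib/4store -type f | xargs chmod 0640
chown lava:lava /etc/lava-server/settings.conf
"""
```

Running scan_script(SAMPLE_POSTINST) flags lines 4, 5 and 6 and leaves the single-file chown on line 7 alone; the heuristic is line-based, so a recursive flag belonging to another command on the same line (such as rm -Rf after a chown) would also trip it.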
--- Begin Message ---
Source: lintian
Source-Version: 2.5.82

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <la...@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Apr 2018 10:18:25 +0000
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.82
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-ma...@debian.org>
Changed-By: Chris Lamb <la...@debian.org>
Description:
 lintian    - Debian package checker
Closes: 895128 895175 895284 895370
Changes:
 lintian (2.5.82) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - invalid-field-for-derivative
       - invalid-version-number-for-derivative
 .
   * checks/changes-file.{desc,pm}:
     + [CL] Add support for derivative-specific version validation to permit
       enforcement of additional restrictions on the version number such as
       being suffixed by "derivativeos1", etc.
   * checks/debhelper.pm:
     + [CL] Add a special case for the python3 addon as it needs a
       dependency on dh-python unless the -dev packages are used.
       Thanks to Julian Andres Klode for the report.  (Closes: #895284)
   * checks/fields.{desc,pm}:
     + [CL] Add support for derivative-specific field parsing to allow
       enforcement of additional restrictions (e.g. updating Vcs-Git, etc.)
   * checks/python.pm:
     + [CL] Apply patch from Pierre-Elliott Bécue to loosen the changelog
       parsing of the new-package-should-not-package-python2-module tag to
       allow (for example) "Python 2 variant" as well as "Python2
       variant".  Thanks!  (Closes: #895128)
 .
   * commands/reporting-sync-state.pm:
     + [CL] Add support for blacklisting source packages in order to prevent
       some currently-problematic packages such as gcc-8-cross-ports
       preventing the update of https://lintian.debian.org/.  (See #890873)
   * debian/*, commands/*, CONTRIBUTING.md, etc.:
     + [CL] Move canonical source repository from Alioth to salsa.
   * lib/Lintian/Collect/Package.pm:
     + [CL] Allow spaces within the ownership field of tar -tvf output
       whilst still allowing spaces in filenames.  (Closes: #895175)
 .
   * data/scripts/maintainer-script-bad-command:
     + [CL] Also check for find(1) calls when checking for maintainer
       scripts that use a recursive chmod or chown.  Thanks to Daniel Kahn
       Gillmor for the report.  (Closes: #895370)
   * data/spelling/corrections:
     + [PW] Add a number of corrections.
 .
   * vendors/pureos/main/data/changes-file/derivative-versions:
     + [CL] Ensure that PureOS packages always end with (e.g. pureosX).
   * vendors/pureos/main/data/fields/derivative-fields:
     + [CL] Add PureOS-specific field name validation, such as ensuring the
       Maintainer field is updated to the mailing list.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---