This is an automated email from the git hooks/post-receive script. lamby pushed a commit to branch master in repository lintian.
commit e46b47690c6018847c48e05d2162562f16bb87e6 Author: Chris Lamb <la...@debian.org> Date: Fri Feb 2 08:26:45 2018 +0000 Warn if the maintainer scripts include "chown -R" or "chmod -R" to prevent hardlink attacks on kernels that do not have fs.protected_hardlinks=1. (Closes: #889066) --- checks/scripts.desc | 8 ++++++++ data/scripts/maintainer-script-bad-command | 1 + debian/changelog | 4 ++++ t/tests/scripts-maintainer-general/debian/debian/postinst | 11 +++++++++++ t/tests/scripts-maintainer-general/desc | 1 + t/tests/scripts-maintainer-general/tags | 9 +++++++++ 6 files changed, 34 insertions(+) diff --git a/checks/scripts.desc b/checks/scripts.desc index a6dbedc..1ed01eb 100644 --- a/checks/scripts.desc +++ b/checks/scripts.desc @@ -806,3 +806,11 @@ Info: You used <tt>/usr/bin/nodejs</tt> or <tt>/usr/bin/env nodejs</tt> as an . Please update your package to use the <tt>node</tt> variant. Ref: #614907, #862051 + +Tag: maintainer-script-should-not-use-recursive-chown-or-chmod +Severity: normal +Certainty: certain +Info: The maintainer script appears to call <tt>chmod</tt> or <tt>chown</tt> + with the recursive <tt>-R</tt> argument. This is vulnerable to hardlink + attacks on kernels that do not have <tt>fs.protected_hardlinks=1</tt> +Ref: #889060 diff --git a/data/scripts/maintainer-script-bad-command b/data/scripts/maintainer-script-bad-command index f0fcc3a..ef5a159 100644 --- a/data/scripts/maintainer-script-bad-command +++ b/data/scripts/maintainer-script-bad-command 
@@ -35,6 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly ~~ 1 ~~^(base-fi maintainer-script-should-not-use-fc-cache ~~ 0 ~~^(fontconfig)$ ~~ ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z) maintainer-script-should-not-use-gconftool ~~ 1 ~~^(gconf\d)$ ~~ ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z) maintainer-script-should-not-use-install-sgmlcatalog ~~ 1 ~~ ~~ ~~\binstall-sgmlcatalog\b +maintainer-script-should-not-use-recursive-chown-or-chmod ~~ 1 ~~ ~~ ~~\b(?:chmod|chown).*(?:-R|--recursive)\b maintainer-script-should-not-use-service ~~ 1 ~~ ~~ ~~${LEADIN}service\b maintainer-script-should-not-use-start-stop-daemon ~~ 0 ~~ ~~ ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b) maintainer-script-should-not-use-update-alternatives-remove ~~ 1 ~~ ~~^postrm$ ~~\b update\-alternatives\s+\-\-remove\b diff --git a/debian/changelog b/debian/changelog index 19cff1b..4aa6a9c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -76,6 +76,10 @@ lintian (2.5.73) UNRELEASED; urgency=medium * data/files/python-generic-modules: + [CL] Detect "backports" (and "backport") as overly generic Python module names. (Closes: #888559) + * data/scripts/maintainer-script-bad-command: + + [CL] Warn if the maintainer scripts include "chown -R" or "chmod -R" + to prevent hardlink attacks on kernels that do not have + fs.protected_hardlinks=1. (Closes: #889066) * lib/Lintian/*: + [CL] Add support for passing .buildinfo files to Lintian. diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst b/t/tests/scripts-maintainer-general/debian/debian/postinst index f8d349b..706d7cf 100755 --- a/t/tests/scripts-maintainer-general/debian/debian/postinst +++ b/t/tests/scripts-maintainer-general/debian/debian/postinst 
@@ -206,4 +206,15 @@ if [ -d /usr/share/doc/tworld ]; then fi fi +chown root:root /good +chmod 777 /good +chown -R root:root /bad +chown root:root -R /bad +chown root:root --recursive /bad +chown --recursive root:root /bad +chmod -R 777 /bad +chmod 777 -R /bad +chmod 777 --recursive /bad +chmod --recursive 777 /bad + #DEBHELPER# diff --git a/t/tests/scripts-maintainer-general/desc b/t/tests/scripts-maintainer-general/desc index bfdca94..3132808 100644 --- a/t/tests/scripts-maintainer-general/desc +++ b/t/tests/scripts-maintainer-general/desc @@ -25,6 +25,7 @@ Test-For: maintainer-script-should-not-use-install-sgmlcatalog maintainer-script-should-not-modify-ld-so-conf maintainer-script-should-not-modify-netbase-managed-file + maintainer-script-should-not-use-recursive-chown-or-chmod maintainer-script-should-not-use-start-stop-daemon maintainer-script-should-not-use-service maintainer-script-should-not-use-update-alternatives-remove diff --git a/t/tests/scripts-maintainer-general/tags b/t/tests/scripts-maintainer-general/tags index 8a8b143..2813747 100644 --- a/t/tests/scripts-maintainer-general/tags +++ b/t/tests/scripts-maintainer-general/tags 
@@ -41,6 +41,15 @@ W: scripts-maintainer-general: maintainer-script-should-not-use-deprecated-chown W: scripts-maintainer-general: maintainer-script-should-not-use-fc-cache postinst:95 W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool postinst:155 W: scripts-maintainer-general: maintainer-script-should-not-use-gconftool postinst:44 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:211 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:212 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:213 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:214 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:215 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:216 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:217 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:218 +W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:84 W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:138 W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:78 W: scripts-maintainer-general: maintainer-script-should-not-use-update-alternatives-remove postrm:7 -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git
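Review bot: in the checks/scripts.desc hunk the new tag's Ref line points at #889060 while the commit message and the debian/changelog entry both say "Closes: #889066"; one of the two bug numbers is a typo and they should be reconciled before this lands. The Info text also stops without a full stop after `fs.protected_hardlinks=1`, and it names the hazard without telling the maintainer what to do instead; a closing sentence suggesting that ownership and modes be set on the shipped files at build time, or applied only to the specific paths the script itself creates rather than to whole trees, would make the warning actionable rather than just alarming.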
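Review bot: the regex added to data/scripts/maintainer-script-bad-command, `\b(?:chmod|chown).*(?:-R|--recursive)\b`, is looser in one direction and stricter in the other than the test block suggests. The greedy `.*` lets the `-R` come from anything later on the same line, so `chmod 644 /etc/foo.conf && rm -R /tmp/foo`, or a non-recursive `chown` followed by a comment mentioning `-R`, raises the tag although the chown/chmod itself is not recursive. At the same time the trailing `\b` requires a non-word character after the `R`, so combined short options such as `chmod -Rf 755 /x`, `chown -vR user /x` or `chown -hR user /x` are never matched, and `chgrp -R` is not covered at all. Consider anchoring the command with `${LEADIN}` as the `service` entry on the line below does, stopping at command separators, and matching the option as its own token, for example `(?:chmod|chown|chgrp)\s(?:[^\s;&|#]+\s)*?(?:-[a-zA-Z]*R[a-zA-Z]*|--recursive)(?=\s|\Z)`, so that `-Rf` and `-fR` fire and an `-R` belonging to a later `rm` does not.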
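Review bot: the test postinst hunk covers the eight plain `-R`/`--recursive` placements well but pins down neither side of the regex's boundaries. There is no combined-flag case (`chmod -Rf 777 /bad`, `chown -hR root:root /bad`), no `chgrp -R /bad`, and the two `/good` controls only show that a bare non-recursive call is quiet; a control such as `chmod 755 /good; rm -R /tmp/x` on one line would record whether an unrelated `-R` later in the line is meant to trigger the tag. Adding those lines, with the corresponding entries in (or deliberate absences from) the tags file, would document the intended behaviour either way.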
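Review bot: in the tags hunk the expected output includes `postinst:84`, which lies outside the added block at lines 211-218 and is therefore a pre-existing line of the test script that the new pattern now matches. Given that the pattern accepts any line mentioning `chmod` or `chown` with a `-R` anywhere afterwards, it is worth checking that line 84 of the postinst really is a recursive chown/chmod and not an incidental hit, and if it is a genuine one, it would be clearer to move or duplicate it into the new test block so that all of the tag's fixtures sit together.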