Bug#601323: lintian: false positive possibly-insecure-handling-of-tmp-files-in-maintainer-script

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#601323: lintian: false positive possibly-insecure-handling-of-tmp-files-in-maintainer-script
From: Jari Aalto <jari.aalto@cante.net>
Date: Mon, 25 Oct 2010 11:14:12 +0300
Message-id: <[🔎] 20101025081412.18904.39899.reportbug@vpn.cante.net>
Reply-to: Jari Aalto <jari.aalto@cante.net>, 601323@bugs.debian.org

Package: lintian
Version: 2.4.3
Severity: minor


For package totd lintian reports:

    W: totd: possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:18

Code in debian/postinst reads:

     1  #! /bin/sh
     2  # postinst script for totd
     3  #
     4  # see: dh_installdeb(1)
     5  
     6  set -e
     7  
     8  . /usr/share/debconf/confmodule
     9  db_version 2.0
    10  
    11  ETC_DEFAULT_TOTD="/etc/default/totd"
    12  
    13  case "$1" in
    14      configure)
    15  
    16          db_get totd/use_ipv6 && use_ipv6="$RET"
    17  
    18          TEMPL="/tmp/totd.default.XXXXXXX"
    19          TEMPFILE=`mktemp $TEMPL`
    20          sed -e "s/^\(OPTION=\)\(.*\)//g; /^$/d" \
    21                  $ETC_DEFAULT_TOTD > $TEMPFILE
    ...


SUGGESTION:

Perhaps the regexp could exempt names that contain uppercase XXXX
letters.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lintian depends on:
ii  binutils               2.20.1-15         The GNU assembler, linker and bina
ii  diffstat               1.53-1            produces graph of changes introduc
ii  dpkg-dev               1.15.8.5          Debian package development tools
ii  file                   5.04-5            Determines file type using "magic"
ii  gettext                0.18.1.1-3        GNU Internationalization utilities
ii  intltool-debian        0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii  libapt-pkg-perl        0.1.24+b1         Perl interface to libapt-pkg
ii  libclass-accessor-perl 0.34-1            Perl module that automatically gen
ii  libipc-run-perl        0.89-1            Perl module for running processes
ii  libparse-debianchangel 1.1.1-2.1         parse Debian changelogs and output
ii  libtimedate-perl       1.2000-1          collection of modules to manipulat
ii  liburi-perl            1.54-1            module to manipulate and access UR
ii  locales                2.11.2-6          Embedded GNU C Library: National L
ii  man-db                 2.5.7-4           on-line manual pager
ii  perl [libdigest-sha-pe 5.10.1-15         Larry Wall's Practical Extraction 

lintian recommends no packages.

Versions of packages lintian suggests:
pn  binutils-multiarch            <none>     (no description available)
ii  libtext-template-perl         1.45-1     Text::Template perl module
ii  man-db                        2.5.7-4    on-line manual pager

-- no debconf information

Reply to:

Prev by Date: Bug#600905: lintian: [PATCH] --help to display options alphanetically
Next by Date: real estate crash - the 2nd wave
Previous by thread: Bug#600905: lintian: [PATCH] --help to display options alphanetically
Next by thread: real estate crash - the 2nd wave
Index(es):
- Date
- Thread