[SCM] Debian package checker branch, master, updated. 2.2.6-3-g5fa2f2e
The following commit has been merged in the master branch:
commit 0bd98ad570e514d1035d60ef220012275ca7b86c
Author: Raphael Geissert <atomo64@gmail.com>
Date: Sun Feb 22 03:06:30 2009 -0600
Check ELF objects for embedded copies of zlib
diff --git a/checks/binaries b/checks/binaries
index 9088b7e..ddd9bf0 100644
--- a/checks/binaries
+++ b/checks/binaries
@@ -247,6 +247,11 @@ foreach my $file (sort keys %{$info->file_info}) {
my $strings = slurp_entire_file("strings/$file");
spelling_check('spelling-error-in-binary', $strings, $file);
+ if ($pkg !~ m/^zlib.+/
+ and $strings =~ /(?:in|de)flate (?:\d[ \w.\-]{1,20}[\w.\-])/m) {
+ tag "embedded-zlib", $file;
+ }
+
# binary or shared object?
next unless ($fileinfo =~ m/executable/) or ($fileinfo =~ m/shared object/);
next if $type eq 'udeb';
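Review bot: The pattern on the added `$strings =~` line is loose for a tag that is declared certain: it accepts any `inflate ` or `deflate ` followed by a digit and a few word characters or spaces, so unrelated text such as "deflate 1 block" would match. The string in the test fixture carries ` Copyright 1995-` directly after the version, so anchoring on it is cheap: `and $strings =~ /(?:in|de)flate \d[\w.\-]{1,20} Copyright 1995-/) {`. The `/m` flag has no effect because the pattern contains no `^` or `$`. The exemption `$pkg !~ m/^zlib.+/` is a prefix match, so any package whose name merely starts with `zlib` is skipped; the loop body starts and continues outside this hunk, so whether non-ELF files can reach this check cannot be confirmed from here.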
diff --git a/checks/binaries.desc b/checks/binaries.desc
index a64857b..a7d82b0 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -217,3 +217,11 @@ Experimental: yes
Info: Lintian found a spelling error in the given binary. Lintian has a list
of common misspellings that it looks for. It does not have a dictionary
like a spelling checker does.
+
+Tag: embedded-zlib
+Severity: important
+Certainty: certain
+Info: The given ELF object appears to have been statically linked to zlib.
+ Doing this is discouraged due to the extra work needed by the security team
+ to fix all the extra embedded copies or trigger the package rebuilds, as
+ appropriate.
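Review bot: `Certainty: certain` overstates what the check can know, since it is a string heuristic over `strings` output and the Info text itself says the object "appears to" be statically linked. `Certainty: possible` would match that wording unless the pattern in checks/binaries is tightened. The Info paragraph also gives the maintainer no remedy; a closing sentence such as `Please link dynamically against the system zlib instead.` would make the tag actionable.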
diff --git a/t/tests/binaries-from-other-arch/debian/debian/install b/t/tests/binaries-embedded-zlib/debian/debian/install
similarity index 100%
copy from t/tests/binaries-from-other-arch/debian/debian/install
copy to t/tests/binaries-embedded-zlib/debian/debian/install
diff --git a/t/tests/binaries-embedded-zlib/debian/debian/rules b/t/tests/binaries-embedded-zlib/debian/debian/rules
new file mode 100755
index 0000000..4ae2893
--- /dev/null
+++ b/t/tests/binaries-embedded-zlib/debian/debian/rules
@@ -0,0 +1,13 @@
+#!/usr/bin/make -f
+
+DEB_BUILD_OPTIONS := nostrip
+export DEB_BUILD_OPTIONS
+
+%:
+ dh $@
+
+binary:
+ head -n1 /bin/true > debian/elfobject
+ echo "deflate 1.2.3.3 Copyright 1995-2006 Jean-loup Gailly" \
+ >> debian/elfobject
+ dh binary
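Review bot: The fixture borrows its ELF header from the build host with `head -n1 /bin/true`, so `debian/elfobject` holds whatever bytes precede the first newline in that binary, and this differs between architectures and coreutils builds. The expected `apparently-corrupted-elf-binary` and `statically-linked-binary` tags presumably depend on how that fragment is classified, which makes the test fragile. At minimum a comment above the `binary:` target would help, e.g. `# Fake ELF: header bytes from /bin/true plus the zlib copyright string that embedded-zlib matches.`; a fixed header file checked into the test would be more reproducible.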
diff --git a/t/tests/binaries-embedded-zlib/desc b/t/tests/binaries-embedded-zlib/desc
new file mode 100644
index 0000000..9066a3f
--- /dev/null
+++ b/t/tests/binaries-embedded-zlib/desc
@@ -0,0 +1,8 @@
+Testname: binaries-embedded-zlib
+Sequence: 6000
+Architecture: any
+Version: 1.0
+Description: Test package with a pseudo binary with an "embedded" zlib
+Test-For:
+ embedded-zlib
+ apparently-corrupted-elf-binary
diff --git a/t/tests/binaries-embedded-zlib/tags b/t/tests/binaries-embedded-zlib/tags
new file mode 100644
index 0000000..8a3ff8c
--- /dev/null
+++ b/t/tests/binaries-embedded-zlib/tags
@@ -0,0 +1,4 @@
+E: binaries-embedded-zlib: embedded-zlib ./usr/bin/elfobject
+E: binaries-embedded-zlib: statically-linked-binary ./usr/bin/elfobject
+W: binaries-embedded-zlib: apparently-corrupted-elf-binary ./usr/bin/elfobject
+W: binaries-embedded-zlib: binary-without-manpage usr/bin/elfobject
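Review bot: Only the positive case is covered; nothing exercises the `^zlib.+` package-name exemption or a near-miss string that must not be tagged. Because the tag is emitted as an error with certainty certain, a second fixture whose binary contains a non-zlib "deflate <digit>" string and whose expected tags have no `embedded-zlib` line would guard against false positives.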
--
Debian package checker