
Bug#533618: marked as done ([collection/strings] fails on setuid/setgid/sticky files when run as root)



Your message dated Thu, 09 Jul 2009 16:17:34 +0000
with message-id <E1MOwJS-0003Kh-Jf@ries.debian.org>
and subject line Bug#533618: fixed in lintian 2.2.13
has caused the Debian Bug report #533618,
regarding [collection/strings] fails on setuid/setgid/sticky files when run as root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
533618: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533618
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.2.10
Severity: normal
Tags: patch

Hi,

Thanks a lot for working on lintian!

In version 2.2.10, the list of files examined by collection/strings was
limited to those containing ":<whitespace>ELF" to avoid false positives.
However, this kind of fails on packages containing setuid, setgid, or
sticky binaries *only when the lintian test is run as root*.

Of course, I realize that running lintian as root is discouraged, but
that's what pbuilder does by default, and IMHO there's no harm in
supporting it with a simple change such as the following patch :)
I'm reporting the bug against lintian-2.2.10 in squeeze, but it is also
present (and the patch is against) unstable's 2.2.12.  I hope that
this bug won't prevent the migration of 2.2.12 to squeeze, which would
be desirable because of the support for Policy 3.8.2 :>

Keep up the good work!

G'luck,
Peter

*** strings-on-setid-files.patch
Fix strings run as root on setuid, setgid, or sticky executables.

diff -urN lintian-2.2.12/collection/strings lintian-2.2.12-roam/collection/strings
--- lintian-2.2.12/collection/strings	2009-06-19 03:22:54.000000000 +0300
+++ lintian-2.2.12-roam/collection/strings	2009-06-19 13:01:40.000000000 +0300
@@ -27,7 +27,7 @@
 [ ! -f elf-index ] || rm -f elf-index
 exec >elf-index
 
-for bin in $(sed -rn 's/:\s+\bELF\b.+$//g;T;p' file-info); do
+for bin in $(sed -rn 's/:\s+((set[ug]id|sticky)\s+)*\bELF\b.+$//g;T;p' file-info); do
     echo "$bin"
     case $bin in
       /usr/lib/debug/*)
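
Review bot: the changed `for bin in $(sed ...)` line hard-codes the three prefix words `setuid`, `setgid` and `sticky`, which ties the filter to the exact wording file(1) emits. A short comment above the loop saying where these prefixes come from, plus a test package that ships a setuid ELF binary, would keep this from regressing silently. The loop also still iterates over an unquoted command substitution, so a path containing whitespace is split into several `$bin` values; reading file-info line by line with `while IFS= read -r bin` would avoid that. The `g` flag is redundant, since the pattern is anchored with `$` and can match at most once per line.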


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lintian depends on:
ii  binutils               2.19.1-1          The GNU assembler, linker and bina
ii  diffstat               1.47-1            produces graph of changes introduc
ii  dpkg-dev               1.15.2            Debian package development tools
ii  file                   5.03-1            Determines file type using "magic"
ii  gettext                0.17-6            GNU Internationalization utilities
ii  intltool-debian        0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii  libipc-run-perl        0.82-1            Perl module for running processes
ii  libparse-debianchangel 1.1.1-2           parse Debian changelogs and output
ii  libtimedate-perl       1.1600-9          Time and date functions for Perl
ii  liburi-perl            1.37+dfsg-1       Manipulates and accesses URI strin
ii  man-db                 2.5.5-2           on-line manual pager
ii  perl [libdigest-sha-pe 5.10.0-23         Larry Wall's Practical Extraction 

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch            2.19.1-1   Binary utilities that support mult
ii  libtext-template-perl         1.45-1     Text::Template perl module
ii  man-db                        2.5.5-2    on-line manual pager

-- no debconf information



--- End Message ---
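
The behaviour reported above, as an added example that is not part of the original report or of lintian: it runs the two sed filters from the patch over constructed file-info lines and lists the ELF paths the 2.2.12 filter skips. The function names and sample lines are assumptions made for illustration, and GNU sed is assumed (the `T` command, `\s` and `\b` are GNU extensions).

```shell
#!/bin/sh
# Constructed sample of file-info lines ("<path>: <file(1) output>").
# These lines are made up for this example, not taken from a real package.
sample_file_info() {
cat <<'EOF'
./usr/bin/plain: ELF 32-bit LSB executable, Intel 80386, dynamically linked
./usr/bin/suid: setuid ELF 32-bit LSB executable, Intel 80386, dynamically linked
./usr/bin/sgid: setgid ELF 32-bit LSB executable, Intel 80386, dynamically linked
./usr/bin/both: setuid setgid ELF 32-bit LSB executable, Intel 80386
./usr/bin/tacky: sticky ELF 32-bit LSB executable, Intel 80386
./usr/bin/wrapper: setuid POSIX shell script text executable
./usr/share/doc/ELF-notes.txt: ASCII text
EOF
}

# Filter as in lintian 2.2.12 collection/strings (the "-" line of the patch).
elf_paths_old() {
    sed -rn 's/:\s+\bELF\b.+$//g;T;p'
}

# Filter as proposed in the patch (the "+" line).
elf_paths_new() {
    sed -rn 's/:\s+((set[ug]id|sticky)\s+)*\bELF\b.+$//g;T;p'
}

# Paths that the new filter selects but the old one skipped.
missed_by_old() {
    old=$(sample_file_info | elf_paths_old)
    sample_file_info | elf_paths_new | while IFS= read -r p; do
        printf '%s\n' "$old" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

missed_by_old
```

The setuid shell script and the text file whose name contains "ELF" are rejected by both filters, so the patch widens the match only for files that file(1) actually reports as ELF.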
--- Begin Message ---
Source: lintian
Source-Version: 2.2.13

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_2.2.13.dsc
  to pool/main/l/lintian/lintian_2.2.13.dsc
lintian_2.2.13.tar.gz
  to pool/main/l/lintian/lintian_2.2.13.tar.gz
lintian_2.2.13_all.deb
  to pool/main/l/lintian/lintian_2.2.13_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 533618@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Jul 2009 09:11:14 -0700
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.2.13
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 lintian    - Debian package checker
Closes: 516530 533618 534134 534139 534141 534212 534218 534234 534276 534326 534580 534640 534684 534942 535308 535432 535566 535582
Changes: 
 lintian (2.2.13) unstable; urgency=low
 .
   The "triggerized install-info" release.
 .
   * Summary of tag changes:
     + Added:
       - install-info-used-in-maintainer-script
       - package-contains-info-dir-file
     + Removed:
       - info-documents-not-removed
       - install-info-not-called-with-quiet-option
       - missing-comma-after-substvar
       - postrm-calls-install-info
       - preinst-calls-install-info
 .
   * checks/control-file{,.desc}:
     + [RA] Rework missing-separator-between-lines to only include two
       specific package stanzas in the extra tag data and not include
       newlines.  Generalize it to also detect missing commas between
       substvars, replacing missing-comma-after-substvar.
   * checks/cruft{,.desc}:
     + [RA] Don't warn about outdated libtool if the package build-depends
       on libtool.  Thanks, Kurt Roeckx.  (Closes: #534134)
     + [RA] Fix typo in *-contains-ht-tags-file description.  Patch from
       Peter Pentchev.  (Closes: #534218)
   * checks/fields:
     + [ADB] If the Debian r-cran makefile include is used in the rules file,
       cdbs, debhelper and r-base-dev are required in Build-Depends.  Thanks,
       Charles Plessy.  (Closes: #534684)
     + [RA] Allow variable settings before ant, dpatch, and dh when
       checking debian/rules for dependencies.  Thanks, Ryan Niebur.
       (Closes: #535432)
   * checks/files{,.desc}:
     + [RA] Allow non-core Python packages to install files into
       /usr/lib/python*/dist-packages, the extension location for Python
       2.6 and later.  Thanks, Julian Andres Klode.  (Closes: #534212)
     + [RA] Check for /usr/share/info/dir files included in the package.
       Thanks, Bas Zoetekouw.  (Closes: #535566)
   * checks/infofiles{,.desc}:
     + [RA] Ignore dir files; they're a different error that's now caught
       by checks/files.
     + [RA] Remove all checking of maintainer scripts, since info dir
       entries are now handled with triggers.  Now always warn of info
       files without INFO-DIR-SECTION, even if install-info were called
       with a --section argument.  Warn of info files without a DIR-ENTRY
       section.  Thanks, Raphaël Hertzog.  (Closes: #534640)
     + [RA] Fix a bug in the detection of bad info file extensions that
       missed extensions containing the string "info".
     + [RA] Improve the long descriptions of tags about compression of info
       documents.
   * checks/init.d:
     + [RA] Take into account dangling symlinks in /etc/init.d.  Patch from
       Raphael Geissert.  (Closes: #534139)
     + [RA] Don't require symlink init scripts to be conffiles and realize
       they are included in the package even if the symlink is dangling.
       Thanks, Steve Langasek.  (Closes: #534326)
   * checks/manpages:
     + [RA] Don't warn about hyphens used as minus signs inside draft mode,
       since \- cannot be used there.  Based on a patch by Gennaro Oliva.
       (Closes: #535308)
   * checks/patch-systems:
     + [RA] Don't include the package name as extra data in tags that are
       only issued for source packages.  Patch from Raphael Geissert.
   * checks/scripts{,.desc}:
     + [RA] Lower certainty of read-in-maintainer-script to possible and
       mention false positives.  Thanks, Raphaël Hertzog.  (Closes: #534276)
     + [RA] Allow for output redirection when parsing diversions in
       maintainer scripts.  Thanks, Andreas Beckmann.  (Closes: #534942)
     + [ADB] Detect the use of the "source" bashism when the sourced filename
       contains a tilde or consists of a single character.  Thanks, Raphael
       Geissert and Ryan Niebur.
     + [RA] Avoid a false positive in the bashism check for trap with
       signal numbers when the trap command contains a number.  Thanks,
       Julien Cristau.  (Closes: #534580)
     + [RA] Check for any maintainer script running install-info, since
       this is now handled with triggers.
   * checks/watch-file:
     + [RA] Use a consistent way of displaying the line number of a problem.
 .
   * collection/strings:
     + [ADB] Handle the fact that, when Lintian is run as root, the output of
       "file" on set[gu]id files may include the fact that they are set[gu]id.
       Thanks, Peter Pentchev.  (Closes: #533618)
 .
   * lib/Read_pkglists.pm:
     + [RA] Increment the package list format and expect the archive area
       as an additional argument.  Patch from Raphael Geissert.
   * lib/Spelling.pm:
     + [RA] Add changes misspelling.
     + [RA] Fix correction for endianness.  Thanks, Raphael Geissert.
       (Closes: #535582)
     + [RA] Only strip most punctuation from the end of each word, not from
       anywhere in the string.  We don't want to strip the period from
       res.size.  Thanks, Zack Weinberg.  (Closes: #534234)
   * lib/Tags.pm:
     + [RA] Replace all newlines in tag data with \n, not just the first.
       (Closes: #534141)
 .
   * man/lintian.1:
     + [RA] The archive area may be a comma-separated list of areas.  Patch
       from Raphael Geissert.
 .
   * private/update-coverage:
     + [RA] Provide a breakdown of tags only covered in the legacy test
       suite by test name.
 .
   * reporting/html_reports:
     + [RA] Change area back to section in the loop for generating the
       package index pages to be consistent with the page template.
     + [RA] Allow for multiple archive areas in the front page summary.
     + [RA] Add the archive area to the tag information.
   * reporting/templates/maintainer.tmpl:
     + [RA] Include the archive area in the source package heading if it's
       not main.  Include the archive area in the binary package heading if
       it's different than the source package archive area.
 .
   * unpack/list-{bin,src,udeb}pkg:
     + [RA] Collect information from multiple archive areas and include the
       archive area in the package list.  Patch from Raphael Geissert.
       (Closes: #516530)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpWF7oACgkQ+YXjQAr8dHalswCgi//qwHJ1YlKq71YRi5T4Mjm5
Oc4AoIVcKYbp4HwlAElAVBwshOrOxrFm
=V1sp
-----END PGP SIGNATURE-----



--- End Message ---
