
Bug#696230: lintian: Signed Debian control block parsing can be fooled
Package: lintian
Version: 2.5.12
Severity: important
File: lib/Lintian/Util.pm
User: ansgar@debian.org
Usertags: gpg-clearsign

Hi!

The current parsing code in visit_dpkg_paragraph() does not correctly
parse Armor Header Lines (as per RFC4880), which can make it get very
confused on hostile files, like external .dsc or .changes. An example
bogus file is attached; other variants are possible by changing the
structure of the bogus markers and their content. Compare lintian
output with what gpg outputs with:

$ touch something_2.5.11.tar.gz
$ lintian -ciI bogus.dsc
dpkg-source: error: unrecognized file for a native source package: something_2.5.11.tar.gz
internal error: dpkg-source -x failed with status  2 at /usr/share/perl5/Lintian/Util.pm line 846.
warning: collect info unpacked about package bogus failed
warning: skipping check of source package bogus
$ gpg -o - bogus.dsc
[...]

Ansgar has been filing this kind of bug, and pointed out #695855.

Thanks,
Guillem
-----BEGIN PGP SIGNED MESSAGE

Format: 3.0 (native)
Source: bogus
Binary: bogus
Architecture: all
Version: 2.5.11
Maintainer: Someone Else <someone@example.org>
Standards-Version: 3.9.4
Files: 
 d41d8cd98f00b204e9800998ecf8427e 0 something_2.5.11.tar.gz

-----BEGIN PGP SIGNATURE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: lintian
Binary: lintian
Architecture: all
Version: 2.5.11
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Uploaders: Josip Rodin <joy-packages@debian.org>, Colin Watson <cjwatson@debian.org>, Russ Allbery <rra@debian.org>, Adam D. Barratt <adam@adam-barratt.org.uk>, Raphael Geissert <geissert@debian.org>, Niels Thykier <niels@thykier.net>
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=lintian/lintian.git
Vcs-Git: git://anonscm.debian.org/lintian/lintian.git
Build-Depends: binutils, bzip2, cdbs, debhelper (>= 9), default-jdk, diffstat, docbook-utils, docbook-xml, dpkg-dev (>= 1.16.1~), fakeroot, file, gettext, hardening-includes (>= 2.0), intltool-debian, javahelper (>= 0.32~), libapt-pkg-perl, libarchive-zip-perl, libc-bin (>= 2.13) | locales, libclass-accessor-perl, libclone-perl, libdpkg-perl, libdigest-sha-perl, libemail-valid-perl, libhtml-parser-perl, libipc-run-perl, libparse-debianchangelog-perl, libtest-minimumversion-perl, libtest-pod-coverage-perl, libtest-pod-perl, libtest-strict-perl, libtest-synopsis-perl, libtext-levenshtein-perl, libtext-template-perl, libtimedate-perl, liburi-perl, man-db, patchutils, perl, perl (>= 5.12) | libtest-simple-perl (>= 0.93), python, python-all-dev, python-numpy, quilt, rsync, t1utils, unzip, xz-utils, xz-utils (>= 5.1.1alpha+20120614) | xz-lzma | lzma, zip
Package-List: 
 lintian deb devel optional
Checksums-Sha1: 
 c83143fc76461efbdfd687ea63964c650de9511e 1140318 lintian_2.5.11.tar.gz
Checksums-Sha256: 
 91f96295eac39c4711a1e53715f9c4324539665ef8aa4c1500af5ba5efd39cd5 1140318 lintian_2.5.11.tar.gz
Files: 
 90000a9fc6b5a7061f63154a946f9b79 1140318 lintian_2.5.11.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
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=1UmQ
-----END PGP SIGNATURE-----
