[SCM] Debian package checker branch, master, updated. 2.5.4-155-gde0a7d4
The following commit has been merged in the master branch:
commit de0a7d44ebc86c8bb28d8b667e0c6bddb138fdde
Author: Jakub Wilk <jwilk@debian.org>
Date: Wed Feb 8 17:12:37 2012 +0100
Check for ELF binaries in unsafe paths in M-A same packages
Modification to original patch:
* Also assume "/.build-id/" dirs to be safe.
Signed-off-by: Niels Thykier <niels@thykier.net>
diff --git a/checks/binaries b/checks/binaries
index d9b8664..47bec4b 100644
--- a/checks/binaries
+++ b/checks/binaries
@@ -128,7 +128,10 @@ my $info = shift;
my $proc = shift;
my $arch;
+my $multiarch;
my $madir;
+my $gnu_triplet_re;
+my $ruby_triplet_re;
my $dynsyms = 0;
my $needs_libc = '';
my $needs_libc_file;
@@ -140,6 +143,7 @@ my $has_php_ext = 0;
my %SONAME;
$arch = $info->field('architecture')//'';
+$multiarch = $info->field('multi-arch')//'no';
my $srcpkg = $proc->pkg_src()//'';
foreach my $file (sort keys %{$info->objdump_info}) {
@@ -184,11 +188,18 @@ foreach my $file (sort keys %{$info->objdump_info}) {
# nsswitch modules
$madir = $MULTIARCH_DIRS->value($arch);
-# In the (unlikely) case that the architecture is unknown (or we do
+# In the case that the architecture is "all" or unknown (or we do
# not know the multi-arch path for a known architecture) , we assume
# it the multi-arch path to be this (hopefully!) non-existent path to
# avoid warnings about uninitialized variables.
$madir = './!non-existant-path!/./' unless defined $madir;
+
+$gnu_triplet_re = quotemeta $madir;
+$gnu_triplet_re =~ s,^i386,i[3-6]86,;
+$ruby_triplet_re = $gnu_triplet_re;
+$ruby_triplet_re =~ s,linux\\-gnu$,linux,;
+$ruby_triplet_re =~ s,linux\\-gnu,linux\\-,;
+
sub lib_soname_path {
my ($dir, @paths) = @_;
foreach my $path (@paths) {
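Review bot: The added lines that derive `$gnu_triplet_re` and `$ruby_triplet_re` carry no comment, and the two `linux\\-gnu` substitutions are hard to follow unless the reader knows that `quotemeta` has already turned every hyphen in `$madir` into `\-`. A short comment above the block would help, for example `# $madir is quotemeta'd first, so hyphens appear as "\-" in the substitutions below` and `# Ruby's arch directory drops "gnu" from the triplet (x86_64-linux-gnu -> x86_64-linux)`; the second is my reading of the substitutions and should be confirmed. The same comment should say that the `i[3-6]86` widening only takes effect when `$madir` begins with `i386`. The `sub lib_soname_path` that follows continues outside the hunk.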
@@ -266,6 +277,12 @@ foreach my $file (@{$info->sorted_file_info}) {
tag 'arch-dependent-file-in-usr-share', $file;
}
+ if ($multiarch eq 'same') {
+ unless ($file =~ m,/(?:$gnu_triplet_re|$ruby_triplet_re|java-\d+-openjdk-\Q$arch\E|\.build-id)/,) {
+ tag 'arch-dependent-file-not-in-arch-specific-directory', $file;
+ }
+ }
+
# ELF?
next unless $fileinfo =~ m/^[^,]*\bELF\b/o;
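Review bot: The new `Multi-Arch: same` block sits above the `# ELF?` guard, so it tags every file that reaches this point in the loop, while the tag text in checks/binaries.desc speaks only of an ELF binary. Which non-ELF files get this far depends on filters earlier in the loop body, which starts outside the hunk; if tagging them is intended the description should say so, otherwise the block belongs after `next unless $fileinfo =~ m/^[^,]*\bELF\b/o;`. The allow-list pattern also matches a triplet or `.build-id` component anywhere in the path, so a file under an unrelated parent directory with such a component is silently accepted. The pattern is interpolated again for every file; building it once before the loop with `qr` and giving it a name such as `$safe_dir_re` would make the accepted locations easier to audit.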
diff --git a/checks/binaries.desc b/checks/binaries.desc
index 9054908..0fc77bf 100644
--- a/checks/binaries.desc
+++ b/checks/binaries.desc
@@ -113,6 +113,13 @@ Ref: fhs usrsharearchitectureindependentdata
Info: This package installs an ELF binary in the <tt>/usr/share</tt>
hierarchy, which is reserved for architecture-independent files.
+Tag: arch-dependent-file-not-in-arch-specific-directory
+Severity: serious
+Certainty: possible
+Ref: https://wiki.ubuntu.com/MultiarchSpec
+Info: This package is Multi-Arch "same", but it installs an ELF binary in the
+ directory that is not architecture-specific.
+
Tag: binary-in-etc
Severity: serious
Certainty: certain
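Review bot: The `Info:` text for `arch-dependent-file-not-in-arch-specific-directory` does not say why the location matters or what the maintainer should do about it. I would add a sentence along the lines of `Multi-Arch: same packages can be installed for several architectures at once, so architecture-dependent files must be placed in a path that differs per architecture, such as /usr/lib/<triplet>/.` The phrase "in the directory that is not architecture-specific" also reads better as "in a directory that is not architecture-specific".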
diff --git a/debian/changelog b/debian/changelog
index 75de66e..7aae8f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ lintian (2.5.5) UNRELEASED; urgency=low
* Summary of tag changes:
+ Added:
+ - arch-dependent-file-not-in-arch-specific-directory
- control-file-contains-dh_make-vcs-comment
- debhelper-compat-file-is-missing
- dependency-is-not-multi-archified
@@ -29,8 +30,10 @@ lintian (2.5.5) UNRELEASED; urgency=low
+ [NT] Fixed assumptions about certain fields being present.
Where needed, Lintian will make guesses to the most likely
value (or the least "broken" value).
- * checks/binaries:
+ * checks/binaries{,.desc}:
+ [NT] Allow libnss_* plugins in usr/lib.
+ + [JW] Check for ELF binaries installed in unsafe paths in
+ Multi-Arch: same packages. (Closes: #650445)
* checks/control-file{,.desc}:
+ [NT] Allow "pkg (= ${source:Version})" versioned dependency if
pkg is architecture all. This fixes a false-positive
diff --git a/t/tests/binaries-missing-depends-on-libc/debian/Makefile b/t/tests/binaries-multiarch-same/debian/Makefile
similarity index 83%
copy from t/tests/binaries-missing-depends-on-libc/debian/Makefile
copy to t/tests/binaries-multiarch-same/debian/Makefile
index ed44e4a..889f388 100644
--- a/t/tests/binaries-missing-depends-on-libc/debian/Makefile
+++ b/t/tests/binaries-multiarch-same/debian/Makefile
@@ -1,8 +1,8 @@
+
all:
gcc -fPIC -shared -Wl,-z,defs -Wl,-soname,libbasic.so.2 -o libbasic.so.2 basic.c
install:
- # install it under the correct triplet directory
install -d $(DESTDIR)/usr/lib/
install -m 644 -c -s libbasic.so.2 $(DESTDIR)/usr/lib/libbasic.so.2
diff --git a/t/tests/binaries-missing-depends-on-libc/debian/basic.c b/t/tests/binaries-multiarch-same/debian/basic.c
similarity index 100%
copy from t/tests/binaries-missing-depends-on-libc/debian/basic.c
copy to t/tests/binaries-multiarch-same/debian/basic.c
diff --git a/t/tests/binaries-multiarch/debian/debian/control.in b/t/tests/binaries-multiarch-same/debian/debian/control.in
similarity index 97%
copy from t/tests/binaries-multiarch/debian/debian/control.in
copy to t/tests/binaries-multiarch-same/debian/debian/control.in
index 28b4016..d60094e 100644
--- a/t/tests/binaries-multiarch/debian/debian/control.in
+++ b/t/tests/binaries-multiarch-same/debian/debian/control.in
@@ -9,6 +9,7 @@ Package: libbasic2
Architecture: any
Pre-Depends: $\{misc:Pre-Depends\}, multiarch-support
Depends: $\{misc:Depends\}, $\{shlibs:Depends\}
+Multi-Arch: same
Description: {$description}
This is a test package designed to exercise some feature or tag of
Lintian. It is part of the Lintian test suite and may do very odd
@@ -19,3 +20,5 @@ Description: {$description}
older versions of debhelper might not use it yet. dpkg-dev will
remove the duplicate entry (if any).
+
+
diff --git a/t/tests/binaries-missing-depends-on-libc/debian/debian/libbasic2.symbols b/t/tests/binaries-multiarch-same/debian/debian/libbasic2.symbols
similarity index 100%
copy from t/tests/binaries-missing-depends-on-libc/debian/debian/libbasic2.symbols
copy to t/tests/binaries-multiarch-same/debian/debian/libbasic2.symbols
diff --git a/t/tests/binaries-multiarch-same/desc b/t/tests/binaries-multiarch-same/desc
new file mode 100644
index 0000000..f831308
--- /dev/null
+++ b/t/tests/binaries-multiarch-same/desc
@@ -0,0 +1,5 @@
+Testname: binaries-multiarch-same
+Sequence: 6000
+Version: 1.0
+Description: Test of multiarch same package with unsafe binaries
+Test-For: arch-dependent-file-not-in-arch-specific-directory
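Review bot: This test covers only the positive case, a library installed directly in `usr/lib/`; nothing in the commit exercises the paths the check treats as safe (the GNU triplet directory, the Ruby triplet, `java-N-openjdk-<arch>`, `.build-id`). Installing a second copy of the library under the triplet directory in the same test package, with no tag expected for it, would guard the allow-list against regressions. Whether an existing test elsewhere in the suite already covers that is not visible from this commit.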
diff --git a/t/tests/binaries-multiarch-same/tags b/t/tests/binaries-multiarch-same/tags
new file mode 100644
index 0000000..74b8b03
--- /dev/null
+++ b/t/tests/binaries-multiarch-same/tags
@@ -0,0 +1 @@
+E: libbasic2: arch-dependent-file-not-in-arch-specific-directory usr/lib/libbasic.so.2
--
Debian package checker