Your message dated Sat, 16 Feb 2013 13:47:32 +0000 with message-id <E1U6i72-00059W-M7@franck.debian.org> and subject line Bug#696230: fixed in lintian 2.5.10.4 has caused the Debian Bug report #696230, regarding lintian: Signed Debian control block parsing can be fooled to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
696230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696230
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: lintian: Signed Debian control block parsing can be fooled
- From: Guillem Jover <guillem@debian.org>
- Date: Tue, 18 Dec 2012 13:24:58 +0100
- Message-id: <20121218122458.GA418@gaara.hadrons.org>
Package: lintian
Version: 2.5.12
Severity: important
File: lib/Lintian/Util.pm
User: ansgar@debian.org
Usertags: gpg-clearsign

Hi!

The current parsing code in visit_dpkg_paragraph() does not correctly parse Armor Header Lines (as per RFC4880), which can make it get very confused on hostile files, like external .dsc or .changes.

An example bogus file is attached, other variants are possible by changing the structure of the bogus markers and their content. Compare lintian output with what gpg outputs with:

  $ touch something_2.5.11.tar.gz
  $ lintian -ciI bogus.dsc
  dpkg-source: error: unrecognized file for a native source package: something_2.5.11.tar.gz
  internal error: dpkg-source -x failed with status 2 at /usr/share/perl5/Lintian/Util.pm line 846.
  warning: collect info unpacked about package bogus failed
  warning: skipping check of source package bogus
  $ gpg -o - bogus.dsc
  [...]

Ansgar has been filing this kind of bugs, and pointed out to #695855.

Thanks,
Guillem

-----BEGIN PGP SIGNED MESSAGE
Format: 3.0 (native)
Source: bogus
Binary: bogus
Architecture: all
Version: 2.5.11
Maintainer: Someone Else <someone@example.org>
Standards-Version: 3.9.4
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 something_2.5.11.tar.gz
-----BEGIN PGP SIGNATURE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: lintian
Binary: lintian
Architecture: all
Version: 2.5.11
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Uploaders: Josip Rodin <joy-packages@debian.org>, Colin Watson <cjwatson@debian.org>, Russ Allbery <rra@debian.org>, Adam D. Barratt <adam@adam-barratt.org.uk>, Raphael Geissert <geissert@debian.org>, Niels Thykier <niels@thykier.net>
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=lintian/lintian.git
Vcs-Git: git://anonscm.debian.org/lintian/lintian.git
Build-Depends: binutils, bzip2, cdbs, debhelper (>= 9), default-jdk, diffstat, docbook-utils, docbook-xml, dpkg-dev (>= 1.16.1~), fakeroot, file, gettext, hardening-includes (>= 2.0), intltool-debian, javahelper (>= 0.32~), libapt-pkg-perl, libarchive-zip-perl, libc-bin (>= 2.13) | locales, libclass-accessor-perl, libclone-perl, libdpkg-perl, libdigest-sha-perl, libemail-valid-perl, libhtml-parser-perl, libipc-run-perl, libparse-debianchangelog-perl, libtest-minimumversion-perl, libtest-pod-coverage-perl, libtest-pod-perl, libtest-strict-perl, libtest-synopsis-perl, libtext-levenshtein-perl, libtext-template-perl, libtimedate-perl, liburi-perl, man-db, patchutils, perl, perl (>= 5.12) | libtest-simple-perl (>= 0.93), python, python-all-dev, python-numpy, quilt, rsync, t1utils, unzip, xz-utils, xz-utils (>= 5.1.1alpha+20120614) | xz-lzma | lzma, zip
Package-List:
 lintian deb devel optional
Checksums-Sha1:
 c83143fc76461efbdfd687ea63964c650de9511e 1140318 lintian_2.5.11.tar.gz
Checksums-Sha256:
 91f96295eac39c4711a1e53715f9c4324539665ef8aa4c1500af5ba5efd39cd5 1140318 lintian_2.5.11.tar.gz
Files:
 90000a9fc6b5a7061f63154a946f9b79 1140318 lintian_2.5.11.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

[signature data omitted]
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
- To: 696230-close@bugs.debian.org
- Subject: Bug#696230: fixed in lintian 2.5.10.4
- From: Niels Thykier <niels@thykier.net>
- Date: Sat, 16 Feb 2013 13:47:32 +0000
- Message-id: <E1U6i72-00059W-M7@franck.debian.org>
Source: lintian
Source-Version: 2.5.10.4

We believe that the bug you reported is fixed in the latest version of lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 696230@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Feb 2013 14:17:03 +0100
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.10.4
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian - Debian package checker
Closes: 695866 696230 698602
Changes:
 lintian (2.5.10.4) unstable; urgency=low
 .
   * checks/init.d:
     + [NT] Fix regression where Lintian would not properly match
       init.d passed to update-rc.d. Thanks to Michael Meskes for
       reporting. (Closes: #698602)
 .
   * lib/Lintian/Collect/Package.pm:
     + [NT] Ensure the "root" entry of indices do not contain
       itself. (Closes: #695866)
   * lib/Lintian/Util.pm:
     + [NT] Reject partially signed Deb822 files. Most Deb822
       files are not signed at all; but those that are should be
       completely covered by a signature. (Closes: #696230)
     + [ADB] Fix a typo in the matching of expected delimiters for
       some signed messages; thanks Samuel Bronson.
Checksums-Sha1:
 a541a224400bbc0aefe02c58632fdcf45898cea9 2564 lintian_2.5.10.4.dsc
 bc05a90de231dce5cfbc0c2fba1c3042408c7bdf 1099969 lintian_2.5.10.4.tar.gz
 7e68a82e21defc9cf2740560770b664feef8809a 708946 lintian_2.5.10.4_all.deb
Checksums-Sha256:
 b5c0c59c7056e60f6acc8c33a0cdbce118f4ccea724169ec4fae278ba9e7ae63 2564 lintian_2.5.10.4.dsc
 d6b174b89efd1035821fa25121aebe46eb079d5cce025f1a5c68c1cb4647bdb2 1099969 lintian_2.5.10.4.tar.gz
 bdb1375de2b0857f5088964fe22cb7b1d6fba9418a5b3fef9af0d10b722fbb81 708946 lintian_2.5.10.4_all.deb
Files:
 390bb8279734aa3a366e0836a8f4a631 2564 devel optional lintian_2.5.10.4.dsc
 1b92d5e6f1c9c3791cb8eea2269dd28f 1099969 devel optional lintian_2.5.10.4.tar.gz
 83c471d79fb0a6659d5a27e521d44cbd 708946 devel optional lintian_2.5.10.4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

[signature data omitted]
-----END PGP SIGNATURE-----
--- End Message ---
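
The mismatch reported above and the "Reject partially signed Deb822 files" fix, as an added Python example that is not lintian's code: lenient_payload is a hypothetical parser that matches armor lines by prefix, strict_payload a hypothetical one that accepts only exact RFC 4880 armor lines and nothing but blank lines outside the signed block. BOGUS is a constructed sample modelled on the attached bogus.dsc with a placeholder for the signature data; neither function verifies the signature, which remains gpg's job.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def lenient_payload(text):
    """Hypothetical parser that matches armor lines by prefix only."""
    body, state = [], "start"
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break
        if state == "body":
            body.append(line)
        elif state == "headers" and not line.strip():
            state = "body"      # blank line ends the armor headers
        elif line.startswith("-----BEGIN PGP SIGNED MESSAGE"):
            state = "headers"
    return "\n".join(body).strip()

def strict_payload(text):
    """Return the signed body; raise ValueError unless every armor line is
    exact and only blank lines lie outside the signed block."""
    body, state = [], "start"
    for n, line in enumerate(text.splitlines(), 1):
        if state in ("start", "done"):
            if not line.strip():
                continue
            if state == "start" and line == BEGIN_MSG:
                state = "headers"
                continue
            raise ValueError(f"line {n}: data outside the signed block")
        if state == "headers":
            if not line.strip():
                state = "body"
            elif not line.startswith("Hash: "):
                raise ValueError(f"line {n}: unexpected armor header")
        elif line == (BEGIN_SIG if state == "body" else END_SIG):
            state = "sig" if state == "body" else "done"
        elif line.startswith("-----"):
            raise ValueError(f"line {n}: malformed or misplaced armor line")
        elif state == "body":
            body.append(line[2:] if line.startswith("- ") else line)  # dash-unescape
    if state != "done":
        raise ValueError("no complete signed block found")
    return "\n".join(body).strip()

# Constructed samples; PLACEHOLDER stands in for real signature data.
GENUINE = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "Format: 3.0 (native)",
                     "Source: lintian", "", BEGIN_SIG, "", "PLACEHOLDER", END_SIG, ""])
BOGUS = "\n".join(["-----BEGIN PGP SIGNED MESSAGE", "", "Format: 3.0 (native)",
                   "Source: bogus", "", "-----BEGIN PGP SIGNATURE", "", GENUINE])
```

On BOGUS the lenient parser returns the "Source: bogus" paragraph, which is not the block a signature check would cover, while the strict parser refuses the file at line 1.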