
Bug#696230: marked as done (lintian: Signed Debian control block parsing can be fooled)



Your message dated Sat, 16 Feb 2013 13:47:32 +0000
with message-id <E1U6i72-00059W-M7@franck.debian.org>
and subject line Bug#696230: fixed in lintian 2.5.10.4
has caused the Debian Bug report #696230,
regarding lintian: Signed Debian control block parsing can be fooled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
696230: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696230
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.12
Severity: important
File: lib/Lintian/Util.pm
User: ansgar@debian.org
Usertags: gpg-clearsign

Hi!

The current parsing code in visit_dpkg_paragraph() does not correctly
parse Armor Header Lines (as per RFC4880), which can make it get very
confused on hostile files, like external .dsc or .changes. An example
bogus file is attached, other variants are possible by changing the
structure of the bogus markers and their content. Compare lintian
output with what gpg outputs with:

$ touch something_2.5.11.tar.gz
$ lintian -ciI bogus.dsc
dpkg-source: error: unrecognized file for a native source package: something_2.5.11.tar.gz
internal error: dpkg-source -x failed with status  2 at /usr/share/perl5/Lintian/Util.pm line 846.
warning: collect info unpacked about package bogus failed
warning: skipping check of source package bogus
$ gpg -o - bogus.dsc
[...]

Ansgar has been filing this kind of bug, and pointed out #695855.

Thanks,
Guillem
-----BEGIN PGP SIGNED MESSAGE

Format: 3.0 (native)
Source: bogus
Binary: bogus
Architecture: all
Version: 2.5.11
Maintainer: Someone Else <someone@example.org>
Standards-Version: 3.9.4
Files: 
 d41d8cd98f00b204e9800998ecf8427e 0 something_2.5.11.tar.gz

-----BEGIN PGP SIGNATURE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: lintian
Binary: lintian
Architecture: all
Version: 2.5.11
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Uploaders: Josip Rodin <joy-packages@debian.org>, Colin Watson <cjwatson@debian.org>, Russ Allbery <rra@debian.org>, Adam D. Barratt <adam@adam-barratt.org.uk>, Raphael Geissert <geissert@debian.org>, Niels Thykier <niels@thykier.net>
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=lintian/lintian.git
Vcs-Git: git://anonscm.debian.org/lintian/lintian.git
Build-Depends: binutils, bzip2, cdbs, debhelper (>= 9), default-jdk, diffstat, docbook-utils, docbook-xml, dpkg-dev (>= 1.16.1~), fakeroot, file, gettext, hardening-includes (>= 2.0), intltool-debian, javahelper (>= 0.32~), libapt-pkg-perl, libarchive-zip-perl, libc-bin (>= 2.13) | locales, libclass-accessor-perl, libclone-perl, libdpkg-perl, libdigest-sha-perl, libemail-valid-perl, libhtml-parser-perl, libipc-run-perl, libparse-debianchangelog-perl, libtest-minimumversion-perl, libtest-pod-coverage-perl, libtest-pod-perl, libtest-strict-perl, libtest-synopsis-perl, libtext-levenshtein-perl, libtext-template-perl, libtimedate-perl, liburi-perl, man-db, patchutils, perl, perl (>= 5.12) | libtest-simple-perl (>= 0.93), python, python-all-dev, python-numpy, quilt, rsync, t1utils, unzip, xz-utils, xz-utils (>= 5.1.1alpha+20120614) | xz-lzma | lzma, zip
Package-List: 
 lintian deb devel optional
Checksums-Sha1: 
 c83143fc76461efbdfd687ea63964c650de9511e 1140318 lintian_2.5.11.tar.gz
Checksums-Sha256: 
 91f96295eac39c4711a1e53715f9c4324539665ef8aa4c1500af5ba5efd39cd5 1140318 lintian_2.5.11.tar.gz
Files: 
 90000a9fc6b5a7061f63154a946f9b79 1140318 lintian_2.5.11.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
[base64 signature data removed from the archived copy]
=1UmQ
-----END PGP SIGNATURE-----

--- End Message ---
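The check the fix in 2.5.10.4 describes ("reject partially signed Deb822 files") can be demonstrated as a strict structural parser for clearsigned files. The following is an added example, not lintian's own code and not the code from lib/Lintian/Util.pm: it accepts a file only if it is either entirely unsigned or begins with the exact RFC 4880 header line `-----BEGIN PGP SIGNED MESSAGE-----`, carries well-formed Armor Header Lines, and ends with `-----END PGP SIGNATURE-----` with nothing after it, so that the bogus layout from the attachment (a mangled marker plus an unsigned paragraph ahead of a properly signed one) is rejected instead of parsed. It only validates structure; it does not verify the signature, which is gpg's job. The sample files, the `AAAA` signature body and the `=AAAA` checksum are constructed for the example.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Armor Header Line, RFC 4880 section 6.2: "Key: value"
ARMOR_HEADER_RE = re.compile(r"^[A-Za-z0-9-]+: .*$")


class PartiallySignedError(ValueError):
    """Armor markers are present but do not cover the whole file, or are malformed."""


def _looks_like_marker(line):
    # Catch exact markers and mangled variants such as "-----BEGIN PGP SIGNATURE"
    return line.startswith("-----BEGIN PGP") or line.startswith("-----END PGP")


def _read_armor_headers(lines, i):
    """Consume 'Key: value' armor headers from index i; return the index just
    past the blank line that must terminate them."""
    while i < len(lines) and lines[i] != "":
        if not ARMOR_HEADER_RE.match(lines[i]):
            raise PartiallySignedError("malformed armor header line: %r" % lines[i])
        i += 1
    if i >= len(lines):
        raise PartiallySignedError("armor headers not terminated by a blank line")
    return i + 1


def extract_signed_body(text):
    """Return the dash-unescaped cleartext of a clearsigned file, or the text
    unchanged when no armor marker appears at all."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # final newline, not an extra line
    if not any(_looks_like_marker(l) for l in lines):
        return "\n".join(lines) + "\n"
    # A signed file must start with the exact header line: no leading paragraph,
    # no mangled marker, no leading blank lines.
    if not lines or lines[0] != BEGIN_SIGNED:
        raise PartiallySignedError("signed file must start with %r" % BEGIN_SIGNED)
    i = _read_armor_headers(lines, 1)
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if _looks_like_marker(line):
            raise PartiallySignedError("unexpected armor marker in cleartext: %r" % line)
        body.append(line[2:] if line.startswith("- ") else line)  # RFC 4880 dash-escaping
        i += 1
    if i >= len(lines):
        raise PartiallySignedError("cleartext not followed by a signature block")
    i = _read_armor_headers(lines, i + 1)
    while i < len(lines) and lines[i] != END_SIG:
        if _looks_like_marker(lines[i]):
            raise PartiallySignedError("unexpected armor marker in signature: %r" % lines[i])
        i += 1
    if i >= len(lines):
        raise PartiallySignedError("signature block not terminated by END marker")
    if any(l.strip() for l in lines[i + 1:]):
        raise PartiallySignedError("content after END PGP SIGNATURE is not signed")
    # The line ending before BEGIN PGP SIGNATURE is not part of the signed text.
    return "\n".join(body)


def parse_paragraph(body):
    """Parse the first Deb822 paragraph into a dict, folding continuation lines."""
    fields, current = {}, None
    for line in body.split("\n"):
        if line == "":
            if fields:
                break
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("not a field line: %r" % line)
            current = name
            fields[name] = value.strip()
    return fields


def check_file(text):
    """Return (status, fields); status is 'unsigned', 'signed' or 'rejected'."""
    try:
        body = extract_signed_body(text)
    except PartiallySignedError:
        return ("rejected", None)
    return ("signed" if text.startswith(BEGIN_SIGNED) else "unsigned", parse_paragraph(body))


# Constructed samples (signature bodies are placeholders, not real signatures).
SIG_BLOCK = (BEGIN_SIG + "\nVersion: GnuPG v1.4.12 (GNU/Linux)\n\n"
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n=AAAA\n" + END_SIG + "\n")
SIGNED_PARA = "Format: 3.0 (native)\nSource: lintian\nBinary: lintian\nVersion: 2.5.11\nFiles:\n 90000a9fc6b5a7061f63154a946f9b79 1140318 lintian_2.5.11.tar.gz\n\n"
GOOD_DSC = BEGIN_SIGNED + "\nHash: SHA256\n\n" + SIGNED_PARA + SIG_BLOCK
# Same shape as the attached bogus.dsc: mangled markers and an unsigned paragraph first.
BOGUS_DSC = ("-----BEGIN PGP SIGNED MESSAGE\n\nFormat: 3.0 (native)\nSource: bogus\nVersion: 2.5.11\n\n"
             "-----BEGIN PGP SIGNATURE\n" + GOOD_DSC)
LEADING_UNSIGNED_DSC = "Source: bogus\nVersion: 2.5.11\n\n" + GOOD_DSC
TRAILING_UNSIGNED_DSC = GOOD_DSC + "Source: unsigned-extra\n"
UNSIGNED_DSC = "Format: 3.0 (native)\nSource: plain\nVersion: 1.0\n"

if __name__ == "__main__":
    for name in ("GOOD_DSC", "BOGUS_DSC", "LEADING_UNSIGNED_DSC", "TRAILING_UNSIGNED_DSC", "UNSIGNED_DSC"):
        print(name, check_file(globals()[name])[0])
```

The important design choice is that any line resembling an armor marker anywhere in the file forces the strict path: the mangled `-----BEGIN PGP SIGNED MESSAGE` (no trailing dashes) in the attachment is neither a valid header line nor ordinary cleartext, so the file is rejected rather than having a parser guess which paragraph was signed.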
--- Begin Message ---
Source: lintian
Source-Version: 2.5.10.4

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 16 Feb 2013 14:17:03 +0100
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.10.4
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description: 
 lintian    - Debian package checker
Closes: 695866 696230 698602
Changes: 
 lintian (2.5.10.4) unstable; urgency=low
 .
   * checks/init.d:
     + [NT] Fix regression where Lintian would not properly match
       init.d passed to update-rc.d.  Thanks to Michael Meskes for
       reporting.  (Closes: #698602)
 .
   * lib/Lintian/Collect/Package.pm:
     + [NT] Ensure the "root" entry of indices do not contain itself.
       (Closes: #695866)
   * lib/Lintian/Util.pm:
     + [NT] Reject partially signed Deb822 files.  Most Deb822 files
       are not signed at all; but those that are should be completely
       covered by a signature.  (Closes: #696230)
     + [ADB] Fix a typo in the matching of expected delimiters for some
       signed messages; thanks Samuel Bronson.
Checksums-Sha1: 
 a541a224400bbc0aefe02c58632fdcf45898cea9 2564 lintian_2.5.10.4.dsc
 bc05a90de231dce5cfbc0c2fba1c3042408c7bdf 1099969 lintian_2.5.10.4.tar.gz
 7e68a82e21defc9cf2740560770b664feef8809a 708946 lintian_2.5.10.4_all.deb
Checksums-Sha256: 
 b5c0c59c7056e60f6acc8c33a0cdbce118f4ccea724169ec4fae278ba9e7ae63 2564 lintian_2.5.10.4.dsc
 d6b174b89efd1035821fa25121aebe46eb079d5cce025f1a5c68c1cb4647bdb2 1099969 lintian_2.5.10.4.tar.gz
 bdb1375de2b0857f5088964fe22cb7b1d6fba9418a5b3fef9af0d10b722fbb81 708946 lintian_2.5.10.4_all.deb
Files: 
 390bb8279734aa3a366e0836a8f4a631 2564 devel optional lintian_2.5.10.4.dsc
 1b92d5e6f1c9c3791cb8eea2269dd28f 1099969 devel optional lintian_2.5.10.4.tar.gz
 83c471d79fb0a6659d5a27e521d44cbd 708946 devel optional lintian_2.5.10.4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
[base64 signature data removed from the archived copy]
=vVDe
-----END PGP SIGNATURE-----

--- End Message ---
