
Bug#697164: marked as done ([new check] check for source packages with symlinks pointing outside)



Your message dated Thu, 25 Apr 2013 22:41:19 +0200
with message-id <517994EF.4010402@thykier.net>
and subject line Re: Bug#697164: [new check] check for source packages with symlinks pointing outside
has caused the Debian Bug report #697164,
regarding [new check] check for source packages with symlinks pointing outside
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697164: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697164
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.11
Severity: wishlist

dpkg-source is not able (#645157) to properly handle source packages
with relative/absolute symlinks that point outside of the package. It
would be good if lintian could detect this situation and give an error.
lintian should check both the orig.tar and the debian.tar. Since Debian
source packages need to be self-contained, this should be an autoreject
that cannot be overridden. If you need an example package, there is one
at the URLs below. I discovered it during my work on the Debian
derivatives census.

http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc
http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Version: 2.5.12

On 2013-01-04 19:29, Jakub Wilk wrote:
> Hi Paul,
> 
> Thanks for the bug report.
> 

Hi,

> * Paul Wise <pabs@debian.org>, 2013-01-02, 09:50:
>> dpkg-source is not able (#645157) to properly handle source packages
>> with relative/absolute symlinks that point outside of the package. It
>> would be good if lintian could detect this situation and give an
>> error. lintian should check both the orig.tar and the debian.tar.

Lintian 2.5.12 has a tag for this now, source-contains-unsafe-symlink,
in response to #705553 (CVE-2013-1429).  It has a few exceptions (namely
broken symlinks in test suites are ignored).

Lintian will check the resulting unpacked package (i.e. the directory
created by dpkg-source -x).  We do not have the infrastructure to do any
checking prior to running (all relevant) collections.  So if dpkg-source
fails to extract such a source package, Lintian cannot check it.

>> Since Debian source packages need to be self-contained, this should be
>> an autoreject that cannot be overridden. If you need an example
>> package, there is one at the URLs below. I discovered it during my
>> work on the Debian derivatives census.
>>

While I agree these tags (this and the one for binary packages) should
probably be an auto-reject, we do not make that call.  You will have to
convince the FTP-masters here - not sure whether it should be an
unconditional override.

>> http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc
>>
>> http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc
> 
> Lintian already checks if debian/ directory itself is a symlink pointing
> outside the source package:
> 
> $ lintian exe_1.04.1.3602-boss1.dsc
> internal error: cannot resolve debian directory symlink in exe: No such
> file or directory at /usr/share/perl5/Lintian/Util.pm line 846.
> warning: collect info debfiles about package exe failed
> warning: skipping check of source package exe
> 

Indeed, I remember seeing that package and I am fairly sure that
checking was a result of that.

> 
> As for banning all such symlinks, I'm not sure it's a good idea. I
> happen to maintain a package which contains one (lintian4python), and I
> think it's a valid use-case. Feel free to convince me otherwise, though. :)
> 

I believe this was taken care of with Lintian/2.5.12 supporting
--include-dir in lintian4python 0.17.2.

~Niels

--- End Message ---
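The check discussed in this thread, as an added example that is not Lintian's or dpkg-source's own code: it walks an already unpacked source tree (the same input Lintian gets after `dpkg-source -x`) and reports every symlink whose target lands outside the tree. Resolution is purely lexical: a relative target is joined to the link's own directory and normalised, an absolute target is always outside because the tree can be unpacked anywhere, and the target does not have to exist, so a dangling link that stays in-tree (the kind the reply says is ignored in test suites) is not reported. The sample tree, its file names and the `E: source-contains-unsafe-symlink` output line are constructed for the example.

```python
"""Report symlinks in an unpacked source tree whose target escapes the tree.

Added example; not Lintian's or dpkg-source's code.  Links are judged
lexically, the way an extractor that refuses to follow links sees them.
"""
import os
import shutil
import tempfile


def _inside(path: str, root: str) -> bool:
    """True if the lexical path is `root` itself or lies below it.

    The separator is appended so that /tmp/pkg-10 is not mistaken for a
    child of /tmp/pkg-1.
    """
    return path == root or path.startswith(root + os.sep)


def find_unsafe_symlinks(root: str) -> list[str]:
    """Return sorted tree-relative paths of symlinks that point outside `root`.

    Only the link's own text is examined (os.path.normpath, no stat of the
    target).  A link that passes through another escaping link is therefore
    judged on its literal target; the intermediate link is reported on its own.
    """
    root = os.path.abspath(root)
    unsafe = []
    for dirpath, dirnames, filenames in os.walk(root):  # never follows links
        # os.walk places symlinks to directories in `dirnames` (without
        # descending into them), so both lists have to be inspected.
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.readlink(full)
            if os.path.isabs(target):
                escapes = True  # absolute targets are outside by construction
            else:
                resolved = os.path.normpath(os.path.join(dirpath, target))
                escapes = not _inside(resolved, root)
            if escapes:
                unsafe.append(os.path.relpath(full, root))
    return sorted(unsafe)


def build_sample_tree(base: str) -> str:
    """Create a constructed source tree under `base` with several link kinds."""
    root = os.path.join(base, "pkg-1.0")
    os.makedirs(os.path.join(root, "debian"))
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    # safe: relative link to a sibling file
    os.symlink("main.c", os.path.join(root, "src", "alias.c"))
    # safe: climbs up but stays inside the tree
    os.symlink("../src/main.c", os.path.join(root, "debian", "main.c"))
    # safe: dangling, but the missing target would be inside the tree
    os.symlink("missing.txt", os.path.join(root, "src", "broken"))
    # unsafe: climbs out of the tree with ".."
    os.symlink("../../etc/passwd", os.path.join(root, "debian", "passwd"))
    # unsafe: absolute target
    os.symlink("/etc/hostname", os.path.join(root, "hostname"))
    # unsafe: dangling *and* escaping (directory-style link)
    os.symlink("../../outside", os.path.join(root, "src", "vendor"))
    return root


def demo() -> list[str]:
    """Build the sample tree in a temporary directory, scan it, clean up."""
    base = tempfile.mkdtemp(prefix="symlink-check-")
    try:
        return find_unsafe_symlinks(build_sample_tree(base))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path in demo():
        print(f"E: source-contains-unsafe-symlink {path}")
```

Running the script prints three `E:` lines, for `debian/passwd`, `hostname` and `src/vendor`; `src/broken` is not listed because its target, although missing, would still be inside the tree. The same lexical test (absolute target, or `..` climbing past the top-level directory) can be applied to a tar member's link name before extraction, which is how one would cover the case the reply points out, where dpkg-source refuses to unpack the archive and an unpacked-tree check never runs.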
