Your message dated Thu, 25 Apr 2013 22:41:19 +0200
with message-id <517994EF.4010402@thykier.net>
and subject line Re: Bug#697164: [new check] check for source packages with symlinks pointing outside
has caused the Debian Bug report #697164,
regarding [new check] check for source packages with symlinks pointing outside
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
697164: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697164
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: [new check] check for source packages with symlinks pointing outside
- From: Paul Wise <pabs@debian.org>
- Date: Wed, 02 Jan 2013 09:50:36 +0800
- Message-id: <1357091436.13638.34.camel@chianamo>
Package: lintian
Version: 2.5.11
Severity: wishlist

dpkg-source is not able (#645157) to properly handle source packages with relative/absolute symlinks that point outside of the package. It would be good if lintian could detect this situation and give an error. lintian should check both the orig.tar and the debian.tar.

Since Debian source packages need to be self-contained, this should be an autoreject that cannot be overridden.

If you need an example package, there is one at the URLs below. I discovered it during my work on the Debian derivatives census.

http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc
http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
- To: 697164-done@bugs.debian.org, Paul Wise <pabs@debian.org>
- Subject: Re: Bug#697164: [new check] check for source packages with symlinks pointing outside
- From: Niels Thykier <niels@thykier.net>
- Date: Thu, 25 Apr 2013 22:41:19 +0200
- Message-id: <517994EF.4010402@thykier.net>
- In-reply-to: <20130104182928.GA4259@jwilk.net>
- References: <1357091436.13638.34.camel@chianamo> <20130104182928.GA4259@jwilk.net>
Version: 2.5.12

On 2013-01-04 19:29, Jakub Wilk wrote:
> Hi Paul,
> 
> Thanks for the bug report.
> 

Hi,

> * Paul Wise <pabs@debian.org>, 2013-01-02, 09:50:
>> dpkg-source is not able (#645157) to properly handle source packages
>> with relative/absolute symlinks that point outside of the package. It
>> would be good if lintian could detect this situation and give an
>> error. lintian should check both the orig.tar and the debian.tar.

Lintian 2.5.12 has a tag for this now, source-contains-unsafe-symlink, in response to #705553 (CVE-2013-1429). It has a few exceptions (namely broken symlinks in test suites are ignored).

Lintian will check the resulting unpacked package (i.e. the directory created by dpkg-source -x). We do not have the infrastructure to do any checking prior to running (all relevant) collections. So if dpkg-source fails to extract such a source package, Lintian cannot check it.

>> Since Debian source packages need to be self-contained, this should be
>> an autoreject that cannot be overridden. If you need an example
>> package, there is one at the URLs below. I discovered it during my
>> work on the Debian derivatives census.
>> 

While I agree these tags (this and the one for binary packages) should probably be an auto-reject, we do not make that call. You will have to convince the FTP-masters here - not sure whether it should be an unconditional override.

>> http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc
>> 
>> http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc
> 
> Lintian already checks if debian/ directory itself is a symlink pointing
> outside the source package:
> 
> $ lintian exe_1.04.1.3602-boss1.dsc
> internal error: cannot resolve debian directory symlink in exe: No such
> file or directory at /usr/share/perl5/Lintian/Util.pm line 846.
> warning: collect info debfiles about package exe failed
> warning: skipping check of source package exe
> 

Indeed, I remember seeing that package and I am fairly sure that checking was a result of that.

> 
> As for banning all such symlinks, I'm not sure it's a good idea. I
> happen to maintain a package which contains one (lintian4python), and I
> think it's a valid use-case. Feel free to convince me otherwise, though. :)
> 

I believe this was taken care of with Lintian/2.5.12 supporting --include-dir in lintian4python 0.17.2.

~Niels
--- End Message ---
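The check the thread converges on (walk the tree that dpkg-source -x produced, flag every symlink whose target is absolute or resolves outside the tree, tolerate broken links in test suites) is small enough to show end to end. The script below is an added example written for this page; it is not Lintian's source-contains-unsafe-symlink implementation and does not reproduce its exact exception list. Assumptions made here and not stated in the thread: the directories treated as "test suites" (TEST_DIRS), the decision to flag every absolute target regardless of where it happens to point, and the sample tree, which is constructed in a temp directory by build_sample_tree() and has nothing to do with the exe_1.04.1.3602-boss1 package. One design point worth noting: targets are resolved against the real filesystem with os.path.realpath rather than by normalising the target string, because a purely lexical check misses two-step escapes such as a harmless `here -> .` followed by `up -> here/..`, which is inside the tree on paper and one level above it on disk.

```python
import os
import tempfile

# Directory names under which a *broken* symlink is tolerated. The reply above
# says Lintian ignores broken symlinks in test suites; this particular list is
# an assumption of the example, not Lintian's.
TEST_DIRS = {"test", "tests", "t"}


def classify_symlink(root, link):
    """Classify one symlink `link` inside the unpacked source tree `root`.

    Returns "unsafe" for an absolute target or a relative target that resolves
    outside the tree, "broken" for a target inside the tree that does not
    exist, and "ok" otherwise. Resolution uses os.path.realpath, i.e. the real
    filesystem, so chains of links are followed the way a build would follow
    them instead of by lexical normalisation of the target string.
    """
    real_root = os.path.realpath(root)
    target = os.readlink(link)
    if os.path.isabs(target):
        # Policy choice of this example: an absolute target depends on where
        # the tree was unpacked, so it is flagged unconditionally.
        return "unsafe"
    resolved = os.path.realpath(link)
    if os.path.commonpath([real_root, resolved]) != real_root:
        return "unsafe"
    if not os.path.exists(link):
        return "broken"
    return "ok"


def scan_tree(root):
    """Walk `root` without following links and return {relative path: status}
    for every symlink, applying the test-suite exception for broken links."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            status = classify_symlink(root, path)
            rel = os.path.relpath(path, root)
            parents = rel.split(os.sep)[:-1]
            if status == "broken" and any(p in TEST_DIRS for p in parents):
                status = "ignored-broken-in-tests"
            results[rel] = status
    return results


def unsafe_symlinks(root):
    """Sorted relative paths of the links a checker would reject."""
    return sorted(p for p, s in scan_tree(root).items() if s == "unsafe")


def build_sample_tree():
    """Constructed sample of an unpacked source package (not a real package).
    Returns the path of the package directory; the parent temp dir also holds
    an `outside` directory that two of the links try to reach."""
    base = tempfile.mkdtemp(prefix="symlink-check-")
    root = os.path.join(base, "pkg-1.0")
    for d in ("debian", "src", "tests"):
        os.makedirs(os.path.join(root, d))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(root, "src", "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    # Safe relative link that stays inside the tree.
    os.symlink("../src/main.c", os.path.join(root, "debian", "main.c"))
    # Absolute target: unsafe.
    os.symlink("/etc/passwd", os.path.join(root, "src", "passwd"))
    # Relative target climbing out of the tree: unsafe.
    os.symlink("../../outside", os.path.join(root, "src", "data"))
    # Two-step escape: `here` is harmless, `up` escapes through it.
    os.symlink(".", os.path.join(root, "here"))
    os.symlink("here/..", os.path.join(root, "up"))
    # Broken link inside a test suite: tolerated.
    os.symlink("missing-fixture.txt", os.path.join(root, "tests", "fixture"))
    # Broken link elsewhere: reported as broken, not as unsafe.
    os.symlink("no-such-file", os.path.join(root, "src", "dangling"))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, status in sorted(scan_tree(tree).items()):
        print(f"{status:24s} {rel}")
    print("reject:", unsafe_symlinks(tree))
```

Run it against a real unpacked tree with `unsafe_symlinks("/path/to/pkg-1.0")`; it only inspects the extracted directory, which matches the limitation stated above: if dpkg-source refuses to extract the package in the first place, there is nothing for this kind of check to look at.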