Bug#734402: lintian: [refining a test] take in account man macros existing in the build tree
On 2014-01-06 23:07, Georges Khaznadar wrote:
> Package: lintian
> Version: 2.5.20
> Severity: normal
> Tags: patch
>
> Dear Maintainer,
> I propose to refine a little the check for warnings in manpages
> Here are my replies to the ordinary questions:
>
Hi,
Thanks for reporting this issue.
> [...]
>
>
> --- lintian-2.5.20/checks/manpages.pm 2013-11-23 19:04:56.000000000 +0100
> +++ lintian-2.5.20+nmu1/checks/manpages.pm 2014-01-06 23:05:26.040016000 +0100
> @@ -268,6 +268,13 @@
> if ($dir) {
> chdir($dir);
> }
> + # find the path to man macros if necessary
> + my $macro_path=$path;
> + $macro_path =~ s{(.*/unpacked).*}{$1};
Looks like you want:
my $macro_path = $info->unpacked
> + $macro_path = `find $macro_path -type d -name tmac| tr '\\n' ':'`;
If so, we can probably settle this one by quoting the $macro_path
variable in the ``. Otherwise, this is a possible CVE (if $macro_path
is taken from the package, it is a "trivial" matter of creating a file/dir
in the package which causes the above line to suffer from shell command
injection).
Maybe use -print0 if tr supports null -> ":", but that is nitpicking.
Alternatively there is File::Find.
Personally, I am not familiar with the "tmac" files; are they always
expected in a dir called "tmac"? And can they really be anywhere in the
package? Or can we narrow it down to say usr/share/ ?
> + if ($macro_path){
> + $ENV{GROFF_TMAC_PATH}=$macro_path;
> + }
> $ENV{MANROFFSEQ} = '';
> $ENV{MANWIDTH} = 80;
> exec { $cmd[0] } @cmd
>
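Review bot: the added line "$macro_path = `find $macro_path -type d -name tmac| tr '\\n' ':'`;" interpolates the path unquoted into a shell command, and every directory named tmac anywhere below it ends up in GROFF_TMAC_PATH. The contents of the package being checked therefore influence both the command line and where groff looks for macros. Walking $info->unpacked with File::Find and building the value with join(':', ...) would keep the shell out of it and would also drop the trailing ':' that the tr pipeline leaves behind. Limiting the walk to the directory where tmac files are actually expected would narrow it further. Separately, if the s{(.*/unpacked).*}{$1} substitution does not match, $macro_path is still the full $path and find is run on the manpage file itself, so an explicit check for a successful match would help.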
~Niels
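
A shell-free version of the directory search discussed above, using File::Find as the reply suggests. This is an added example, not part of the original message or of lintian's code; the sub name tmac_path and the temporary tree with its directory names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find ();
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Return a colon-separated list of directories named "tmac" below $root.
# No shell is started, so names taken from the package are only ever data.
sub tmac_path {
    my ($root) = @_;
    my @dirs;
    File::Find::find({
        no_chdir => 1,                  # $_ holds the full path
        wanted   => sub {
            return unless m{/tmac\z};   # directory name must be exactly "tmac"
            return if -l $_;            # do not follow or accept symlinks
            return unless -d $_;        # real directories only
            if (/[:\n]/) {
                # Cannot be represented in a colon-separated path list.
                warn "skipping unusable path: $_\n";
                return;
            }
            push @dirs, $_;
        },
    }, $root);
    return join(':', sort @dirs);       # no trailing ':' as with find | tr
}

# Constructed sample tree standing in for an unpacked package.
my $root = tempdir(CLEANUP => 1);
make_path(
    "$root/usr/share/groff/tmac",   # ordinary location
    "$root/odd name;x/tmac",        # shell metacharacters in a parent name
    "$root/a:b/tmac",               # contains ':' and is skipped
);

my $path = tmac_path($root);
local $ENV{GROFF_TMAC_PATH} = $path if length $path;
print "GROFF_TMAC_PATH=$path\n";
```

The directory whose parent contains a space and a semicolon is listed like any other, and the one containing ':' is reported and left out rather than silently splitting into two path entries.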