[lintian] 01/01: Also check for find(1) calls when checking for maintainer scripts that use a recursive chown. (Closes: #895370)



This is an automated email from the git hooks/post-receive script.

lamby pushed a commit to branch master
in repository lintian.

commit 52e1bfac52ddba315ba66778570eb00b10c473de
Author: Chris Lamb <lamby@debian.org>
Date:   Tue Apr 10 18:30:13 2018 +0100

    Also check for find(1) calls when checking for maintainer scripts that use a recursive chown. (Closes: #895370)
---
 checks/scripts.desc                                       | 3 ++-
 data/scripts/maintainer-script-bad-command                | 2 +-
 debian/changelog                                          | 5 +++++
 t/tests/scripts-maintainer-general/debian/debian/postinst | 1 +
 t/tests/scripts-maintainer-general/tags                   | 1 +
 5 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/checks/scripts.desc b/checks/scripts.desc
index eba0c8e..da057dc 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -817,7 +817,8 @@ Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
 Severity: normal
 Certainty: certain
 Info: The maintainer script appears to call <tt>chmod</tt> or
- <tt>chown</tt> with an <tt>--recursive</tt> or <tt>-R</tt> argument.
+ <tt>chown</tt> with a <tt>--recursive</tt>/<tt>-R</tt> argument, or
+ uses <tt>find(1)</tt> in a similar manner.
  .
  This is vulnerable to hardlink attacks on mainline, non-Debian kernels
  that do not have <tt>fs.protected_hardlinks=1</tt>,
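Review bot: the added sentence "uses <tt>find(1)</tt> in a similar manner" is much vaguer than the rest of this description and leaves the reader guessing which find(1) invocations trigger the tag; the pattern added in data/scripts/maintainer-script-bad-command in this same commit only matches <tt>find</tt> ... <tt>exec</tt> ... <tt>chown</tt>, so say that explicitly (e.g. "or uses <tt>find -exec chown</tt> over a directory tree"). Since the tag name covers both <tt>chmod</tt> and <tt>chown</tt>, either extend the data pattern to <tt>chmod</tt> as well or state here that <tt>find -exec chmod</tt> is not detected.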
diff --git a/data/scripts/maintainer-script-bad-command b/data/scripts/maintainer-script-bad-command
index ef5a159..6c2b606 100644
--- a/data/scripts/maintainer-script-bad-command
+++ b/data/scripts/maintainer-script-bad-command
@@ -35,7 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly           ~~ 1 ~~^(base-fi
 maintainer-script-should-not-use-fc-cache                       ~~ 0 ~~^(fontconfig)$      ~~          ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z)
 maintainer-script-should-not-use-gconftool                      ~~ 1 ~~^(gconf\d)$         ~~          ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z)
 maintainer-script-should-not-use-install-sgmlcatalog            ~~ 1 ~~                    ~~          ~~\binstall-sgmlcatalog\b
-maintainer-script-should-not-use-recursive-chown-or-chmod       ~~ 1 ~~                    ~~          ~~\b(?:chmod|chown).*(?:-R|--recursive)\b
+maintainer-script-should-not-use-recursive-chown-or-chmod       ~~ 1 ~~                    ~~          ~~\b(?:(?:chmod|chown).*(?:-R|--recursive)|find.*exec.*chown)\b
 maintainer-script-should-not-use-service                        ~~ 1 ~~                    ~~          ~~${LEADIN}service\b
 maintainer-script-should-not-use-start-stop-daemon              ~~ 0 ~~                    ~~          ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b)
 maintainer-script-should-not-use-update-alternatives-remove     ~~ 1 ~~                    ~~^postrm$  ~~\b update\-alternatives\s+\-\-remove\b
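Review bot: the new alternative `find.*exec.*chown` is narrower than the existing one in one direction and broader in another. Narrower: it only matches chown, so `find ... -exec chmod ...` still passes although the tag is named for both commands; suggest `find.*exec.*(?:chmod|chown)` to mirror the left-hand `(?:chmod|chown)`. Broader: the two `.*` span the whole line, so any line containing `find`, then `exec`, then `chown` in that order matches, including a non-recursive `find /dir -maxdepth 0 -exec chown ...` or an unrelated `find` and `chown` joined by `;` or `&&` on one line; anchoring on `-exec(?:dir)?\s+(?:chmod|chown)` would cut those false positives without losing the case this commit targets.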
diff --git a/debian/changelog b/debian/changelog
index 593aa1c..a19ef8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,11 @@ lintian (2.5.82) UNRELEASED; urgency=medium
       some currently-problematic packages such as gcc-8-cross-ports
       preventing the update of https://lintian.debian.org/.  (See #890873)
 
+  * data/scripts/maintainer-script-bad-command:
+    + [CL] Also check for find(1) calls when checking for maintainer
+      scripts that use a recursive chown.  Thanks to Daniel Kahn Gillmore
+      for the report.  (Closes: #895370)
+
   * vendors/pureos/main/data/changes-file/derivative-versions:
     + [CL] Ensure that PureOS packages always end with (eg. pureosX).
   * vendors/pureos/main/data/fields/derivative-fields:
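Review bot: please double-check the spelling of the reporter's name in the credit line ("Daniel Kahn Gillmore") against the submitter of #895370 before this entry is released, since changelog credits are rarely corrected afterwards. The entry also only mentions the data file, while the commit additionally rewords the tag description in checks/scripts.desc; worth a mention so the changelog matches the diffstat.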
diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst b/t/tests/scripts-maintainer-general/debian/debian/postinst
index 706d7cf..02c4a6b 100755
--- a/t/tests/scripts-maintainer-general/debian/debian/postinst
+++ b/t/tests/scripts-maintainer-general/debian/debian/postinst
@@ -216,5 +216,6 @@ chmod -R 777 /bad
 chmod 777 -R /bad
 chmod 777 --recursive /bad
 chmod --recursive 777 /bad
+find /bad -maxdepth 2 -type d -exec chown root:root {} \; # (#895370)
 
 #DEBHELPER#
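Review bot: the new test line exercises only the positive case (`-exec chown ... \;`); nothing in the test shows which find(1) forms the check is expected to leave alone or to catch in addition, so a later change to the regex's scope would not be noticed. Consider adding a `find ... -exec chmod ...` line and a `find ... | xargs chown ...` line, with the intended outcome for each recorded in the `tags` file, so the test documents the boundary of the check rather than a single example.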
diff --git a/t/tests/scripts-maintainer-general/tags b/t/tests/scripts-maintainer-general/tags
index 2813747..6beaeae 100644
--- a/t/tests/scripts-maintainer-general/tags
+++ b/t/tests/scripts-maintainer-general/tags
@@ -49,6 +49,7 @@ W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-
 W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:216
 W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:217
 W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:218
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:219
 W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:84
 W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:138
 W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:78

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git