[lintian] 01/01: Also check for find(1) calls when checking for maintainer scripts that use a recursive chown. (Closes: #895370)
This is an automated email from the git hooks/post-receive script.
lamby pushed a commit to branch master
in repository lintian.
commit 52e1bfac52ddba315ba66778570eb00b10c473de
Author: Chris Lamb <lamby@debian.org>
Date: Tue Apr 10 18:30:13 2018 +0100
Also check for find(1) calls when checking for maintainer scripts that use a recursive chown. (Closes: #895370)
---
checks/scripts.desc | 3 ++-
data/scripts/maintainer-script-bad-command | 2 +-
debian/changelog | 5 +++++
t/tests/scripts-maintainer-general/debian/debian/postinst | 1 +
t/tests/scripts-maintainer-general/tags | 1 +
5 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/checks/scripts.desc b/checks/scripts.desc
index eba0c8e..da057dc 100644
--- a/checks/scripts.desc
+++ b/checks/scripts.desc
@@ -817,7 +817,8 @@ Tag: maintainer-script-should-not-use-recursive-chown-or-chmod
Severity: normal
Certainty: certain
Info: The maintainer script appears to call <tt>chmod</tt> or
- <tt>chown</tt> with an <tt>--recursive</tt> or <tt>-R</tt> argument.
+ <tt>chown</tt> with a <tt>--recursive</tt>/<tt>-R</tt> argument, or
+ uses <tt>find(1)</tt> in a similar manner.
.
This is vulnerable to hardlink attacks on mainline, non-Debian kernels
that do not have <tt>fs.protected_hardlinks=1</tt>,
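Review bot: the phrase "uses find(1) in a similar manner" promises more than the check delivers; the pattern added to data/scripts/maintainer-script-bad-command in this commit only matches a find invocation whose -exec runs chown, so a `find /dir -exec chmod 755 {} \;` is not flagged even though this paragraph (and the tag name) covers chmod too. Either widen the pattern to chmod or say here that only find ... -exec chown is detected. It would also help the reader to state the equivalence explicitly: walking a tree with find and changing ownership of each entry is the same operation as chown -R and races the same way.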
diff --git a/data/scripts/maintainer-script-bad-command b/data/scripts/maintainer-script-bad-command
index ef5a159..6c2b606 100644
--- a/data/scripts/maintainer-script-bad-command
+++ b/data/scripts/maintainer-script-bad-command
@@ -35,7 +35,7 @@ maintainer-script-should-not-use-dpkg-status-directly ~~ 1 ~~^(base-fi
maintainer-script-should-not-use-fc-cache ~~ 0 ~~^(fontconfig)$ ~~ ~~${LEADIN}(?:/usr/bin/)?fc-cache(?:\s|\Z)
maintainer-script-should-not-use-gconftool ~~ 1 ~~^(gconf\d)$ ~~ ~~(?:/usr/bin/)?gconftool(?:-\d)?(?:\s|\Z)
maintainer-script-should-not-use-install-sgmlcatalog ~~ 1 ~~ ~~ ~~\binstall-sgmlcatalog\b
-maintainer-script-should-not-use-recursive-chown-or-chmod ~~ 1 ~~ ~~ ~~\b(?:chmod|chown).*(?:-R|--recursive)\b
+maintainer-script-should-not-use-recursive-chown-or-chmod ~~ 1 ~~ ~~ ~~\b(?:(?:chmod|chown).*(?:-R|--recursive)|find.*exec.*chown)\b
maintainer-script-should-not-use-service ~~ 1 ~~ ~~ ~~${LEADIN}service\b
maintainer-script-should-not-use-start-stop-daemon ~~ 0 ~~ ~~ ~~\bstart-stop-daemon(?=\s)(?!.*\s--stop\b)
maintainer-script-should-not-use-update-alternatives-remove ~~ 1 ~~ ~~^postrm$ ~~\b update\-alternatives\s+\-\-remove\b
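Review bot: the new alternative `find.*exec.*chown` covers chown only, while the tag is named recursive-chown-or-chmod and the updated scripts.desc text says chmod as well; `find /dir -exec chmod 755 {} \;` passes silently. Suggest `find.*exec.*(?:chown|chmod)`. Two further consequences of the unanchored `.*` are worth a comment or a test: it spans the whole line, so two unrelated commands such as `find /usr/share/foo -name '*.pyc' -delete; chown root:root /etc/foo/exec.conf` match as a false positive, and `-execdir chown` is caught only because "exec" happens to be a substring of it, whereas `find ... | xargs chown` is missed entirely.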
diff --git a/debian/changelog b/debian/changelog
index 593aa1c..a19ef8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,11 @@ lintian (2.5.82) UNRELEASED; urgency=medium
some currently-problematic packages such as gcc-8-cross-ports
preventing the update of https://lintian.debian.org/. (See #890873)
+ * data/scripts/maintainer-script-bad-command:
+ + [CL] Also check for find(1) calls when checking for maintainer
+ scripts that use a recursive chown. Thanks to Daniel Kahn Gillmore
+ for the report. (Closes: #895370)
+
* vendors/pureos/main/data/changes-file/derivative-versions:
+ [CL] Ensure that PureOS packages always end with (eg. pureosX).
* vendors/pureos/main/data/fields/derivative-fields:
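Review bot: the reporter's surname is misspelled in the new entry; it is Daniel Kahn Gillmor, not "Gillmore". The entry is also filed only under data/scripts/maintainer-script-bad-command although the commit changes the tag description in checks/scripts.desc as well; either list both files or file the entry under the check itself.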
diff --git a/t/tests/scripts-maintainer-general/debian/debian/postinst b/t/tests/scripts-maintainer-general/debian/debian/postinst
index 706d7cf..02c4a6b 100755
--- a/t/tests/scripts-maintainer-general/debian/debian/postinst
+++ b/t/tests/scripts-maintainer-general/debian/debian/postinst
@@ -216,5 +216,6 @@ chmod -R 777 /bad
chmod 777 -R /bad
chmod 777 --recursive /bad
chmod --recursive 777 /bad
+find /bad -maxdepth 2 -type d -exec chown root:root {} \; # (#895370)
#DEBHELPER#
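Review bot: only one positive case is added; there is no `-exec chmod`, `-execdir` or `xargs chown` variant, and no negative case (for example a plain `find /bad -name '*.pyc' -delete`) to show that harmless find calls do not trigger the tag. A negative case matters here because the pattern uses unanchored `.*`, so a match spanning two unrelated commands on one line would otherwise go unnoticed. The sample also uses `-type d`; since directories cannot be hardlinked, it is not the clearest illustration of the hardlink attack the tag description cites, and a `-type f` example would match the rationale better.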
diff --git a/t/tests/scripts-maintainer-general/tags b/t/tests/scripts-maintainer-general/tags
index 2813747..6beaeae 100644
--- a/t/tests/scripts-maintainer-general/tags
+++ b/t/tests/scripts-maintainer-general/tags
@@ -49,6 +49,7 @@ W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-
W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:216
W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:217
W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:218
+W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:219
W: scripts-maintainer-general: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:84
W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:138
W: scripts-maintainer-general: maintainer-script-should-not-use-start-stop-daemon postinst:78
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/lintian/lintian.git