Re: rdflib / CVE-2019-7653

To: Chris Lamb <lamby@debian.org>, debian-lts@lists.debian.org
Subject: Re: rdflib / CVE-2019-7653
From: Brian May <bam@debian.org>
Date: Fri, 08 Mar 2019 09:27:49 +1100
Message-id: <[🔎] 87y35q1fru.fsf@silverfish.pri>
In-reply-to: <[🔎] 0d6f5ae8-a2cd-4740-95cd-ddb0242aa3cd@www.fastmail.com>
References: <[🔎] 874l8e2xom.fsf@silverfish.pri> <[🔎] 0d6f5ae8-a2cd-4740-95cd-ddb0242aa3cd@www.fastmail.com>

Chris Lamb <lamby@debian.org> writes:

> Again, like ikiwiki, this appears to be backwards? :)

Apologies. Looks like I got the parameters to debdiff
reversed. Repeatedly :-(

See attached patch.
-- 
Brian May <bam@debian.org>

diff -Nru rdflib-4.1.2/debian/changelog rdflib-4.1.2/debian/changelog
--- rdflib-4.1.2/debian/changelog	2014-05-25 06:47:03.000000000 +1000
+++ rdflib-4.1.2/debian/changelog	2019-03-08 07:38:55.000000000 +1100
@@ -1,3 +1,10 @@
+rdflib (4.1.2-3+deb8u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2019-7653: Use easy_install provided scripts.
+
+ -- Brian May <bam@debian.org>  Fri, 08 Mar 2019 07:38:55 +1100
+
 rdflib (4.1.2-3) unstable; urgency=low
 
   * Upload to unstable almost identical to 4.1.2-2.
diff -Nru rdflib-4.1.2/debian/control rdflib-4.1.2/debian/control
--- rdflib-4.1.2/debian/control	2014-05-13 14:46:55.000000000 +1000
+++ rdflib-4.1.2/debian/control	2019-03-08 07:38:55.000000000 +1100
@@ -61,7 +61,7 @@
 
 Package: python-rdflib-tools
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-rdflib (>= 4.0.1-1)
+Depends: ${shlibs:Depends}, ${misc:Depends}, python3, python3-rdflib (>= 4.0.1-1), python3-pkg-resources
 Replaces: python-rdflib (<< 4.0.1-1)
 Breaks: python-rdflib (<< 4.0.1-1)
 Description: Python library containing an RDF triple store and RDF parsers/serializers
diff -Nru rdflib-4.1.2/debian/gbp.conf rdflib-4.1.2/debian/gbp.conf
--- rdflib-4.1.2/debian/gbp.conf	2014-05-13 14:46:55.000000000 +1000
+++ rdflib-4.1.2/debian/gbp.conf	2019-03-08 07:38:55.000000000 +1100
@@ -1,3 +1,3 @@
-[git-buildpackage]
-upstream-tag = %(version)s
-debian-branch = debian
+[buildpackage]
+upstream-tag = upstream/%(version)s
+debian-branch = jessie
diff -Nru rdflib-4.1.2/debian/python-rdflib-tools.install rdflib-4.1.2/debian/python-rdflib-tools.install
--- rdflib-4.1.2/debian/python-rdflib-tools.install	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/python-rdflib-tools.install	1970-01-01 10:00:00.000000000 +1000
@@ -1,5 +0,0 @@
-debian/scripts/rdfpipe /usr/bin/
-debian/scripts/csv2rdf /usr/bin/
-debian/scripts/rdf2dot /usr/bin/
-debian/scripts/rdfs2dot /usr/bin/
-debian/scripts/rdfgraphisomorphism /usr/bin/
diff -Nru rdflib-4.1.2/debian/rules rdflib-4.1.2/debian/rules
--- rdflib-4.1.2/debian/rules	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/rules	2019-03-08 07:36:24.000000000 +1100
@@ -11,14 +11,10 @@
 
 export PYBUILD_NAME=rdflib
 
-# For the time being, don't install the /usr/bin scripts for Python2 (hack)
-# Instead, we'll patch the scripts to add a shebang and put links into /usr/bin
-export PYBUILD_INSTALL_ARGS_python2=--install-scripts=/tmp
-export PYBUILD_AFTER_INSTALL_python2=rm -fr '{destdir}/tmp/'
-# For the time being, don't install the /usr/bin scripts for Python3 (hack)
-export PYBUILD_INSTALL_ARGS_python3=--install-scripts=/tmp
-export PYBUILD_AFTER_INSTALL_python3=rm -fr '{destdir}/tmp/'
-
+# Install (only) those into the -tools package
+export PYBUILD_AFTER_INSTALL_python3=mv '{destdir}/usr/bin' 'debian/python-rdflib-tools/usr/'
+# The Python 2 part is only available as a library, not as tools
+export PYBUILD_AFTER_INSTALL_python2=rm -rf '{destdir}/usr/bin'
 
 %:
 	dh $@ --with python2,python3,sphinxdoc --buildsystem=pybuild
diff -Nru rdflib-4.1.2/debian/scripts/csv2rdf rdflib-4.1.2/debian/scripts/csv2rdf
--- rdflib-4.1.2/debian/scripts/csv2rdf	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/csv2rdf	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.csv2rdf $*
diff -Nru rdflib-4.1.2/debian/scripts/rdf2dot rdflib-4.1.2/debian/scripts/rdf2dot
--- rdflib-4.1.2/debian/scripts/rdf2dot	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdf2dot	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdf2dot $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfgraphisomorphism rdflib-4.1.2/debian/scripts/rdfgraphisomorphism
--- rdflib-4.1.2/debian/scripts/rdfgraphisomorphism	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfgraphisomorphism	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.graphisomorphism $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfpipe rdflib-4.1.2/debian/scripts/rdfpipe
--- rdflib-4.1.2/debian/scripts/rdfpipe	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfpipe	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdfpipe $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfs2dot rdflib-4.1.2/debian/scripts/rdfs2dot
--- rdflib-4.1.2/debian/scripts/rdfs2dot	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfs2dot	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdfs2dot $*

Reply to:

Follow-Ups:
- Re: rdflib / CVE-2019-7653
  - From: Brian May <bam@debian.org>
- Re: rdflib / CVE-2019-7653
  - From: "Chris Lamb" <lamby@debian.org>

References:
- rdflib / CVE-2019-7653
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: rdflib / CVE-2019-7653
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: Re: rdflib / CVE-2019-7653
Next by Date: Re: ikiwiki / CVE-2019-9187
Previous by thread: Re: rdflib / CVE-2019-7653
Next by thread: Re: rdflib / CVE-2019-7653
Index(es):
- Date
- Thread