Bug#637384: pu: package lintian/2.4.3+squeeze1
On 2011-08-11 19:51, Adam D. Barratt wrote:
> tag 637384 + squeeze
> thanks
>
> On Wed, 2011-08-10 at 21:04 +0200, Niels Thykier wrote:
>> I would like permission to backport the following security
>> related patch to Lintian in stable. The security team has
>> already told me that they were not interested in a security
>> upload.
>
> I'm not surprised tbh, assuming that the issue indeed only allows file
> existence testing, rather than content retrieval.
>

As far as I can tell, there is no way to exploit the particular checks
here to do content retrieval.

Slightly off-topic: I believe one of the checks in sid/testing could be
used to tell if a file contained a "non-comment" line, but I guess that
is as exciting as it gets this time. :)

>> +lintian (2.4.3+squeeze1) stable; urgency=low
>> +
>> + * checks/debian-source-dir:
>> + + [NT] Fixed information disclosure issue, where Lintian could
>> + be tricked into disclosing the present of files on the host
>
> As per other people's IRC poking - and the patch header :-) -
> s/present/presence/.
>
>> + system via specially crafted source packages.
> [...]

Fixed this one :)

>> +So far as it is copyrightable at all, this test case is
>> + Copyright © 2009 Russ Allbery <rra@debian.org>
>> + Copyright © 2009 Adam D. Barratt <adam@adam-barratt.org.uk>
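Review bot: the copyright header on this added test case is dated 2009 and credits Russ Allbery and Adam D. Barratt, while the test is being introduced with the 2.4.3+squeeze1 upload discussed in 2011. If the text was carried over from an existing test, either update the year and holder to match whoever wrote this test, or say in the header that the file is derived from the older one so the attribution is accurate.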
>
> Hmmm, interesting...
>

Copy/waste from another test... I can fix it if you insist, but most of
the tests in 2.4.3..2.5.1 suffer from the same issue.
There is a reason that I added skeletons for most of the test suites
in 2.5.2. :P

> Regards,
>
> Adam
>

~Niels