
Bug#637384: pu: package lintian/2.4.3+squeeze1



tag 637384 + confirmed
thanks

On Fri, 2011-08-12 at 10:09 +0200, Niels Thykier wrote:
> On 2011-08-11 19:51, Adam D. Barratt wrote:
> > On Wed, 2011-08-10 at 21:04 +0200, Niels Thykier wrote:
> >> I would like permission to backport the following security
> >> related patch to Lintian in stable.  The security team has
> >> already told me that they were not interested in a security
> >> upload.
> > 
> > I'm not surprised tbh, assuming that the issue indeed only allows file
> > existence testing, rather than content retrieval.
>
> As far as I can tell, there is no way to exploit the particular checks
> here to do content retrieval.

Cool.

> >> +    + [NT] Fixed information disclosure issue, where Lintian could
> >> +      be tricked into disclosing the present of files on the host
> > 
> > As per other people's IRC poking - and the patch header :-) -
> > s/present/presence/.
[...]
> Fixed this one :)

Ta.

> >> +So far as it is copyrightable at all, this test case is
> >> +   Copyright © 2009 Russ Allbery <rra@debian.org>
> >> +   Copyright © 2009 Adam D. Barratt <adam@adam-barratt.org.uk>
> > 
> > Hmmm, interesting...
> > 
> Copy/waste from another test... I can fix it if you insist, but most of
> the tests in 2.4.3..2.5.1 suffer from the same issue.

Nah, I just forgot there were any test cases that I'd actually bothered
doing that with.

Please feel free to upload.

Regards,

Adam



