Re: Bug#637384: pu: package lintian/2.4.3+squeeze1

On 2011-09-04 17:43, Adam D. Barratt wrote:
> On Tue, 2011-08-16 at 21:07 +0100, Adam D. Barratt wrote:
>>  .gitignore                                            |    7 -----
>>  t/tests/shared-libs-la-files/debian/_python_module.la |   12 ---------
>>  t/tests/shared-libs-la-files/debian/kio_locate.la     |   15 -----------
>>  t/tests/shared-libs-la-files/debian/trailing-slash.la |   12 ---------
>>  testset/filenames/debian/.be/dummy                    |    1 
>>
>> The first isn't a huge problem, as it shouldn't really be in the source
>> package anyway; the others are a little more annoying.  I know that in
>> later versions of the package the issue with the .la files has been
>> worked around by shipping them using another extension and then renaming
>> them back, but for the purposes of stable could I trouble you to prepare
>> an updated package using debian/source/options to force the files to be
>> included and send a copy of the diff to the bug?
> 
> Ping?
> 
> fwiw, I've (finally) marked the original upload for rejection at the
> next dinstall until we get the above issues sorted.  You mentioned on
> IRC that there were some other issues which had arisen which you thought
> would be suitable for inclusion in a new upload.  If that's still the
> case, are those issues fixed in unstable already?
> 
> Regards,
> 
> Adam

Hey,

Sorry for the delay.  I have attached the complete debdiff from 2.4.3 to
now including the "extra issue" and the debian/source/options magic to
make dpkg-source keep those files (mentioned above).
  I have also added "incremental patches" from 2.4.3 to "now".  These
are available in the lintian-2.4.3.tar.gz (and were generated from git).

The "extra issue" has just been fixed in sid (in Lintian 2.5.3).  By
replacing "conffiles" in the control.tar.gz, lintian can be tricked into
reading files from the host system and emitting tags like
"relative-conffile" for each line in the file that (in this case) does
not start with a "/".
  This is probably the easiest (and most effective) tag to abuse, but I
will not rule out that one of the other tags in checks/etcfiles or
checks/conffiles could be exploited as well.

I asked the security team about this a while back.  Nico Golde told me
that it was a "pretty minor issue" and it could be fixed via
stable-proposed-updates.

On a related note, I have filed #641091 to request the ftp-masters to
auto-reject packages that contain "non-regular" files in the control.tar.gz.

I have not uploaded the package yet; I assumed you would want a second
review given the changes to fix the checks/{etcfiles,conffiles} issue.  :)

~Niels

Attachment: lintian-2.4.3.tar.gz
Description: application/gzip
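
As an added example, not part of the original message and not Lintian's code: a standalone Python checker in the spirit of the archive-side auto-reject requested in #641091. It opens a .deb (an ar archive), locates the control.tar member and reports every entry that is a symlink, hard link, device node or a path escaping the archive root, i.e. anything a later tool could be made to follow when it opens `control/conffiles` by path. The two sample .debs it builds are constructed in memory; the function names and the sample package contents are this example's own.

```python
"""Added example (not Lintian's code): reject .deb control archives whose
members are not plain files or directories. Sample input is constructed."""
import io
import posixpath
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive such as a .deb."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                      # fixed 60-byte member header
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size % 2)                      # data is padded to an even offset


def unsafe_control_members(deb_blob):
    """Return [(member name, reason)] for control.tar members that must not be trusted."""
    findings = []
    for name, data in ar_members(deb_blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                norm = posixpath.normpath(m.name)
                if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                    findings.append((m.name, "path escapes archive root"))
                elif m.issym():
                    findings.append((m.name, "symlink -> " + m.linkname))
                elif m.islnk():
                    findings.append((m.name, "hardlink -> " + m.linkname))
                elif not (m.isfile() or m.isdir()):
                    findings.append((m.name, "non-regular member"))
    return findings


def _tgz(entries):
    """Pack (TarInfo, payload-or-None) pairs into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for info, payload in entries:
            tar.addfile(info, io.BytesIO(payload) if payload is not None else None)
    return buf.getvalue()


def _ar(members):
    """Pack (name, bytes) pairs into an ar archive (the outer .deb container)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = "%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (name, "0", "0", "0", "100644", len(data))
        out += hdr.encode("ascii") + data
        if len(data) % 2:
            out += b"\n"                              # pad to even length
    return bytes(out)


def build_sample_deb(symlinked_conffiles):
    """Constructed sample: a minimal .deb whose conffiles is either a regular
    file or a symlink to ../md5sums, as in the test package from the thread."""
    control = tarfile.TarInfo("./control")
    control_text = b"Package: sample\nVersion: 1.0\nArchitecture: all\n"
    control.size = len(control_text)
    conffiles = tarfile.TarInfo("./conffiles")
    if symlinked_conffiles:
        conffiles.type = tarfile.SYMTYPE
        conffiles.linkname = "../md5sums"
        conffiles_text = None
    else:
        conffiles_text = b"/etc/sample.conf\n"
        conffiles.size = len(conffiles_text)
    usr = tarfile.TarInfo("./usr")
    usr.type = tarfile.DIRTYPE
    return _ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tgz([(control, control_text), (conffiles, conffiles_text)])),
        ("data.tar.gz", _tgz([(usr, None)])),
    ])


if __name__ == "__main__":
    for label, deb in (("clean", build_sample_deb(False)),
                       ("symlinked", build_sample_deb(True))):
        print(label, unsafe_control_members(deb) or "ok")
```

The check runs on the archive bytes alone, before anything is unpacked, so there is no window in which a symlink exists on disk for a later `open` to follow; that is the property the `-l` tests in the debdiff have to approximate after the fact.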

diff -Nru lintian-2.4.3/checks/conffiles lintian-2.4.3+squeeze1/checks/conffiles
--- lintian-2.4.3/checks/conffiles	2010-07-26 06:50:52.000000000 +0200
+++ lintian-2.4.3+squeeze1/checks/conffiles	2011-09-10 14:23:40.000000000 +0200
@@ -31,7 +31,7 @@
 my $cf = "control/conffiles";
 
 # conffiles?
-unless (-f $cf) {
+unless (-f $cf && ! -l $cf) {
     return 0;
 }
 
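Review bot: the early exit in `unless (-f $cf && ! -l $cf)` is silent; a package whose conffiles is a symlink now receives no conffiles checks and no tag, so the crafted control archive passes this check clean. Consider emitting a tag for the symlink before `return 0;`, so the condition the new test package in this debdiff constructs is surfaced rather than hidden.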
diff -Nru lintian-2.4.3/checks/debian-source-dir lintian-2.4.3+squeeze1/checks/debian-source-dir
--- lintian-2.4.3/checks/debian-source-dir	2010-07-26 06:50:52.000000000 +0200
+++ lintian-2.4.3+squeeze1/checks/debian-source-dir	2011-09-10 14:21:55.000000000 +0200
@@ -36,7 +36,7 @@
 my $type = shift;
 my $info = shift;
 
-if (-e "debfiles/source/format") {
+if (-e "debfiles/source/format" && ! -l "debfiles/source/format") {
     open(FORMAT, "<", "debfiles/source/format") or
         fail("cannot read debian/source/format: $!");
     my $format = <FORMAT>;
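Review bot: the guard `! -l "debfiles/source/format"` only covers `format` itself being a symlink. If `debfiles/source` is a symlink to a directory, which is exactly what the new test's Makefile creates with `ln -s ../ $(dir)/debian/source`, `-e` resolves through it and the `open(FORMAT, "<", "debfiles/source/format")` still reads whatever `format` exists at the link target. The following hunk tests `! -l 'debfiles/source'` before its opendir; the same test should precede this open, e.g. `if (! -l "debfiles/source" && -e "debfiles/source/format" && ! -l "debfiles/source/format") {`.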
@@ -46,7 +46,7 @@
     tag "missing-debian-source-format";
 }
 
-if (-d "debfiles/source") {
+if (! -l 'debfiles/source' && -d "debfiles/source") {
     opendir(DEBSRC, "debfiles/source") or fail("cannot opendir debian/source/: $!");
     my $file;
     while ($file = readdir(DEBSRC)) {
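Review bot: style point: `'debfiles/source'` here versus `"debfiles/source"` on the next line and in the previous hunk; pick one quoting style. Keeping the order of tests (`! -l` first, then `-d` or `-e`) the same in both hunks also makes the intent, refusing symlinks before looking through them, read identically in both places.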
diff -Nru lintian-2.4.3/checks/etcfiles lintian-2.4.3+squeeze1/checks/etcfiles
--- lintian-2.4.3/checks/etcfiles	2010-07-26 06:50:52.000000000 +0200
+++ lintian-2.4.3+squeeze1/checks/etcfiles	2011-09-10 14:23:51.000000000 +0200
@@ -33,6 +33,8 @@
 
 my $conffiles = "control/conffiles";
 
+return if -l $conffiles;
+
 # load conffiles
 if (open(IN, '<', $conffiles)) {
     while (<IN>) {
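Review bot: `return if -l $conffiles;` is a bare return, whereas checks/conffiles in this same debdiff uses `return 0;` for the equivalent early exit; make the two consistent. As with conffiles, the return is silent, so no tag records that the control archive carried a symlink and the package passes the etcfiles checks without a trace; consider emitting a tag first. Note also that conffiles tests `-f` as well as `! -l`, while only `-l` is tested here, so a non-regular, non-symlink entry still reaches the `open(IN, '<', $conffiles)`.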
diff -Nru lintian-2.4.3/debian/changelog lintian-2.4.3+squeeze1/debian/changelog
--- lintian-2.4.3/debian/changelog	2010-07-26 06:50:52.000000000 +0200
+++ lintian-2.4.3+squeeze1/debian/changelog	2011-09-10 14:42:28.000000000 +0200
@@ -1,3 +1,19 @@
+lintian (2.4.3+squeeze1) stable; urgency=low
+
+  * checks/{conffiles,etcfiles}:
+    + [NT] Skip all checks in conffiles is a symlink.
+  * checks/debian-source-dir:
+    + [NT] Fixed information disclosure issue, where Lintian could
+      be tricked into disclosing the presence of files on the host
+      system via specially crafted source packages.
+
+  * debian/source/options:
+    + [NT] Added tar-ignore option that only excludes .git to
+      prevent some files from being "lost" when rebuilding the
+      package.
+
+ -- Niels Thykier <niels@thykier.net>  Wed, 10 Aug 2011 20:53:04 +0200
+
 lintian (2.4.3) unstable; urgency=low
 
   The "Policy 3.9.1" release.
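Review bot: typo in the entry `[NT] Skip all checks in conffiles is a symlink.`; this should read `if conffiles is a symlink`. The stamp `Wed, 10 Aug 2011 20:53:04 +0200` also predates the file timestamps in this debdiff (2011-09-10) by a month; refresh it before the upload so the changelog date matches the final revision.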
diff -Nru lintian-2.4.3/debian/source/options lintian-2.4.3+squeeze1/debian/source/options
--- lintian-2.4.3/debian/source/options	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/debian/source/options	2011-09-10 14:38:21.000000000 +0200
@@ -0,0 +1 @@
+tar-ignore=.git
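Review bot: a caveat worth stating next to the changelog wording: `tar-ignore=.git` with an explicit pattern replaces dpkg-source's default exclusion list rather than adding to it, which is what lets the .la files, .gitignore and the .be/dummy entry survive; the flip side is that nothing else is excluded any more, so editor backup files (`*~`, `.*.sw?`) or other VCS directories present in the build tree would be shipped. Build from a clean checkout, or list the few extra patterns you do want excluded.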
diff -Nru lintian-2.4.3/t/debs/control-files-traversal/changelog lintian-2.4.3+squeeze1/t/debs/control-files-traversal/changelog
--- lintian-2.4.3/t/debs/control-files-traversal/changelog	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/debs/control-files-traversal/changelog	2011-09-10 14:27:47.000000000 +0200
@@ -0,0 +1,5 @@
+control-field-traversal-4 (1.0) unstable; urgency=low
+
+  * A Lintian test case.
+
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Sat, 21 Feb 2009 13:34:21 -0800
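Review bot: package name mismatch: this changelog is for `control-field-traversal-4`, but the test's control file and Makefile in this debdiff use `control-files-traversal`. This looks copied from another test case; the changelog name should match, otherwise the test package itself will pick up a source/changelog name mismatch tag unrelated to what it is meant to exercise.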
diff -Nru lintian-2.4.3/t/debs/control-files-traversal/control lintian-2.4.3+squeeze1/t/debs/control-files-traversal/control
--- lintian-2.4.3/t/debs/control-files-traversal/control	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/debs/control-files-traversal/control	2011-09-10 14:29:25.000000000 +0200
@@ -0,0 +1,11 @@
+Package: control-files-traversal
+Version: 1.0
+Architecture: all
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Section: devel
+Priority: extra
+Description: Test for directory traversal issues via control files
+ This is a test package designed to exercise some feature or tag of
+ Lintian.  It is part of the Lintian test suite and may do very odd
+ things.  It should not be installed like a regular package.  It may
+ be an empty package.
diff -Nru lintian-2.4.3/t/debs/control-files-traversal/copyright lintian-2.4.3+squeeze1/t/debs/control-files-traversal/copyright
--- lintian-2.4.3/t/debs/control-files-traversal/copyright	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/debs/control-files-traversal/copyright	2011-09-10 14:27:47.000000000 +0200
@@ -0,0 +1,21 @@
+This is part of the testsuite of lintian. See the file debian/copyright
+in the lintian source directory for more details.
+
+So far as it is copyrightable at all, this test case is
+   Copyright © 2009 Russ Allbery <rra@debian.org>
+
+This program is free software; you may redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This is distributed in the hope that it will be useful, but without
+any warranty; without even the implied warranty of merchantability or
+fitness for a particular purpose. See the GNU General Public License
+for more details.
+
+A copy of the GNU General Public License version 2 is available as
+/usr/share/common-licenses/GPL-2 in the Debian GNU/Linux distribution
+or at http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+You can also obtain it by writing to the Free Software Foundation, Inc.,
+51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
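Review bot: the attribution `Copyright © 2009 Russ Allbery <rra@debian.org>` is the template copied from an older test; this test case is new in 2011 and, per the changelog, written by [NT], so add a copyright line for its actual author alongside the template's.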
diff -Nru lintian-2.4.3/t/debs/control-files-traversal/Makefile lintian-2.4.3+squeeze1/t/debs/control-files-traversal/Makefile
--- lintian-2.4.3/t/debs/control-files-traversal/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/debs/control-files-traversal/Makefile	2011-09-10 14:30:35.000000000 +0200
@@ -0,0 +1,20 @@
+name = control-files-traversal
+
+all:
+	echo '2.0' > debian-binary
+	install -m 0755 -d usr/share/doc/$(name)
+	install -m 0644 changelog copyright usr/share/doc/$(name)
+	gzip --best usr/share/doc/$(name)/changelog
+	md5sum usr/share/doc/$(name)/* > md5sums
+	# Create the traversal symlink - points to md5sums in the lab
+	ln -s ../md5sums conffiles
+	tar cfz data.tar.gz usr
+	chown 0:0 control
+	chmod 644 control
+	tar cfz control.tar.gz control md5sums
+	ar rc $(name).deb \
+	    debian-binary control.tar.gz data.tar.gz
+
+clean:
+	rm -f *.tar.gz *.deb md5sums debian-binary
+	rm -rf root/
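Review bot: the symlink is never packed: `ln -s ../md5sums conffiles` creates it, but `tar cfz control.tar.gz control md5sums` lists only `control` and `md5sums`, so the built .deb has no `conffiles` member at all and the test cannot exercise the symlink-skipping code added to checks/conffiles and checks/etcfiles; add `conffiles` to that tar invocation. The `clean` target also leaves `conffiles` and `usr/` behind (`rm -rf root/` looks copied from another test), and unlike the source test below there is no `tags` file for this test in the debdiff to state the expected output.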
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/changelog lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/changelog
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/changelog	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/changelog	2011-09-10 14:21:56.000000000 +0200
@@ -0,0 +1,8 @@
+debian-source-dir-traversal-2 (1) unstable; urgency=low
+
+  * Lintian Test Suite.
+  * Test: debian-source-dir-traversal-2
+
+  * Suppress "should close ITP bug" messages.  (Closes: #123456)
+
+ -- Debian Lintian Maintainers <lintian-maint@debian.org>  Fri, 15 Jul 2011 15:30:00 +0200
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/control lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/control
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/control	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/control	2011-09-10 14:21:56.000000000 +0200
@@ -0,0 +1,14 @@
+Source: debian-source-dir-traversal-2
+Section: devel
+Priority: optional
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Build-Depends: debhelper (>= 7)
+Standards-Version: 3.9.1
+
+Package: debian-source-dir-traversal-2
+Architecture: all
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Test for directory traversal issues via field names or values
+ This is a test package designed to exercise some feature or tag of
+ Lintian.  It is part of the Lintian test suite and may do very odd
+ things.  It should not be installed like a regular package.
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/copyright lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/copyright
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/copyright	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/copyright	2011-09-10 14:21:56.000000000 +0200
@@ -0,0 +1,22 @@
+This is part of the testsuite of lintian. See the file debian/copyright
+in the lintian source directory for more details.
+
+So far as it is copyrightable at all, this test case is
+   Copyright © 2009 Russ Allbery <rra@debian.org>
+   Copyright © 2009 Adam D. Barratt <adam@adam-barratt.org.uk>
+
+This program is free software; you may redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+This is distributed in the hope that it will be useful, but without
+any warranty; without even the implied warranty of merchantability or
+fitness for a particular purpose. See the GNU General Public License
+for more details.
+
+A copy of the GNU General Public License version 2 is available as
+/usr/share/common-licenses/GPL-2 in the Debian GNU/Linux distribution
+or at http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
+You can also obtain it by writing to the Free Software Foundation, Inc.,
+51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/dsc.in lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/dsc.in
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/dsc.in	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/dsc.in	2011-09-10 14:21:56.000000000 +0200
@@ -0,0 +1,14 @@
+Format: 1.0
+Source: debian-source-dir-traversal-2
+Binary: debian-source-dir-traversal-2
+Architecture: all
+Version: 1
+Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
+Standards-Version: 3.9.1
+Build-Depends: debhelper (>= 7)
+Checksums-Sha1:
+ @SHA1@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Checksums-Sha256:
+ @SHA256@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
+Files:
+ @MD5@ @SIZE@ debian-source-dir-traversal-2_1.tar.gz
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/Makefile lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/Makefile
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/Makefile	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/Makefile	2011-09-03 11:21:04.000000000 +0200
@@ -0,0 +1,23 @@
+name = debian-source-dir-traversal-2
+dir  = $(name)-1
+
+all:
+	mkdir $(dir)
+	mkdir $(dir)/debian
+	cp changelog copyright control rules $(dir)/debian/
+	# Link to the lab entry - should trigger a myriad of
+	# "unknown-file-in-debian-source" tags, if lintian is vulnerable
+	ln -s ../ $(dir)/debian/source
+	tar cfz $(name)_1.tar.gz $(dir)
+	cp dsc.in $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("sha1", "$(name)_1.tar.gz") } s/\@SHA1\@/$$h/g' $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("sha256", "$(name)_1.tar.gz") } s/\@SHA256\@/$$h/g' $(name)_1.dsc
+	perl -I$(LINTIAN_ROOT)/lib -MUtil -i -pe \
+	    'BEGIN { $$h = get_file_checksum("md5", "$(name)_1.tar.gz") } s/\@MD5\@/$$h/g' $(name)_1.dsc
+	perl -i -pe 'BEGIN { $$s = (stat "$(name)_1.tar.gz")[7] } s/\@SIZE\@/$$s/g' $(name)_1.dsc
+
+clean:
+	rm -rf $(dir)
+	rm -f $(name)_1*
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/rules lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/rules
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/rules	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/rules	2011-09-10 14:21:56.000000000 +0200
@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+	dh $@
diff -Nru lintian-2.4.3/t/source/debian-source-dir-traversal-2/tags lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/tags
--- lintian-2.4.3/t/source/debian-source-dir-traversal-2/tags	1970-01-01 01:00:00.000000000 +0100
+++ lintian-2.4.3+squeeze1/t/source/debian-source-dir-traversal-2/tags	2011-09-06 22:00:50.000000000 +0200
@@ -0,0 +1,2 @@
+I: debian-source-dir-traversal-2 source: missing-debian-source-format
+W: debian-source-dir-traversal-2 source: package-uses-deprecated-debhelper-compat-version 1
