Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: age-days Please reduce the migration time for check-all-the-things to two days. The version in unstable fixes arbitrary code execution security issues reported by Jakub Wilk because `python -m` adds '.' to sys.path. age-days 2 check-all-the-things/2017.01.15 -- System Information: Debian Release: stretch/sid APT prefers testing-debug APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- bye, pabs https://wiki.debian.org/PaulWise
diff -Nru check-all-the-things-2016.12.25/check-all-the-things check-all-the-things-2017.01.15/check-all-the-things
--- check-all-the-things-2016.12.25/check-all-the-things 2016-12-25 07:43:10.000000000 +0800
+++ check-all-the-things-2017.01.15/check-all-the-things 2017-01-15 10:37:30.000000000 +0800
@@ -36,6 +36,7 @@
import time
import signal
import subprocess as ipc
+import string
import sys
from textwrap import TextWrapper
@@ -61,6 +62,7 @@
from curses import tigetstr, setupterm
setupterm()
erase_line = tigetstr('el')
+ reset_term = tigetstr('sgr0')
try:
from shutil import which
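Review bot: `reset_term = tigetstr('sgr0')` can bind `None`, because curses.tigetstr returns `None` when the terminfo entry lacks the capability, and every later `sys.stdout.buffer.write(reset_term)` would then raise TypeError on such a terminal. The existing `erase_line = tigetstr('el')` line has the same shape, so a missing capability may already be caught by the surrounding try block, whose start is outside this hunk; if it is not, `reset_term = tigetstr('sgr0') or b''` keeps the write a harmless no-op. This applies equally to the reset calls added in spawn_ptyprocess, spawn_pty, spawn_pipe, spawn_none and the KeyboardInterrupt handler.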
@@ -139,7 +141,7 @@
return False
-def spawn_ptyprocess(cmd, hide, header, footer, limit):
+def spawn_ptyprocess(terminal, cmd, hide, header, footer, limit):
lines = 0
trimmed = False
@@ -158,6 +160,8 @@
lines += 1
if lines > limit:
trimmed = True
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
print(*footer, sep='\n')
sys.stdout.flush()
proc.kill(signal.SIGTERM)
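Review bot: The two-line sequence `if terminal: sys.stdout.buffer.write(reset_term)` is repeated in spawn_ptyprocess, spawn_pty, spawn_pipe, spawn_none and twice in the KeyboardInterrupt handler; a small helper would keep that behaviour in one place. Writing to `sys.stdout.buffer` directly also bypasses the text layer that `print()` writes through, so any output still pending in `sys.stdout` may be emitted after the reset sequence instead of before it; flushing the text layer first avoids that reordering. spawn_ptyprocess begins and ends outside this hunk.
```python
def reset_terminal(terminal):
    # Restore default attributes (terminfo sgr0) after a child may have left
    # colour or bold enabled.  Flush the text layer first so the escape
    # sequence does not overtake output that print() has buffered.
    if terminal:
        sys.stdout.flush()
        sys.stdout.buffer.write(reset_term)

# … unchanged: line counting in spawn_ptyprocess …
            if lines > limit:
                trimmed = True
                reset_terminal(terminal)
                print(*footer, sep='\n')
```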
@@ -170,10 +174,12 @@
break
if header and not hide:
output_header()
+ if terminal and not trimmed:
+ sys.stdout.buffer.write(reset_term)
return not bool(header), trimmed
-def spawn_pty(cmd, hide, header, footer, limit):
+def spawn_pty(terminal, cmd, hide, header, footer, limit):
lines = 0
trimmed = False
pipe = None
@@ -198,6 +204,8 @@
lines += 1
if lines > limit:
trimmed = True
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
print(*footer, sep='\r\n', end='\r\n')
sys.stdout.flush()
raise OSError
@@ -209,10 +217,12 @@
pipe.close()
if header and not hide:
output_header()
+ if terminal and not trimmed:
+ sys.stdout.buffer.write(reset_term)
return not bool(header), trimmed
-def spawn_pipe(cmd, hide, header, footer, limit):
+def spawn_pipe(terminal, cmd, hide, header, footer, limit):
lines = 0
trimmed = False
@@ -231,6 +241,8 @@
lines += 1
if lines > limit:
trimmed = True
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
print(*footer, sep='\n')
sys.stdout.flush()
proc.terminate()
@@ -250,26 +262,30 @@
sys.stdout.flush()
if header and not hide:
output_header()
+ if terminal and not trimmed:
+ sys.stdout.buffer.write(reset_term)
return not bool(header), trimmed
-def spawn_none(cmd, header):
+def spawn_none(terminal, cmd, header):
show_header(header)
ipc.call(cmd, shell=True, stderr=ipc.STDOUT)
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
return True, False
-def spawn(method, cmd, hide, header, footer, limit):
+def spawn(terminal, method, cmd, hide, header, footer, limit):
if method == 'pipe':
- return spawn_pipe(cmd, hide, header, footer, limit)
+ return spawn_pipe(terminal, cmd, hide, header, footer, limit)
elif method == 'ptyprocess':
show_progress(cmd)
- return spawn_ptyprocess(cmd, hide, header, footer, limit)
+ return spawn_ptyprocess(terminal, cmd, hide, header, footer, limit)
elif method == 'pty':
show_progress(cmd)
- return spawn_pty(cmd, hide, header, footer, limit)
+ return spawn_pty(terminal, cmd, hide, header, footer, limit)
elif method == 'none':
- return spawn_none(cmd, header)
+ return spawn_none(terminal, cmd, header)
else:
raise RuntimeError
@@ -373,9 +389,12 @@
def set_command(self, value):
self.cmd = cmd = value.strip()
- d = collections.defaultdict(str)
- cmd.format(**d)
- nargs = 1 * ('file' in d) + 2 * ('files' in d)
+ fields = {
+ field
+ for text, field, fmt, conv
+ in string.Formatter().parse(cmd)
+ }
+ nargs = 1 * ('file' in fields) + 2 * ('files' in fields)
if nargs >= 3:
raise RuntimeError('invalid command specification: ' + cmd)
self.cmd_nargs = nargs
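Review bot: The `fields` set built from `string.Formatter().parse(cmd)` also collects `None` for every literal-only segment, and the loop names `text`, `fmt` and `conv` are never used; `fields = {field for _, field, _, _ in string.Formatter().parse(cmd) if field is not None}` states the intent more directly. Note that `parse` yields the whole field name, so a command written as `{files[0]}` or `{file.name}` no longer counts towards `nargs` the way the previous `cmd.format(**d)` approach would have; if such forms are intentionally unsupported, a one-line comment saying so would save the next reader the comparison. set_command starts inside this hunk but may continue past its last line.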
@@ -448,7 +467,7 @@
tfcmd += '''-print0 -o '''
tfcmd += '''-exec sh -c 'file --mime-type -r0 "$1" | cut -d "" -f 2 | grep -qP "^: '''
tfcmd += self._types_re
- tfcmd += '''$" && printf "%s\\0" "$1"' sh {} \; | xargs -0'''
+ tfcmd += '''$" && printf "%s\\0" "$1"' sh {} \\; | xargs -0'''
if self.cmd_nargs == 1:
tfcmd += 'n1'
fcmd += [tfcmd, self.cmd.format(**null_kwargs)]
@@ -469,6 +488,8 @@
raise UnmetPrereq('command not found: ' + cmd)
else:
try:
+ # For Python 3.2 compatibility, open /dev/null manually instead
+ # of using subprocess.DEVNULL
with open(os.devnull, 'wb') as dev_null:
ipc.check_call(
['sh', '-e', '-c', self.prereq],
@@ -568,7 +589,7 @@
prompt = '# $ ' if manual or todo else '$ '
header += prompt + cmd
if run:
- output, trimmed = spawn(method, cmd, hide, header, footer, limit)
+ output, trimmed = spawn(terminal, method, cmd, hide, header, footer, limit)
if not output and hide:
remark(remarks, name, 'no output')
if trim and trimmed:
@@ -804,7 +825,7 @@
except ValueError:
print('ERROR: Could not parse deps for {}: {}'.format(name, check.apt), file=sys.stderr)
sys.exit(1)
- if not check.is_flag_set('todo'):
+ if not check.is_flag_set('todo') and not check.is_flag_set('apt-suggests'):
recommends.append(check.apt)
else:
suggests.append(check.apt)
@@ -1051,11 +1072,15 @@
except KeyboardInterrupt:
if options.interrupt in {'exit', 'quit'} or (time.time() - last_interrupt) < options.interrupt_period:
if output:
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
print()
sys.exit()
elif options.interrupt == 'skip':
remark(remarks, name, 'user interrupted')
if output:
+ if terminal:
+ sys.stdout.buffer.write(reset_term)
print()
last_interrupt = time.time()
if output:
diff -Nru check-all-the-things-2016.12.25/data/c check-all-the-things-2017.01.15/data/c
--- check-all-the-things-2016.12.25/data/c 2016-12-25 07:49:02.000000000 +0800
+++ check-all-the-things-2017.01.15/data/c 2017-01-15 10:37:30.000000000 +0800
@@ -127,6 +127,17 @@
https://kitware.github.io/KWStyle/resources/documentation.html
command = KWStyle -R -d .
+[path-max]
+files =
+ *.c *.cc *.cxx *.cpp
+ *.h *.hh *.hxx *.hpp
+types = text/x-c text/x-c++
+command = grep -wE 'PATH_MAX|MAXPATHLEN' {files}
+comment =
+ You should not assume that paths are at most PATH_MAX characters long.
+ Some operating systems (e.g. Hurd) don't define PATH_MAX at all.
+ Others (e.g. Linux, OS X) define it, but don't enforce the limit.
+
# TODO: pscan
# TODO: adlint
# TODO: sparse
diff -Nru check-all-the-things-2016.12.25/data/compression check-all-the-things-2017.01.15/data/compression
--- check-all-the-things-2016.12.25/data/compression 2016-12-25 07:49:25.000000000 +0800
+++ check-all-the-things-2017.01.15/data/compression 2017-01-15 10:37:30.000000000 +0800
@@ -111,13 +111,22 @@
comment = All the tests I did killed my computer
apt = lrzip
files = *.lrz
+types = application/x-lrzip
command = lrzip --test {files}
not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc
[zstd-test]
apt = zstd
files = *.zst
+types = application/x-zstd
command = zstd --quiet --test {file}
not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc
+[lz4-test]
+apt = liblz4-tool
+files = *.lz4
+types = application/x-lz4
+command = lz4 --quiet --test {file}
+not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc
+
# vim:ft=dosini
diff -Nru check-all-the-things-2016.12.25/data/debian check-all-the-things-2017.01.15/data/debian
--- check-all-the-things-2016.12.25/data/debian 2016-12-25 07:43:09.000000000 +0800
+++ check-all-the-things-2017.01.15/data/debian 2017-01-15 10:37:30.000000000 +0800
@@ -47,8 +47,8 @@
command = lintian --info --display-info --display-experimental --pedantic --show-overrides --color auto {files}
[lintian4python]
-flags = todo package python perl-bug-588017
-comment = re-enable if the package is ever revived, see #768988 and #778796
+flags = apt-suggests package python perl-bug-588017
+comment = remove apt-suggests if the package is ever revived, see Debian #768988 and #778796
apt = lintian4python
files = ../*.changes ../*.deb ../*.dsc *.changes *.deb *.dsc
types = application/vnd.debian.binary-package
@@ -109,6 +109,7 @@
files = ./debian/control
command = pts-actions
+# TODO: decopy
# TODO: dep11-tools
# TODO: i18n
# TODO: vcswatch
diff -Nru check-all-the-things-2016.12.25/data/english check-all-the-things-2017.01.15/data/english
--- check-all-the-things-2016.12.25/data/english 2016-12-25 07:43:06.000000000 +0800
+++ check-all-the-things-2017.01.15/data/english 2017-01-15 10:37:30.000000000 +0800
@@ -35,5 +35,6 @@
# TODO: https://www.languagetool.org/ #403619
# TODO: http://jwilk.net/software/anorack
# TODO: https://github.com/decagon/pedant
+# TODO: https://github.com/atpaino/deep-text-correcter
# vim:ft=dosini
diff -Nru check-all-the-things-2016.12.25/data/java check-all-the-things-2017.01.15/data/java
--- check-all-the-things-2016.12.25/data/java 2016-12-25 07:43:10.000000000 +0800
+++ check-all-the-things-2017.01.15/data/java 2017-01-15 10:37:30.000000000 +0800
@@ -1,6 +1,6 @@
[jlint]
-flags = todo fixme fixme-silent
-comment = re-enable if it enters Debian again (#811366)
+flags = apt-suggests fixme fixme-silent
+comment = remove suggests tag if it enters Debian again (#811366)
apt = jlint
command = jlint.sh 2>&1 | fgrep -v 'Verification completed: 0 reported messages.'
diff -Nru check-all-the-things-2016.12.25/data/lisp check-all-the-things-2017.01.15/data/lisp
--- check-all-the-things-2016.12.25/data/lisp 2016-12-25 07:43:08.000000000 +0800
+++ check-all-the-things-2017.01.15/data/lisp 2017-01-15 10:37:30.000000000 +0800
@@ -2,4 +2,6 @@
flags = todo
comment = https://github.com/g000001/lisp-critic
+# TODO: https://github.com/fukamachi/sblint
+
# vim:ft=dosini
diff -Nru check-all-the-things-2016.12.25/data/misc check-all-the-things-2017.01.15/data/misc
--- check-all-the-things-2016.12.25/data/misc 2016-12-25 07:43:09.000000000 +0800
+++ check-all-the-things-2017.01.15/data/misc 2017-01-15 10:37:30.000000000 +0800
@@ -123,7 +123,7 @@
[timeless]
comment = Prevents reproducible builds: https://reproducible-builds.org/
-command = grep -rE ' __DATE__|__TIME__|__TIMESTAMP__' .
+command = grep -rE '__DATE__|__TIME__|__TIMESTAMP__' .
[project-flint]
flags = todo
diff -Nru check-all-the-things-2016.12.25/data/mp3 check-all-the-things-2017.01.15/data/mp3
--- check-all-the-things-2016.12.25/data/mp3 2016-12-25 07:43:06.000000000 +0800
+++ check-all-the-things-2017.01.15/data/mp3 2017-01-15 10:37:30.000000000 +0800
@@ -6,8 +6,8 @@
command = mp3check --error-check --anomaly-check {files}
[checkmp3]
-flags = todo audio
-comment = re-enable if it enters Debian again (#673319)
+flags = apt-suggests audio
+comment = remove suggests tag if it enters Debian again (#673319)
apt = checkmp3
files = *.mp3
types = audio/mpeg
diff -Nru check-all-the-things-2016.12.25/data/python check-all-the-things-2017.01.15/data/python
--- check-all-the-things-2016.12.25/data/python 2016-12-25 07:43:06.000000000 +0800
+++ check-all-the-things-2017.01.15/data/python 2017-01-15 10:37:30.000000000 +0800
@@ -1,16 +1,14 @@
[pyflakes]
-apt = pyflakes (>= 0.7.3)
+apt = pyflakes
files = *.py
types = text/x-python
-prereq = python2 -m pyflakes /dev/null
-command = python2 -m pyflakes {files}
+command = pyflakes {files}
[pyflakes3]
-apt = pyflakes3 | pyflakes (>= 0.7.3), pyflakes3 | pyflakes (<< 1.1.0-1)
+apt = pyflakes3 | pyflakes (<< 1.1.0-1)
files = *.py
types = text/x-python
-prereq = python3 -m pyflakes /dev/null
-command = python3 -m pyflakes {files}
+command = pyflakes3 {files}
[pep8]
flags = style
@@ -37,18 +35,16 @@
command = grep -F 'yaml.load' {files}
[pylint]
-apt = pylint (>= 1.1.0)
+apt = pylint
files = *.py
types = text/x-python
-prereq = python2 -m pylint --rcfile=/dev/null /dev/null
-command = python2 -m pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files}
+command = pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files}
[pylint3]
-apt = pylint3 (>= 1.1.0)
+apt = pylint3
files = *.py
types = text/x-python
-prereq = python3 -m pylint --rcfile=/dev/null /dev/null
-command = python3 -m pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files}
+command = pylint3 --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files}
# TODO: hacking
# TODO: flake8
diff -Nru check-all-the-things-2016.12.25/debian/changelog check-all-the-things-2017.01.15/debian/changelog
--- check-all-the-things-2016.12.25/debian/changelog 2016-12-25 08:02:09.000000000 +0800
+++ check-all-the-things-2017.01.15/debian/changelog 2017-01-15 10:37:30.000000000 +0800
@@ -1,3 +1,19 @@
+check-all-the-things (2017.01.15) unstable; urgency=high
+
+ * New release.
+ - The "Check Things Securely Not Portably" release
+ - Reset terminal modes after commands to avoid colour spew
+ - Improve compatibility with Python 3.6
+ - Update python checks to not work on other distros
+ because the `python -m` command is insecure
+ - Update checkers removed from Debian - allow to run if installed
+ - Update lrzip-test/zstd-test - add MIME types
+ - Add lz4-test - check lz4 compressed files
+ - Add path-max - check for non-portable path size macros
+ - TODO items for deep-text-correcter sblint decopy
+
+ -- Paul Wise <pabs@debian.org> Sun, 15 Jan 2017 10:37:30 +0800
+
check-all-the-things (2016.12.25) unstable; urgency=medium
* New release.
diff -Nru check-all-the-things-2016.12.25/doc/TODO check-all-the-things-2017.01.15/doc/TODO
--- check-all-the-things-2016.12.25/doc/TODO 2016-12-25 07:43:10.000000000 +0800
+++ check-all-the-things-2017.01.15/doc/TODO 2017-01-15 10:37:30.000000000 +0800
@@ -26,6 +26,7 @@
http://www.flycheck.org/en/latest/languages.html
https://atomlinter.github.io/
https://github.com/coala-analyzer/coala-bears/tree/master/bears
+https://github.com/coala/bear-docs
https://github.com/alecthomas/gometalinter
A mechanisms for filtering output is needed.
@@ -47,4 +48,9 @@
Add the ability to suggest command-lines for installing missing tools
+Check if any tests contain dangerous commands:
+
+python -m
+python -c
+
.. vim:ts=3 sw=3 et ft=rst