Your message dated Sun, 15 Jan 2017 12:09:00 +0000
with message-id <144f7197-55c1-9e13-d2c0-f5a96f93bdb1@thykier.net>
and subject line Re: Bug#851453: age-days: check-all-the-things/2017.01.15
has caused the Debian Bug report #851453,
regarding age-days: check-all-the-things/2017.01.15
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
851453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851453
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: age-days: check-all-the-things/2017.01.15
- From: Paul Wise <pabs@debian.org>
- Date: Sun, 15 Jan 2017 10:57:51 +0800
- Message-id: <1484449071.14188.85.camel@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: age-days

Please reduce the migration time for check-all-the-things to two days.

The version in unstable fixes arbitrary code execution security issues
reported by Jakub Wilk because `python -m` adds '.' to sys.path.

age-days 2 check-all-the-things/2017.01.15

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--
bye,
pabs

https://wiki.debian.org/PaulWise
diff -Nru check-all-the-things-2016.12.25/check-all-the-things check-all-the-things-2017.01.15/check-all-the-things --- check-all-the-things-2016.12.25/check-all-the-things 2016-12-25 07:43:10.000000000 +0800 +++ check-all-the-things-2017.01.15/check-all-the-things 2017-01-15 10:37:30.000000000 +0800 @@ -36,6 +36,7 @@ import time import signal import subprocess as ipc +import string import sys from textwrap import TextWrapper @@ -61,6 +62,7 @@ from curses import tigetstr, setupterm setupterm() erase_line = tigetstr('el') + reset_term = tigetstr('sgr0') try: from shutil import which @@ -139,7 +141,7 @@ return False -def spawn_ptyprocess(cmd, hide, header, footer, limit): +def spawn_ptyprocess(terminal, cmd, hide, header, footer, limit): lines = 0 trimmed = False @@ -158,6 +160,8 @@ lines += 1 if lines > limit: trimmed = True + if terminal: + sys.stdout.buffer.write(reset_term) print(*footer, sep='\n') sys.stdout.flush() proc.kill(signal.SIGTERM)
@@ -170,10 +174,12 @@ break if header and not hide: output_header() + if terminal and not trimmed: + sys.stdout.buffer.write(reset_term) return not bool(header), trimmed -def spawn_pty(cmd, hide, header, footer, limit): +def spawn_pty(terminal, cmd, hide, header, footer, limit): lines = 0 trimmed = False pipe = None @@ -198,6 +204,8 @@ lines += 1 if lines > limit: trimmed = True + if terminal: + sys.stdout.buffer.write(reset_term) print(*footer, sep='\r\n', end='\r\n') sys.stdout.flush() raise OSError @@ -209,10 +217,12 @@ pipe.close() if header and not hide: output_header() + if terminal and not trimmed: + sys.stdout.buffer.write(reset_term) return not bool(header), trimmed -def spawn_pipe(cmd, hide, header, footer, limit): +def spawn_pipe(terminal, cmd, hide, header, footer, limit): lines = 0 trimmed = False @@ -231,6 +241,8 @@ lines += 1 if lines > limit: trimmed = True + if terminal: + sys.stdout.buffer.write(reset_term) print(*footer, sep='\n') sys.stdout.flush() proc.terminate() 
@@ -250,26 +262,30 @@ sys.stdout.flush() if header and not hide: output_header() + if terminal and not trimmed: + sys.stdout.buffer.write(reset_term) return not bool(header), trimmed -def spawn_none(cmd, header): +def spawn_none(terminal, cmd, header): show_header(header) ipc.call(cmd, shell=True, stderr=ipc.STDOUT) + if terminal: + sys.stdout.buffer.write(reset_term) return True, False -def spawn(method, cmd, hide, header, footer, limit): +def spawn(terminal, method, cmd, hide, header, footer, limit): if method == 'pipe': - return spawn_pipe(cmd, hide, header, footer, limit) + return spawn_pipe(terminal, cmd, hide, header, footer, limit) elif method == 'ptyprocess': show_progress(cmd) - return spawn_ptyprocess(cmd, hide, header, footer, limit) + return spawn_ptyprocess(terminal, cmd, hide, header, footer, limit) elif method == 'pty': show_progress(cmd) - return spawn_pty(cmd, hide, header, footer, limit) + return spawn_pty(terminal, cmd, hide, header, footer, limit) elif method == 'none': - return spawn_none(cmd, header) + return spawn_none(terminal, cmd, header) else: raise RuntimeError @@ -373,9 +389,12 @@ def set_command(self, value): self.cmd = cmd = value.strip() - d = collections.defaultdict(str) - cmd.format(**d) - nargs = 1 * ('file' in d) + 2 * ('files' in d) + fields = { + field + for text, field, fmt, conv + in string.Formatter().parse(cmd) + } + nargs = 1 * ('file' in fields) + 2 * ('files' in fields) if nargs >= 3: raise RuntimeError('invalid command specification: ' + cmd) self.cmd_nargs = nargs @@ -448,7 +467,7 @@ tfcmd += '''-print0 -o ''' tfcmd += '''-exec sh -c 'file --mime-type -r0 "$1" | cut -d "" -f 2 | grep -qP "^: ''' tfcmd += self._types_re - tfcmd += '''$" && printf "%s\\0" "$1"' sh {} \; | xargs -0''' + tfcmd += '''$" && printf "%s\\0" "$1"' sh {} \\; | xargs -0''' if self.cmd_nargs == 1: tfcmd += 'n1' fcmd += [tfcmd, self.cmd.format(**null_kwargs)] 
@@ -469,6 +488,8 @@ raise UnmetPrereq('command not found: ' + cmd) else: try: + # For Python 3.2 compatibility, open /dev/null manually instead + # of using subprocess.DEVNULL with open(os.devnull, 'wb') as dev_null: ipc.check_call( ['sh', '-e', '-c', self.prereq], @@ -568,7 +589,7 @@ prompt = '# $ ' if manual or todo else '$ ' header += prompt + cmd if run: - output, trimmed = spawn(method, cmd, hide, header, footer, limit) + output, trimmed = spawn(terminal, method, cmd, hide, header, footer, limit) if not output and hide: remark(remarks, name, 'no output') if trim and trimmed: @@ -804,7 +825,7 @@ except ValueError: print('ERROR: Could not parse deps for {}: {}'.format(name, check.apt), file=sys.stderr) sys.exit(1) - if not check.is_flag_set('todo'): + if not check.is_flag_set('todo') and not check.is_flag_set('apt-suggests'): recommends.append(check.apt) else: suggests.append(check.apt) @@ -1051,11 +1072,15 @@ except KeyboardInterrupt: if options.interrupt in {'exit', 'quit'} or (time.time() - last_interrupt) < options.interrupt_period: if output: + if terminal: + sys.stdout.buffer.write(reset_term) print() sys.exit() elif options.interrupt == 'skip': remark(remarks, name, 'user interrupted') if output: + if terminal: + sys.stdout.buffer.write(reset_term) print() last_interrupt = time.time() if output: diff -Nru check-all-the-things-2016.12.25/data/c check-all-the-things-2017.01.15/data/c --- check-all-the-things-2016.12.25/data/c 2016-12-25 07:49:02.000000000 +0800 +++ check-all-the-things-2017.01.15/data/c 2017-01-15 10:37:30.000000000 +0800 
@@ -127,6 +127,17 @@ https://kitware.github.io/KWStyle/resources/documentation.html command = KWStyle -R -d . +[path-max] +files = + *.c *.cc *.cxx *.cpp + *.h *.hh *.hxx *.hpp +types = text/x-c text/x-c++ +command = grep -wE 'PATH_MAX|MAXPATHLEN' {files} +comment = + You should not assume that paths are at most PATH_MAX characters long. + Some operating systems (e.g. Hurd) don't define PATH_MAX at all. + Others (e.g. Linux, OS X) define it, but don't enforce the limit. + # TODO: pscan # TODO: adlint # TODO: sparse diff -Nru check-all-the-things-2016.12.25/data/compression check-all-the-things-2017.01.15/data/compression --- check-all-the-things-2016.12.25/data/compression 2016-12-25 07:49:25.000000000 +0800 +++ check-all-the-things-2017.01.15/data/compression 2017-01-15 10:37:30.000000000 +0800 @@ -111,13 +111,22 @@ comment = All the tests I did killed my computer apt = lrzip files = *.lrz +types = application/x-lrzip command = lrzip --test {files} not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc [zstd-test] apt = zstd files = *.zst +types = application/x-zstd command = zstd --quiet --test {file} not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc +[lz4-test] +apt = liblz4-tool +files = *.lz4 +types = application/x-lz4 +command = lz4 --quiet --test {file} +not-dirs = .git .svn .bzr CVS .hg _darcs _FOSSIL_ .sgdrawer .pc + # vim:ft=dosini diff -Nru check-all-the-things-2016.12.25/data/debian check-all-the-things-2017.01.15/data/debian --- check-all-the-things-2016.12.25/data/debian 2016-12-25 07:43:09.000000000 +0800 +++ check-all-the-things-2017.01.15/data/debian 2017-01-15 10:37:30.000000000 +0800 
@@ -47,8 +47,8 @@ command = lintian --info --display-info --display-experimental --pedantic --show-overrides --color auto {files} [lintian4python] -flags = todo package python perl-bug-588017 -comment = re-enable if the package is ever revived, see #768988 and #778796 +flags = apt-suggests package python perl-bug-588017 +comment = remove apt-suggests if the package is ever revived, see Debian #768988 and #778796 apt = lintian4python files = ../*.changes ../*.deb ../*.dsc *.changes *.deb *.dsc types = application/vnd.debian.binary-package @@ -109,6 +109,7 @@ files = ./debian/control command = pts-actions +# TODO: decopy # TODO: dep11-tools # TODO: i18n # TODO: vcswatch diff -Nru check-all-the-things-2016.12.25/data/english check-all-the-things-2017.01.15/data/english --- check-all-the-things-2016.12.25/data/english 2016-12-25 07:43:06.000000000 +0800 +++ check-all-the-things-2017.01.15/data/english 2017-01-15 10:37:30.000000000 +0800 @@ -35,5 +35,6 @@ # TODO: https://www.languagetool.org/ #403619 # TODO: http://jwilk.net/software/anorack # TODO: https://github.com/decagon/pedant +# TODO: https://github.com/atpaino/deep-text-correcter # vim:ft=dosini diff -Nru check-all-the-things-2016.12.25/data/java check-all-the-things-2017.01.15/data/java --- check-all-the-things-2016.12.25/data/java 2016-12-25 07:43:10.000000000 +0800 +++ check-all-the-things-2017.01.15/data/java 2017-01-15 10:37:30.000000000 +0800 @@ -1,6 +1,6 @@ [jlint] -flags = todo fixme fixme-silent -comment = re-enable if it enters Debian again (#811366) +flags = apt-suggests fixme fixme-silent +comment = remove suggests tag if it enters Debian again (#811366) apt = jlint command = jlint.sh 2>&1 | fgrep -v 'Verification completed: 0 reported messages.' diff -Nru check-all-the-things-2016.12.25/data/lisp check-all-the-things-2017.01.15/data/lisp --- check-all-the-things-2016.12.25/data/lisp 2016-12-25 07:43:08.000000000 +0800 +++ check-all-the-things-2017.01.15/data/lisp 2017-01-15 10:37:30.000000000 +0800 
@@ -2,4 +2,6 @@ flags = todo comment = https://github.com/g000001/lisp-critic +# TODO: https://github.com/fukamachi/sblint + # vim:ft=dosini diff -Nru check-all-the-things-2016.12.25/data/misc check-all-the-things-2017.01.15/data/misc --- check-all-the-things-2016.12.25/data/misc 2016-12-25 07:43:09.000000000 +0800 +++ check-all-the-things-2017.01.15/data/misc 2017-01-15 10:37:30.000000000 +0800 @@ -123,7 +123,7 @@ [timeless] comment = Prevents reproducible builds: https://reproducible-builds.org/ -command = grep -rE ' __DATE__|__TIME__|__TIMESTAMP__' . +command = grep -rE '__DATE__|__TIME__|__TIMESTAMP__' . [project-flint] flags = todo diff -Nru check-all-the-things-2016.12.25/data/mp3 check-all-the-things-2017.01.15/data/mp3 --- check-all-the-things-2016.12.25/data/mp3 2016-12-25 07:43:06.000000000 +0800 +++ check-all-the-things-2017.01.15/data/mp3 2017-01-15 10:37:30.000000000 +0800 @@ -6,8 +6,8 @@ command = mp3check --error-check --anomaly-check {files} [checkmp3] -flags = todo audio -comment = re-enable if it enters Debian again (#673319) +flags = apt-suggests audio +comment = remove suggests tag if it enters Debian again (#673319) apt = checkmp3 files = *.mp3 types = audio/mpeg diff -Nru check-all-the-things-2016.12.25/data/python check-all-the-things-2017.01.15/data/python --- check-all-the-things-2016.12.25/data/python 2016-12-25 07:43:06.000000000 +0800 +++ check-all-the-things-2017.01.15/data/python 2017-01-15 10:37:30.000000000 +0800 @@ -1,16 +1,14 @@ [pyflakes] -apt = pyflakes (>= 0.7.3) +apt = pyflakes files = *.py types = text/x-python -prereq = python2 -m pyflakes /dev/null -command = python2 -m pyflakes {files} +command = pyflakes {files} [pyflakes3] -apt = pyflakes3 | pyflakes (>= 0.7.3), pyflakes3 | pyflakes (<< 1.1.0-1) +apt = pyflakes3 | pyflakes (<< 1.1.0-1) files = *.py types = text/x-python -prereq = python3 -m pyflakes /dev/null -command = python3 -m pyflakes {files} +command = pyflakes3 {files} [pep8] flags = style 
@@ -37,18 +35,16 @@ command = grep -F 'yaml.load' {files} [pylint] -apt = pylint (>= 1.1.0) +apt = pylint files = *.py types = text/x-python -prereq = python2 -m pylint --rcfile=/dev/null /dev/null -command = python2 -m pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files} +command = pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files} [pylint3] -apt = pylint3 (>= 1.1.0) +apt = pylint3 files = *.py types = text/x-python -prereq = python3 -m pylint --rcfile=/dev/null /dev/null -command = python3 -m pylint --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files} +command = pylint3 --rcfile=/dev/null --msg-template='{{path}}:{{line}}:{{column}}: [{{category}}:{{symbol}}] {{obj}}: {{msg}}' --reports=n {files} # TODO: hacking # TODO: flake8 diff -Nru check-all-the-things-2016.12.25/debian/changelog check-all-the-things-2017.01.15/debian/changelog --- check-all-the-things-2016.12.25/debian/changelog 2016-12-25 08:02:09.000000000 +0800 +++ check-all-the-things-2017.01.15/debian/changelog 2017-01-15 10:37:30.000000000 +0800 
@@ -1,3 +1,19 @@ +check-all-the-things (2017.01.15) unstable; urgency=high + + * New release. + - The "Check Things Securely Not Portably" release + - Reset terminal modes after commands to avoid colour spew + - Improve compatibility with Python 3.6 + - Update python checks to not work on other distros + because the `python -m` command is insecure + - Update checkers removed from Debian - allow to run if installed + - Update lrzip-test/zstd-test - add MIME types + - Add lz4-test - check lz4 compressed files + - Add path-max - check for non-portable path size macros + - TODO items for deep-text-correcter sblint decopy + + -- Paul Wise <pabs@debian.org> Sun, 15 Jan 2017 10:37:30 +0800 + check-all-the-things (2016.12.25) unstable; urgency=medium * New release. diff -Nru check-all-the-things-2016.12.25/doc/TODO check-all-the-things-2017.01.15/doc/TODO --- check-all-the-things-2016.12.25/doc/TODO 2016-12-25 07:43:10.000000000 +0800 +++ check-all-the-things-2017.01.15/doc/TODO 2017-01-15 10:37:30.000000000 +0800 @@ -26,6 +26,7 @@ http://www.flycheck.org/en/latest/languages.html https://atomlinter.github.io/ https://github.com/coala-analyzer/coala-bears/tree/master/bears +https://github.com/coala/bear-docs https://github.com/alecthomas/gometalinter A mechanisms for filtering output is needed. @@ -47,4 +48,9 @@ Add the ability to suggest command-lines for installing missing tools +Check if any tests contain dangerous commands: + +python -m +python -c + .. vim:ts=3 sw=3 et ft=rstAttachment: signature.asc
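Review bot: In the `@@ -61,6 +62,7 @@` hunk, `tigetstr('sgr0')` returns None when the terminal description has no sgr0 capability, and every later `sys.stdout.buffer.write(reset_term)` would then raise TypeError; initialise it defensively next to `erase_line`, e.g. `reset_term = tigetstr('sgr0') or b''`. The write sites added in the spawn_* functions and in the KeyboardInterrupt handler also write the escape bytes to the binary `sys.stdout.buffer` while the surrounding `print()` output sits in the text layer's buffer, so a `sys.stdout.flush()` before each `sys.stdout.buffer.write(reset_term)` is needed to keep the reset sequence from landing ahead of text that is still pending.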
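Review bot: In the `set_command` hunk, `string.Formatter().parse(cmd)` yields the raw field name, so a command written as `{file.name}` or `{files[0]}` produces a field that is neither 'file' nor 'files' and is silently counted as taking no arguments; normalise the name first (`field.split('.')[0].split('[')[0]`) or reject any field outside {'file', 'files'} with the existing RuntimeError. Otherwise this is an improvement over `cmd.format(**defaultdict(str))`, which only recorded the fields as a side effect of rendering the whole template; note that `parse` yields None as the field for trailing literal text, which is harmless here.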
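Review bot: The `\\;` change in the tfcmd hunk is correct: inside a non-raw triple-quoted string `\;` is an unrecognised escape, which Python 3.6 starts reporting as a DeprecationWarning (the "Improve compatibility with Python 3.6" changelog item), while the bytes handed to `find -exec ... \;` are the same either way, and the line already spells the printf terminator as `\\0`. Since the expression is now a thicket of escaped backslashes and nested quotes, a raw `r'''...'''` string would make it easier to audit.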
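Review bot: The data/python hunks (`pyflakes {files}`, `pyflakes3 {files}`, `pylint ...`, `pylint3 ...`, with the matching `prereq` lines dropped) are the actual security fix named in the bug report: `python -m` prepends the working directory to sys.path, so a tree under review could carry a `pyflakes.py` or `pylint.py` that the checker would import and execute, and the old `prereq` lines ran the same invocation. Since `pyflakes3` and `pylint3` are Debian-specific executable names (the changelog records that these checks no longer work on other distributions), a `comment =` line in those sections saying so would spare users elsewhere a confusing "command not found".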
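Review bot: Removing the leading space from `' __DATE__|__TIME__|__TIMESTAMP__'` in the timeless hunk fixes a pattern that only matched `__DATE__` when preceded by a space while the other two alternatives had no such restriction; consider `grep -rwE` so the macros are matched as whole words, as the new path-max check already does with `grep -wE`.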
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
- To: Paul Wise <pabs@debian.org>, 851453-done@bugs.debian.org
- Subject: Re: Bug#851453: age-days: check-all-the-things/2017.01.15
- From: Niels Thykier <niels@thykier.net>
- Date: Sun, 15 Jan 2017 12:09:00 +0000
- Message-id: <144f7197-55c1-9e13-d2c0-f5a96f93bdb1@thykier.net>
- In-reply-to: <1484449071.14188.85.camel@debian.org>
- References: <1484449071.14188.85.camel@debian.org>
Paul Wise:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: age-days
>
> Please reduce the migration time for check-all-the-things to two days.
>
> The version in unstable fixes arbitrary code execution security issues
> reported by Jakub Wilk because `python -m` adds '.' to sys.path.
>
> age-days 2 check-all-the-things/2017.01.15
>
> [...]

Aged, thanks.

~Niels
--- End Message ---