Debian Bug report logs - #487962
asciidoc 8.2.6 -a toc is --unsafe


Package: asciidoc; Maintainer for asciidoc is Fredrik Steen <stone@debian.org>; Source for asciidoc is src:asciidoc.

Reported by: Lucas Nussbaum <lucas@lucas-nussbaum.net>

Date: Thu, 19 Jun 2008 08:42:17 UTC

Severity: grave

Found in version asciidoc/8.2.6-1

Fixed in version asciidoc/8.2.7-2

Done: Alexander Wirt <formorer@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#487011; Package zaptel. Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: submit@bugs.debian.org
Subject: zaptel: FTBFS: ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js
Date: Thu, 19 Jun 2008 10:32:28 +0200
Package: zaptel
Version: 1:1.4.10.1~dfsg-1
Severity: serious
User: debian-qa@lists.debian.org
Usertags: qa-ftbfs-20080619 qa-ftbfs
Justification: FTBFS on i386

Hi,

During a rebuild of all packages in sid, your package failed to build on
i386.

Relevant part:
> ar cru libhexfile.a hexfile.o
> ranlib libhexfile.a
> cc -g -Wall  -D_GNU_SOURCE	   -c -o fpga_load.o fpga_load.c
> cc -L. -o fpga_load fpga_load.o  -lhexfile -lusb
> cc -g -Wall  -ansi -pedantic -std=c99 -c test_parse.c
> cc -L. -o test_parse test_parse.o  -lhexfile -lusb
> pod2man --section 8 zt_registration > zt_registration.8 || rm -f zt_registration.8
> pod2man --section 8 xpp_sync > xpp_sync.8 || rm -f xpp_sync.8
> pod2man --section 8 lszaptel > lszaptel.8 || rm -f lszaptel.8
> pod2man --section 8 xpp_blink > xpp_blink.8 || rm -f xpp_blink.8
> pod2man --section 8 zapconf > zapconf.8 || rm -f zapconf.8
> pod2man --section 8 zaptel_hardware > zaptel_hardware.8 || rm -f zaptel_hardware.8
> make[2]: Leaving directory `/build/user-zaptel_1.4.10.1~dfsg-1-amd64-DY3i4k/zaptel-1.4.10.1~dfsg-1/kernel/xpp/utils'
> perl -n -e \
> 		'if (/^#($|\s)(.*)/){ if (!$in_doc){print "\n"}; $in_doc=1; print "$2\n" } else { if ($in_doc){print "\n"}; $in_doc=0; print "  $_" }' \
> 		zaptel.conf.sample >zaptel.conf.asciidoc
> asciidoc -n -a toc -a toclevels=3 README
> ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js
> make[1]: *** [README.html] Error 1

The full build log is available from:
   http://people.debian.org/~lucas/logs/2008/06/19

This rebuild was done with gcc 4.3 instead of gcc 4.2, because gcc 4.3
is now the default on most architectures (even if it's not the case on
i386 yet).  Consequently, many failures are caused by the switch to gcc
4.3.
If you determine that this failure is caused by gcc 4.3, feel free to
downgrade this bug to 'important' if your package is only built on i386,
and this bug is specific to gcc 4.3 (i.e. the package builds fine with
gcc 4.2).

A list of current common problems and possible solutions is available at 
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
of the Grid'5000 platform, using a clean chroot containing a sid i386
environment.  Internet was not accessible from the build systems.

-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#487011; Package zaptel. Full text and rfc822 format available.

Acknowledgement sent to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 487011@bugs.debian.org (full text, mbox):

From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
To: Lucas Nussbaum <lucas@lucas-nussbaum.net>, 487011@bugs.debian.org
Subject: Re: Bug#487011: zaptel: FTBFS: ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js
Date: Thu, 19 Jun 2008 12:50:14 +0300
On Thu, Jun 19, 2008 at 10:32:28AM +0200, Lucas Nussbaum wrote:
> Package: zaptel
> Version: 1:1.4.10.1~dfsg-1
> Severity: serious
> User: debian-qa@lists.debian.org
> Usertags: qa-ftbfs-20080619 qa-ftbfs
> Justification: FTBFS on i386
> 
> Hi,
> 
> During a rebuild of all packages in sid, your package failed to build on
> i386.
> 
> Relevant part:
> > ar cru libhexfile.a hexfile.o
> > ranlib libhexfile.a
> > cc -g -Wall  -D_GNU_SOURCE	   -c -o fpga_load.o fpga_load.c
> > cc -L. -o fpga_load fpga_load.o  -lhexfile -lusb
> > cc -g -Wall  -ansi -pedantic -std=c99 -c test_parse.c
> > cc -L. -o test_parse test_parse.o  -lhexfile -lusb
> > pod2man --section 8 zt_registration > zt_registration.8 || rm -f zt_registration.8
> > pod2man --section 8 xpp_sync > xpp_sync.8 || rm -f xpp_sync.8
> > pod2man --section 8 lszaptel > lszaptel.8 || rm -f lszaptel.8
> > pod2man --section 8 xpp_blink > xpp_blink.8 || rm -f xpp_blink.8
> > pod2man --section 8 zapconf > zapconf.8 || rm -f zapconf.8
> > pod2man --section 8 zaptel_hardware > zaptel_hardware.8 || rm -f zaptel_hardware.8
> > make[2]: Leaving directory `/build/user-zaptel_1.4.10.1~dfsg-1-amd64-DY3i4k/zaptel-1.4.10.1~dfsg-1/kernel/xpp/utils'
> > perl -n -e \
> > 		'if (/^#($|\s)(.*)/){ if (!$in_doc){print "\n"}; $in_doc=1; print "$2\n" } else { if ($in_doc){print "\n"}; $in_doc=0; print "  $_" }' \
> > 		zaptel.conf.sample >zaptel.conf.asciidoc
> > asciidoc -n -a toc -a toclevels=3 README
> > ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js
> > make[1]: *** [README.html] Error 1

Seems to be new with asciidoc 8.2.6 (and does not happen with asciidoc
8.2.5).

> 
> The full build log is available from:
>    http://people.debian.org/~lucas/logs/2008/06/19
> 
> This rebuild was done with gcc 4.3 instead of gcc 4.2, because gcc 4.3
> is now the default on most architectures (even if it's not the case on
> i386 yet).  Consequently, many failures are caused by the switch to gcc
> 4.3.
> If you determine that this failure is caused by gcc 4.3, feel free to
> downgrade this bug to 'important' if your package is only built on i386,
> and this bug is specific to gcc 4.3 (i.e. the package builds fine with
> gcc 4.2).
> 
> A list of current common problems and possible solutions is available at 
> http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!
> 
> About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
> of the Grid'5000 platform, using a clean chroot containing a sid i386
> environment.  Internet was not accessible from the build systems.
> 
> -- 
> | Lucas Nussbaum
> | lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
> | jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
> 
> 
> 
> _______________________________________________
> Pkg-voip-maintainers mailing list
> Pkg-voip-maintainers@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-voip-maintainers

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen@xorcom.com
+972-50-7952406           mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com  iax:guest@local.xorcom.com/tzafrir




Bug 487011 cloned as bug 487962. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Wed, 25 Jun 2008 12:57:01 GMT) Full text and rfc822 format available.

Bug reassigned from package `zaptel' to `asciidoc'. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Wed, 25 Jun 2008 12:57:03 GMT) Full text and rfc822 format available.

Blocking bugs of 487011 added: 487962 Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Wed, 25 Jun 2008 12:57:05 GMT) Full text and rfc822 format available.

Changed Bug title to `asciidoc 8.2.6 -a toc is --unsafe' from `zaptel: FTBFS: ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js'. Request was from Tzafrir Cohen <tzafrir.cohen@xorcom.com> to control@bugs.debian.org. (Wed, 25 Jun 2008 13:30:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fredrik Steen <stone@debian.org>:
Bug#487962; Package asciidoc. Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Fredrik Steen <stone@debian.org>. Full text and rfc822 format available.

Message #23 received at 487962@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 487962@bugs.debian.org
Subject: Re: asciidoc 8.2.6 -a toc is --unsafe
Date: Sat, 28 Jun 2008 18:12:09 +0100
[Message part 1 (text/plain, inline)]
This bug is due to the file_in() function using os.path.realpath() rather
than normpath() to normalise the directory path it tests against.

normpath() resolves '.' and '..' path components without looking at the
filesystem.  realpath() also resolves symbolic links.

We shouldn't resolve symbolic links in the filename because they're
useful - and used in the case of /etc/asciidoc/javascripts.  Resolving
symbolic links before the check doesn't provide any safety against
symbolic link attacks, because the result is not cached.

The fix is trivial; NMU-diff follows.

Ben.

diff -u asciidoc-8.2.6/debian/changelog asciidoc-8.2.6/debian/changelog
--- asciidoc-8.2.6/debian/changelog
+++ asciidoc-8.2.6/debian/changelog
@@ -1,3 +1,10 @@
+asciidoc (8.2.6-1.1) unstable; urgency=low
+
+  * Non-maintainer upload
+  * Fixed normalisation of paths for include safety check (Closes: #487962)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 28 Jun 2008 17:00:52 +0100
+
 asciidoc (8.2.6-1) unstable; urgency=low
 
   * New upstream release (Closes: #478494)
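Review bot: the changelog line "Fixed normalisation of paths for include safety check" does not say what changed in behaviour; since the patch replaces os.path.realpath() with os.path.normpath(), include paths that go through a symbolic link (such as /etc/asciidoc/javascripts) are now accepted by the check, and a short mention of that would tell users of the safe mode both why their builds start working again and what the check no longer does.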
only in patch2:
unchanged:
--- asciidoc-8.2.6.orig/debian/patches/normpath-not-realpath.patch
+++ asciidoc-8.2.6/debian/patches/normpath-not-realpath.patch
@@ -0,0 +1,11 @@
+--- a/asciidoc.py
++++ b/asciidoc.py
+@@ -125,7 +125,7 @@
+     else:
+         assert os.path.isdir(directory)
+         directory = os.path.abspath(directory)
+-    fname = os.path.realpath(fname)
++    fname = os.path.normpath(fname)
+     return os.path.commonprefix((directory, fname)) == directory
+ 
+ def safe():
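Review bot: the unchanged comparison `return os.path.commonprefix((directory, fname)) == directory` is a character-wise prefix test, so a path under a sibling directory whose name merely starts with `directory` (for example `/etc/asciidoc-local/x` beside `/etc/asciidoc`) would also be accepted; comparing whole path components, e.g. `fname == directory or fname.startswith(directory + os.sep)`, closes that gap. A second consistency point: `directory` is made absolute with `os.path.abspath()` two lines above, while `fname` only gets `os.path.normpath()`, so a relative `fname` stays relative and can never match the absolute `directory`; `os.path.abspath(fname)` normalises as well and keeps both sides in the same form. Finally, because symlinks are no longer resolved, a link inside `directory` that points outside it now passes the check, which is the trade-off the cover letter argues for; it deserves a sentence in the patch header so the next maintainer does not "fix" it back to realpath().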
--- END ---

-- 
Ben Hutchings
Life would be so much easier if we could look at the source code.
[signature.asc (application/pgp-signature, inline)]
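To make the realpath()/normpath() difference concrete, here is an added example (not asciidoc's code and not part of Ben's patch) that reconstructs the three-line check from the hunk twice, once with each normalisation, and adds a stricter component-wise variant of my own. It builds a constructed directory layout in a temporary directory, with `conf/javascripts` as a symlink to `../share/javascripts` in the same way `/etc/asciidoc/javascripts` is a symlink on the reporter's system, and asks each variant whether `conf/./javascripts/toc.js` lies inside `conf`. The function names `file_in_realpath`, `file_in_normpath`, `file_in_strict` and `demo`, and the temporary layout, are assumptions of this example.

```python
import os
import shutil
import tempfile


def file_in_realpath(fname, directory):
    """Reconstruction of the asciidoc 8.2.6 check before the patch:
    realpath() follows symlinks, so a file reached through a link that
    points outside `directory` is rejected even if its path is under it."""
    directory = os.path.abspath(directory)
    fname = os.path.realpath(fname)
    return os.path.commonprefix((directory, fname)) == directory


def file_in_normpath(fname, directory):
    """Reconstruction of the patched check: normpath() only collapses
    '.' and '..' lexically and never looks at the filesystem."""
    directory = os.path.abspath(directory)
    fname = os.path.normpath(fname)
    return os.path.commonprefix((directory, fname)) == directory


def file_in_strict(fname, directory):
    """Added variant (hypothetical, not in the patch): compare whole path
    components so that '<dir>2/x' is not accepted as being inside '<dir>',
    which the character-wise commonprefix() test would allow."""
    directory = os.path.abspath(directory)
    fname = os.path.abspath(fname)  # abspath() normalises as well
    return fname == directory or fname.startswith(directory + os.sep)


def demo():
    """Build a constructed layout in a temp dir and run all three checks.

        <root>/conf/javascripts -> ../share/javascripts   (symlink)
        <root>/share/javascripts/toc.js                   (real file)

    Returns a dict of booleans describing what each check accepts."""
    root = tempfile.mkdtemp()
    try:
        conf = os.path.join(root, "conf")
        share_js = os.path.join(root, "share", "javascripts")
        os.makedirs(conf)
        os.makedirs(share_js)
        open(os.path.join(share_js, "toc.js"), "w").close()
        # Relative symlink, like /etc/asciidoc/javascripts on Debian.
        os.symlink(os.path.join("..", "share", "javascripts"),
                   os.path.join(conf, "javascripts"))

        # The exact shape of the failing include from the build log.
        target = os.path.join(conf, ".", "javascripts", "toc.js")
        # A sibling whose name merely starts with "conf" (prefix collision).
        sibling = os.path.join(root, "conf2", "x.js")
        # A lexical escape attempt via '..' that both checks must reject.
        escape = os.path.join(conf, "..", "share", "javascripts", "toc.js")

        return {
            "realpath_accepts_symlinked_include": file_in_realpath(target, conf),
            "normpath_accepts_symlinked_include": file_in_normpath(target, conf),
            "strict_accepts_symlinked_include": file_in_strict(target, conf),
            "normpath_accepts_prefix_sibling": file_in_normpath(sibling, conf),
            "strict_accepts_prefix_sibling": file_in_strict(sibling, conf),
            "normpath_accepts_dotdot_escape": file_in_normpath(escape, conf),
            "strict_accepts_dotdot_escape": file_in_strict(escape, conf),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first two results reproduce the bug report: the pre-patch check rejects the symlinked `toc.js`, the patched one accepts it. The `prefix_sibling` pair shows the commonprefix() weakness that survives the patch and that the component-wise variant avoids; the `dotdot_escape` pair shows that lexical normalisation alone is enough to stop a plain `..` walk out of the directory.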

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #28 received at 487962-close@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 487962-close@bugs.debian.org
Subject: Bug#487962: fixed in asciidoc 8.2.6-1.1
Date: Sat, 28 Jun 2008 17:17:03 +0000
Source: asciidoc
Source-Version: 8.2.6-1.1

We believe that the bug you reported is fixed in the latest version of
asciidoc, which is due to be installed in the Debian FTP archive:

asciidoc_8.2.6-1.1.diff.gz
  to pool/main/a/asciidoc/asciidoc_8.2.6-1.1.diff.gz
asciidoc_8.2.6-1.1.dsc
  to pool/main/a/asciidoc/asciidoc_8.2.6-1.1.dsc
asciidoc_8.2.6-1.1_all.deb
  to pool/main/a/asciidoc/asciidoc_8.2.6-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated asciidoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Jun 2008 17:00:52 +0100
Source: asciidoc
Binary: asciidoc
Architecture: source all
Version: 8.2.6-1.1
Distribution: unstable
Urgency: low
Maintainer: Fredrik Steen <stone@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 asciidoc   - Highly configurable text format for writing documentation
Closes: 487962
Changes: 
 asciidoc (8.2.6-1.1) unstable; urgency=low
 .
   * Non-maintainer upload
   * Fixed normalisation of paths for include safety check (Closes: #487962)
Checksums-Sha1: 
 a80780977a6505781a3b986947ab6a33468c383b 1090 asciidoc_8.2.6-1.1.dsc
 9c6f5a4b7bd0520274de7c1fd0286ed07796e349 4980 asciidoc_8.2.6-1.1.diff.gz
 5b7e55d2fd48731c01def253c0f09d8cad38c478 729048 asciidoc_8.2.6-1.1_all.deb
Checksums-Sha256: 
 623813ff411019308672b1bc840abdb716979f1c42f8301590fbcad267a61a64 1090 asciidoc_8.2.6-1.1.dsc
 c5bcc08d1080f884b15d4fe42ef2c47fc2f46ca24f3fe1a3dfe6825b53d7cd17 4980 asciidoc_8.2.6-1.1.diff.gz
 3bea4815844b79909d2b8b16db7fef44bd123980cba6c24ed750987c387424dd 729048 asciidoc_8.2.6-1.1_all.deb
Files: 
 ca01f51fb8988e176d1d27df6f748b7c 1090 text optional asciidoc_8.2.6-1.1.dsc
 fb2d31b9725ac79babce1d7432d75bb6 4980 text optional asciidoc_8.2.6-1.1.diff.gz
 c38c4066efa45716fab4ea8eaf5910df 729048 text optional asciidoc_8.2.6-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIZm6K79ZNCRIGYgcRAnSRAKCO9aO47qZENHW3+CuXKyHBfLEb/wCg5NPu
iIgnfQpZgWiYVqnYdX1f7tg=
=s56M
-----END PGP SIGNATURE-----





Bug reopened, originator not changed. Request was from Stefan Pfetzing <dreamind@dreamind.de> to control@bugs.debian.org. (Tue, 29 Jul 2008 12:45:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fredrik Steen <stone@debian.org>:
Bug#487962; Package asciidoc. Full text and rfc822 format available.

Acknowledgement sent to Stefan Pfetzing <dreamind@dreamind.de>:
Extra info received and forwarded to list. Copy sent to Fredrik Steen <stone@debian.org>. Full text and rfc822 format available.

Message #35 received at 487962@bugs.debian.org (full text, mbox):

From: Stefan Pfetzing <dreamind@dreamind.de>
To: 487962@bugs.debian.org
Subject: zaptel: FTBFS: ERROR: unsafe: include file: /etc/asciidoc/./javascripts/toc.js
Date: Tue, 29 Jul 2008 14:46:13 +0200
Hi,

this bug is still relevant to asciidoc 8.2.6-1 and 8.2.7-1.

bye

Stefan

-- 
        http://www.dreamind.de/
Oroborus and Debian GNU/Linux Developer.







Severity set to `grave' from `serious' Request was from Stefan Pfetzing <dreamind@dreamind.de> to control@bugs.debian.org. (Tue, 29 Jul 2008 12:48:09 GMT) Full text and rfc822 format available.

Reply sent to Alexander Wirt <formorer@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 487962-close@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: 487962-close@bugs.debian.org
Subject: Bug#487962: fixed in asciidoc 8.2.7-2
Date: Tue, 29 Jul 2008 17:47:03 +0000
Source: asciidoc
Source-Version: 8.2.7-2

We believe that the bug you reported is fixed in the latest version of
asciidoc, which is due to be installed in the Debian FTP archive:

asciidoc_8.2.7-2.diff.gz
  to pool/main/a/asciidoc/asciidoc_8.2.7-2.diff.gz
asciidoc_8.2.7-2.dsc
  to pool/main/a/asciidoc/asciidoc_8.2.7-2.dsc
asciidoc_8.2.7-2_all.deb
  to pool/main/a/asciidoc/asciidoc_8.2.7-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 487962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formorer@debian.org> (supplier of updated asciidoc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 29 Jul 2008 19:26:44 +0200
Source: asciidoc
Binary: asciidoc
Architecture: source all
Version: 8.2.7-2
Distribution: unstable
Urgency: low
Maintainer: Fredrik Steen <stone@debian.org>
Changed-By: Alexander Wirt <formorer@debian.org>
Description: 
 asciidoc   - Highly configurable text format for writing documentation
Closes: 487962
Changes: 
 asciidoc (8.2.7-2) unstable; urgency=low
 .
   * Reintroduce normpath-not-realpath.patch which fixes some FTBFS
     with packages that build their documentation with asciidoc
     (Closes: #487962). Thanks to Ben Hutchings for the patch.
Checksums-Sha1: 
 52a5b70d01f9b99034466be4d68468c968557dee 1090 asciidoc_8.2.7-2.dsc
 58bed57cc21dac143c346b14e2367cc6f497be32 4381 asciidoc_8.2.7-2.diff.gz
 2f8b68f85fb4081474f4535d835be1338f2f5e74 827604 asciidoc_8.2.7-2_all.deb
Checksums-Sha256: 
 60bc950f3ead4201ea93614596c0b3dae11194661b7e8db74fe50b4c04805de7 1090 asciidoc_8.2.7-2.dsc
 ca0c33e2af95acd5c203444b8f0ec6cd1ac4b5983540d726f2e1f66fb2a8cfac 4381 asciidoc_8.2.7-2.diff.gz
 36c6f1b0ca54496ab515983824a4f9108a2c1060b7ec9deea84a58fd208032b9 827604 asciidoc_8.2.7-2_all.deb
Files: 
 4c710db8db06ef348bca0b4b5d6ddba1 1090 text optional asciidoc_8.2.7-2.dsc
 0dc979aeea7aae93ef6fd509ab2ed73a 4381 text optional asciidoc_8.2.7-2.diff.gz
 e37db9aa3747cd9b5d2cf5c11d24133b 827604 text optional asciidoc_8.2.7-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiPU7gACgkQ01u8mbx9AgpuXQCg05lvybOpwxC4a8JQqpRSv3J9
/kgAoLRPJsqeBt1SRiBZ0m37klviyedj
=VPM5
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Sep 2008 07:36:32 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 09:11:30 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.