Debian Bug report logs - #533618
[collection/strings] fails on setuid/setgid/sticky files when run as root

version graph

Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <lintian-maint@debian.org>; Source for lintian is src:lintian.

Reported by: Peter Pentchev <roam@ringlet.net>

Date: Fri, 19 Jun 2009 10:57:05 UTC

Severity: normal

Tags: patch

Found in version lintian/2.2.10

Fixed in version lintian/2.2.13

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, roam@ringlet.net, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#533618; Package lintian. (Fri, 19 Jun 2009 10:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Pentchev <roam@ringlet.net>:
New Bug report received and forwarded. Copy sent to roam@ringlet.net, Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 19 Jun 2009 10:57:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Peter Pentchev <roam@ringlet.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [collection/strings] fails on setuid/setgid/sticky files when run as root
Date: Fri, 19 Jun 2009 13:50:16 +0300
[Message part 1 (text/plain, inline)]
Package: lintian
Version: 2.2.10
Severity: normal
Tags: patch

Hi,

Thanks a lot for working on lintian!

In version 2.2.10, the list of files examined by collection/strings was
limited to those containing ":<whitespace>ELF" to avoid false positives.
However, this kind of fails on packages containing setuid, setgid, or
sticky binaries *only when the lintian test is run as root*.

Of course, I realize that running lintian as root is discouraged, but
that's what pbuilder does by default, and IMHO there's no harm in
supporting it with a simple change such as the following patch :)
I'm reporting the bug against lintian-2.2.10 in squeeze, but it is also
present (and the patch is against) unstable's 2.2.12.  I hope that
this bug won't prevent the migration of 2.2.12 to squeeze, which would
be desirable because of the support for Policy 3.8.2 :>

Keep up the good work!

G'luck,
Peter

*** strings-on-setid-files.patch
Fix strings run as root on setuid, setgid, or sticky executables.

diff -urN lintian-2.2.12/collection/strings lintian-2.2.12-roam/collection/strings
--- lintian-2.2.12/collection/strings	2009-06-19 03:22:54.000000000 +0300
+++ lintian-2.2.12-roam/collection/strings	2009-06-19 13:01:40.000000000 +0300
@@ -27,7 +27,7 @@
 [ ! -f elf-index ] || rm -f elf-index
 exec >elf-index
 
-for bin in $(sed -rn 's/:\s+\bELF\b.+$//g;T;p' file-info); do
+for bin in $(sed -rn 's/:\s+((set[ug]id|sticky)\s+)*\bELF\b.+$//g;T;p' file-info); do
     echo "$bin"
     case $bin in
       /usr/lib/debug/*)


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages lintian depends on:
ii  binutils               2.19.1-1          The GNU assembler, linker and bina
ii  diffstat               1.47-1            produces graph of changes introduc
ii  dpkg-dev               1.15.2            Debian package development tools
ii  file                   5.03-1            Determines file type using "magic"
ii  gettext                0.17-6            GNU Internationalization utilities
ii  intltool-debian        0.35.0+20060710.1 Help i18n of RFC822 compliant conf
ii  libipc-run-perl        0.82-1            Perl module for running processes
ii  libparse-debianchangel 1.1.1-2           parse Debian changelogs and output
ii  libtimedate-perl       1.1600-9          Time and date functions for Perl
ii  liburi-perl            1.37+dfsg-1       Manipulates and accesses URI strin
ii  man-db                 2.5.5-2           on-line manual pager
ii  perl [libdigest-sha-pe 5.10.0-23         Larry Wall's Practical Extraction 

lintian recommends no packages.

Versions of packages lintian suggests:
ii  binutils-multiarch            2.19.1-1   Binary utilities that support mult
ii  libtext-template-perl         1.45-1     Text::Template perl module
ii  man-db                        2.5.5-2    on-line manual pager

-- no debconf information
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#533618; Package lintian. (Fri, 19 Jun 2009 18:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 19 Jun 2009 18:21:03 GMT) Full text and rfc822 format available.

Message #10 received at 533618@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Peter Pentchev <roam@ringlet.net>, 533618@bugs.debian.org
Subject: Re: Bug#533618: [collection/strings] fails on setuid/setgid/sticky files when run as root
Date: Fri, 19 Jun 2009 19:18:18 +0100
On Fri, 2009-06-19 at 13:50 +0300, Peter Pentchev wrote:
> In version 2.2.10, the list of files examined by collection/strings was
> limited to those containing ":<whitespace>ELF" to avoid false positives.
> However, this kind of fails on packages containing setuid, setgid, or
> sticky binaries *only when the lintian test is run as root*.

Indeed.  The issue, specifically, is that, when unpacked as a non-root
user, the extracted file *isn't* setuid as the unpacking user is unable
to create a file with the relevant permission bit set.

Thanks for the patch; for consistency with the expressions used
elsewhere in Lintian, I've applied a simpler version: "s/:\s+[^,]*\bELF
\b.+$//g".

Regards,

Adam




Tags added: pending Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 19 Jun 2009 18:21:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#533618; Package lintian. (Fri, 19 Jun 2009 22:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Pentchev <roam@ringlet.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Fri, 19 Jun 2009 22:12:02 GMT) Full text and rfc822 format available.

Message #17 received at 533618@bugs.debian.org (full text, mbox):

From: Peter Pentchev <roam@ringlet.net>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 533618@bugs.debian.org
Subject: Re: Bug#533618: [collection/strings] fails on setuid/setgid/sticky files when run as root
Date: Sat, 20 Jun 2009 01:10:23 +0300
[Message part 1 (text/plain, inline)]
On Fri, Jun 19, 2009 at 07:18:18PM +0100, Adam D. Barratt wrote:
> On Fri, 2009-06-19 at 13:50 +0300, Peter Pentchev wrote:
> > In version 2.2.10, the list of files examined by collection/strings was
> > limited to those containing ":<whitespace>ELF" to avoid false positives.
> > However, this kind of fails on packages containing setuid, setgid, or
> > sticky binaries *only when the lintian test is run as root*.
> 
> Indeed.  The issue, specifically, is that, when unpacked as a non-root
> user, the extracted file *isn't* setuid as the unpacking user is unable
> to create a file with the relevant permission bit set.

Exactly.  I guess I forgot to mention that in my original mail :)

> Thanks for the patch; for consistency with the expressions used
> elsewhere in Lintian, I've applied a simpler version: "s/:\s+[^,]*\bELF
> \b.+$//g".

Aye, that would work, too.  Thanks for the quick response! :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@space.bg    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Thu, 09 Jul 2009 16:24:08 GMT) Full text and rfc822 format available.

Notification sent to Peter Pentchev <roam@ringlet.net>:
Bug acknowledged by developer. (Thu, 09 Jul 2009 16:24:08 GMT) Full text and rfc822 format available.

Message #22 received at 533618-close@bugs.debian.org (full text, mbox):

From: Russ Allbery <rra@debian.org>
To: 533618-close@bugs.debian.org
Subject: Bug#533618: fixed in lintian 2.2.13
Date: Thu, 09 Jul 2009 16:17:34 +0000
Source: lintian
Source-Version: 2.2.13

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive:

lintian_2.2.13.dsc
  to pool/main/l/lintian/lintian_2.2.13.dsc
lintian_2.2.13.tar.gz
  to pool/main/l/lintian/lintian_2.2.13.tar.gz
lintian_2.2.13_all.deb
  to pool/main/l/lintian/lintian_2.2.13_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 533618@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 09 Jul 2009 09:11:14 -0700
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.2.13
Distribution: unstable
Urgency: low
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 lintian    - Debian package checker
Closes: 516530 533618 534134 534139 534141 534212 534218 534234 534276 534326 534580 534640 534684 534942 535308 535432 535566 535582
Changes: 
 lintian (2.2.13) unstable; urgency=low
 .
   The "triggerized install-info" release.
 .
   * Summary of tag changes:
     + Added:
       - install-info-used-in-maintainer-script
       - package-contains-info-dir-file
     + Removed:
       - info-documents-not-removed
       - install-info-not-called-with-quiet-option
       - missing-comma-after-substvar
       - postrm-calls-install-info
       - preinst-calls-install-info
 .
   * checks/control-file{,.desc}:
     + [RA] Rework missing-separator-between-lines to only include two
       specific package stanzas in the extra tag data and not include
       newlines.  Generalize it to also detect missing commas between
       substvars, replacing missing-comma-after-substvar.
   * checks/cruft{,.desc}:
     + [RA] Don't warn about outdated libtool if the package build-depends
       on libtool.  Thanks, Kurt Roeckx.  (Closes: #534134)
     + [RA] Fix typo in *-contains-ht-tags-file description.  Patch from
       Peter Pentchev.  (Closes: #534218)
   * checks/fields:
     + [ADB] If the Debian r-cran makefile include is used in the rules file,
       cdbs, debhelper and r-base-dev are required in Build-Depends.  Thanks,
       Charles Plessy.  (Closes: #534684)
     + [RA] Allow variable settings before ant, dpatch, and dh when
       checking debian/rules for dependencies.  Thanks, Ryan Niebur.
       (Closes: #535432)
   * checks/files{,.desc}:
     + [RA] Allow non-core Python packages to install files into
       /usr/lib/python*/dist-packages, the extension location for Python
       2.6 and later.  Thanks, Julian Andres Klode.  (Closes: #534212)
     + [RA] Check for /usr/share/info/dir files included in the package.
       Thanks, Bas Zoetekouw.  (Closes: #535566)
   * checks/infofiles{,.desc}:
     + [RA] Ignore dir files; they're a different error that's now caught
       by checks/files.
     + [RA] Remove all checking of maintainer scripts, since info dir
       entries are now handled with triggers.  Now always warn of info
       files without INFO-DIR-SECTION, even if install-info were called
       with a --section argument.  Warn of info files without a DIR-ENTRY
       section.  Thanks, Raphaël Hertzog.  (Closes: #534640)
     + [RA] Fix a bug in the detection of bad info file extensions that
       missed extensions containing the string "info".
     + [RA] Improve the long descriptions of tags about compression of info
       documents.
   * checks/init.d:
     + [RA] Take into account dangling symlinks in /etc/init.d.  Patch from
       Raphael Geissert.  (Closes: #534139)
     + [RA] Don't require symlink init scripts to be conffiles and realize
       they are included in the package even if the symlink is dangling.
       Thanks, Steve Langasek.  (Closes: #534326)
   * checks/manpages:
     + [RA] Don't warn about hyphens used as minus signs inside draft mode,
       since \- cannot be used there.  Based on a patch by Gennaro Oliva.
       (Closes: #535308)
   * checks/patch-systems:
     + [RA] Don't include the package name as extra data in tags that are
       only issued for source packages.  Patch from Raphael Geissert.
   * checks/scripts{,.desc}:
     + [RA] Lower certainty of read-in-maintainer-script to possible and
       mention false positives.  Thanks, Raphaël Hertzog.  (Closes: #534276)
     + [RA] Allow for output redirection when parsing diversions in
       maintainer scripts.  Thanks, Andreas Beckmann.  (Closes: #534942)
     + [ADB] Detect the use of the "source" bashism when the sourced filename
       contains a tilde or consists of a single character.  Thanks, Raphael
       Geissert and Ryan Niebur.
     + [RA] Avoid a false positive in the bashism check for trap with
       signal numbers when the the trap command contains a number.  Thanks,
       Julien Cristau.  (Closes: #534580)
     + [RA] Check for any maintainer script running install-info, since
       this is now handled with triggers.
   * checks/watch-file:
     + [RA] Use a consistent way of displaying the line number of a problem.
 .
   * collection/strings:
     + [ADB] Handle the fact that, when Lintian is run as root, the output of
       "file" on set[gu]id files may include the fact that they are set[gu]id.
       Thanks, Peter Pentchev.  (Closes: #533618)
 .
   * lib/Read_pkglists.pm:
     + [RA] Increment the package list format and expect the archive area
       as an additional argument.  Patch from Raphael Geissert.
   * lib/Spelling.pm:
     + [RA] Add changes misspelling.
     + [RA] Fix correction for endianness.  Thanks, Raphael Geissert.
       (Closes: #535582)
     + [RA] Only strip most punctuation from the end of each word, not from
       anywhere in the string.  We don't want to strip the period from
       res.size.  Thanks, Zack Weinberg.  (Closes: #534234)
   * lib/Tags.pm:
     + [RA] Replace all newlines in tag data with \n, not just the first.
       (Closes: #534141)
 .
   * man/lintian.1:
     + [RA] The archive area may be a comma-separated list of areas.  Patch
       from Raphael Geissert.
 .
   * private/update-coverage:
     + [RA] Provide a breakdown of tags only covered in the legacy test
       suite by test name.
 .
   * reporting/html_reports:
     + [RA] Change area back to section in the loop for generating the
       package index pages to be consistent with the page template.
     + [RA] Allow for multiple archive areas in the front page summary.
     + [RA] Add the archive area to the tag information.
   * reporting/templates/maintainer.tmpl:
     + [RA] Include the archive area in the source package heading if it's
       not main.  Include the archive area in the binary package heading if
       it's different than the source package archive area.
 .
   * unpack/list-{bin,src,udeb}pkg:
     + [RA] Collect information from multiple archive areas and include the
       archive area in the package list.  Patch from Raphael Geissert.
       (Closes: #516530)
Checksums-Sha1: 
 a335e888b483160766ee0602bc3f226530dbbac9 1167 lintian_2.2.13.dsc
 28b0275245d555fb2b7d72a40c691ea873eb65f0 722385 lintian_2.2.13.tar.gz
 b4fb1e784f44f5836441c707cdd3364526081b79 462854 lintian_2.2.13_all.deb
Checksums-Sha256: 
 35afe2ca26173e8f85b5a8da3de97b624b08dd74a69f8912fd64d99c05e90376 1167 lintian_2.2.13.dsc
 4687a24dddc127236466c06d8e4a36476553c0056d54f552d9c200b3027191e0 722385 lintian_2.2.13.tar.gz
 3501496ceddad214f4ff3d9bed5d80c0395b25b62aa415b9fd8d63c1ac475915 462854 lintian_2.2.13_all.deb
Files: 
 43ad42077220df7dfab500621579b181 1167 devel optional lintian_2.2.13.dsc
 c3cdf4c47ae2ce26e28045990e297989 722385 devel optional lintian_2.2.13.tar.gz
 0b5bac0161affb748236d632eeab9a1a 462854 devel optional lintian_2.2.13_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpWF7oACgkQ+YXjQAr8dHalswCgi//qwHJ1YlKq71YRi5T4Mjm5
Oc4AoIVcKYbp4HwlAElAVBwshOrOxrFm
=V1sp
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Aug 2009 07:28:44 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:21:25 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.