-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 16 Apr 2013 17:32:09 +0200
Source: lintian
Binary: lintian
Architecture: source all
Version: 2.5.12
Distribution: experimental
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian    - Debian package checker
Closes: 359059 591812 615516 652380 652595 659335 668437 670963 678857 681061 683737 685299 692548 693918 695839 695866 695967 696230 696960 697534 697693 697916 698234 698602 698610 698704 698720 699452 699628 699670 700110 700543 700882 701061 703490 703978 703985 703989 704446 705175
Changes:
 lintian (2.5.12) experimental; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - ambiguous-paragraph-in-dep5-copyright
       - binary-file-built-without-LFS-support
       - debian-tests-control-is-not-a-regular-file
       - debian-tests-control-uses-national-encoding
       - debug-file-with-no-debug-symbols
       - desktop-entry-lacks-keywords-entry
       - dir-or-file-in-build-tree
       - dir-or-file-in-etc-opt
       - dir-or-file-in-home
       - file-name-is-not-valid-UTF-8
       - font-adobe-copyrighted-fragment-no-credit
       - font-package-not-multi-arch-foreign
       - illegal-runtime-test-name
       - inconsistent-testsuite-field
       - license-problem-gfdl-invariants
       - license-problem-gfdl-invariants-empty
       - menu-icon-uses-relative-path
       - missing-runtime-test-file
       - missing-runtime-tests-field
       - package-contains-broken-symlink-wildcard
       - package-contains-unsafe-symlink
       - runtime-test-file-is-not-a-regular-file
       - source-contains-unsafe-symlink
       - unknown-runtime-tests-feature
       - unknown-runtime-tests-field
       - unknown-runtime-tests-restriction
       - unknown-testsuite
       - vcs-field-bitrotted
       - vcs-git-uses-invalid-user-uri
       - zip-parse-error
     + Removed:
       - unneeded-build-dep-on-quilt
 .
   * checks/*:
     + [NT] Avoid following unsafe symlinks. (CVE-2013-1429)
   * checks/binaries{,.desc}:
     + [NT] Accept libx32 as a bi-arch directory.
     + [NT] Correct reference policy reference. Thanks to Samuel Bronson for the correction. (Closes: #698234)
     + [NT] Detect debug ELF binaries with no debug symbols. Thanks to Nelson A. de Oliveira for the report. (Closes: #668437)
     + [NT] Check for binaries built without LFS. This can only be checked for 32bit binaries as 64bit binaries have LFS by definition. Thanks to Guillem Jover for the report and patches. (Closes: #670963)
     + [NT] Apply patch from Samuel Bronson to bump severity (but decrease certainty) of the "not linked against libc" tags. (Closes: #698720)
   * checks/copyright:
     + [NT] Apply patch from Evgeni Golov to avoid a false positive tag when the MPL-2.0 license appears in the copyright file. (See #626454)
   * checks/cruft{,.desc}:
     + [NT] Do not emit the license-problem-json-evil tag for non-free packages.
     + [NT] Apply patch from Bastien Roucariès to catch GFDL licenses with invariants (etc.). (Closes: #695967)
     + [NT] Correct description of an autotools tag. Thanks to Alberto Garcia and Timo Juhani Lindfors for the report and patch. (Closes: #703490)
     + [NT] Check for unsafe symlinks (outside common testsuite paths).
   * checks/debconf:
     + [NT] Fix several path traversal issues that could leak information about the host system. (CVE-2013-1429)
   * checks/debhelper{,.desc}:
     + [JW] Assume the proper python helpers are called if a (Makefile) variable is used. (Closes: #659335)
     + [JW] Promote python-depends-but-no-python-helper and python3-depends-but-no-python3-helper to non-experimental.
   * checks/description:
     + [NT] Ignore "extended-description-is-probably-too-short" for metapackages. Thanks to Axel Beckert for the report.
   * checks/duplicate-files.desc:
     + [NT] Demote severity of "duplicate-files" tag to pedantic.
   * checks/fields{,.desc}:
     + [NT] Apply patch from Samuel Bronson to detect some broken or poor Vcs URLs. Also thanks to James McCoy for his report. (Closes: #652595)
     + [JW] Reduce severity of b-d-on-python-dev-with-no-arch-any to minor.
     + [NT] Skip "depends-on-packaging-dev" for metapackages.
     + [NT] Apply patch from Gregor Herrmann to catch metacpan homepage links with versions. (Closes: #700110)
     + [NT] Apply patch from Vasudev Kamath to detect fonts packages without a Multi-Arch foreign (or allowed) field. (Closes: #701061)
   * checks/files{,.desc}:
     + [NT] Apply patch from Bastien Roucariès to catch paths in (common) build dirs. (Closes: #678857)
     + [NT] Do not suggest the use of "virtual package" as a way to suppress empty-binary-package. Lintian will still accept the phrase for now.
     + [NT] Accept libx32 as a bi-arch directory.
     + [NT] Ignore gzipped lintian overrides when checking whether a package is empty.
     + [NT] Fix typo of Pre-Depends, thanks to Raúl Benencia for spotting it. (Closes: #699452)
     + [NT] Add patch from Bastien Roucariès to check for another adobe font license issue. (Closes: #705175)
     + [NT] Test for use of file names that contain invalid UTF-8 byte sequences. Thanks to Helmut Grohne for the suggestion. (Closes: #704446)
   * checks/init.d:
     + [NT] Fix regression where Lintian would not properly match init.d passed to update-rc.d. Thanks to Michael Meskes for reporting. (Closes: #698602)
     + [NT] Fix possible symlink traversal that could leak information about the host system. (CVE-2013-1429)
   * checks/java{,.desc}:
     + [NT] Report possibly broken jar files.
   * checks/md5sums:
     + [NT] Fix path traversal issue that could leak information about the host system.
   * checks/menu-format{,.desc}:
     + [NT] Apply patch from Bastien Roucariès to detect missing "Keywords" in desktop files. Thanks to Jeremy Bicha for the report. (Closes: #693918)
     + [NT] Apply patch from Matthias Klumpp to add missing "Science" category. (Closes: #697693)
     + [NT] Apply patch from Thomas Preud'homme to detect uses of relative icons in menu files. (Closes: #697916)
     + [NT] Document why only XPM are allowed in the tag description of menu-icon-not-in-xpm-format. (Closes: #591812)
   * checks/menus:
     + [NT] Fix path traversal issue that could leak information about the host system. (CVE-2013-1429)
   * checks/patch-systems{,.desc}:
     + [NT] Retire unneeded-build-dep-on-quilt; it is only a pedantic tag and apparently not too accurate. Thanks to Charles Plessy and Frank Kuester for the reports. (Closes: #615516, #681061)
   * checks/po-debconf:
     + [NT] Unconditionally set INTLTOOL_EXTRACT.
   * checks/rules:
     + [NT] Remove ant1.7 as alternative to ant as ant1.7 has been removed from Wheezy.
   * checks/scripts:
     + [NT] Treat scripts in /usr/src/ like they were documentation.
   * checks/shared-libs:
     + [NT] Special case gcc packages when looking for dev symlinks. gcc stores its dev symlinks in some special directories.
     + [NT] Fix path traversal issue that could leak information about the host system. (CVE-2013-1429)
   * checks/source-copyright{,.desc}:
     + [JW,NT] Add a separate tag for ambiguous DEP-5 paragraphs, where Lintian cannot reliably figure out what is intended. Thanks to Julian Taylor for the report. (Closes: #652380)
     + [NT] Add paragraph line number to the "field typo" tag.
   * checks/symlinks{,.desc}:
     + [NT] Warn about broken symlinks that contain a literal "*" in their target. This is usually a sign that a wildcard did not properly expand. Thanks to Bernd Zeimetz for the report. (Closes: #683737)
     + [NT] Demote certainty of package-contains-broken-symlink to wild-guess.
     + [NT] Check for unsafe symlinks in binary packages.
   * checks/testsuite{,.desc}:
     + [NT] New check written by Nicolas Boulenguez to catch some mistakes with the new autopkgtest tests.
 .
   * collection/*:
     + [NT] Avoid reading files outside the package root. (CVE-2013-1429)
   * collection/{changelog-file,debian-readme}:
     + [NT] Ignore files in usr/doc/<pkg>.
     + [NT] Skip collection if usr/share/doc/<pkg> is not contained within the package root. (CVE-2013-1429)
   * collection/hardening-info{,-helper,.desc}:
     + [NT] Whitelist "memset" and "memmove" as "always safe" functions. Thanks to Sebastian Ramacher for the suggestion and Roland Stigge for the report. (Closes: #685299)
     + [NT] Remove workaround for #677530.
   * collection/index{,.desc}:
     + [NT] Fix missing trailing slash on dirnames and bump index version accordingly. Thanks to Nicolas Boulenguez for noticing.
   * collection/java-info:
     + [NT] Gracefully handle broken Jar files. Thanks to Paul Tagliamonte for the report. (Closes: #700543)
   * collection/strings:
     + [NT] Fix a regression in filtering out "debug" ELF binaries.
 .
   * data/binaries/arch-regex:
     + [NT] Recognise x32 as an ELF32 binary.
   * data/fields/obsolete-packages:
     + [NT] Apply patch from Guillem Jover to add fuse-utils as an obsolete package. (Closes: #697534)
   * data/files/locale-codes:
     + [NT] Refresh against sid data files.
   * data/menu-format/add-categories:
     + [NT] Apply patch from Matthias Klumpp to add missing subcategories.
   * data/output/manual-references:
     + [NT] Refresh with Policy 3.9.4.
   * data/scripts/interpreter:
     + [NT] Add cfagent as a known interpreter. Thanks to Andreas Mundt for the suggestion. (Closes: #699670)
   * data/scripts/versioned-interpreters:
     + [NT] Apply patch from Thijs Kinkhorst to add lua5.2 as a versioned alternative to lua. (Closes: #698704)
   * data/shared-libs/ldconfig-dirs:
     + [NT] Add libx32 and usr/libx32 used by some gcc x32 bi-arch packages.
   * data/spelling/corrections{,-case}:
     + [JW] Add correction for "privileges". (Closes: #700882)
     + [NT] Warn about incorrect case of "OpenStreetMap". Thanks to Paul Wise for the patch.
 .
   * debian/control:
     + [NT] Bump dependency on hardening-includes to avoid having to work around #677530.
     + [NT] Add XS-Testsuite for autopkgtest tests.
     + [NT] Add Build-Depends on libtest-perl-critic-perl.
     + [NT] Add (Build-)Depends on liblist-moreutils-perl and libfile-basedir-perl.
     + [NT] Add versioned (Build-)Depends on perl | libautodie-perl.
   * debian/lintian.install:
     + [NT] Install Test::Lintian in /usr/share/lintian/lib.
   * debian/rules:
     + [NT] Include the new Tutorial pods in the "api-doc" target.
   * debian/tests/{control,testsuite,testsuite-legacy}:
     + [NT] New file.
 .
   * doc/tutorial/Lintian/Tutorial{/WritingChecks}.pod:
     + [NT] Add POD tutorial on writing checks.
 .
   * frontend/lintian{,-info}:
     + [NT] Add --include-dir command line option. This can be used to load additional Lintian checks, profiles, libraries or data. (Closes: #359059)
   * frontend/lintian:
     + [NT] Remove "make-shift" lab-query support now that Lintian::Lab supports it.
     + [NT] Add new command line option "--[no-]user-dirs" to disable loading from $HOME/.lintian{rc,/} and /etc/lintian{rc,/}.
     + [NT] Error out early if a check cannot be loaded.
     + [NT] Make --suppress-tags{,--from-file} do something when used with --check-part and document that --tags causes the option to be ignored.
     + [NT] Accept the magic token "{VENDOR}" as a part of the value to --profile.
     + [NT] Add new command line option "--ignore-lintian-env" to make lintian ignore all environment variables starting with LINTIAN_.
     + [NT] Add new command line options --no-display-experimental and --default-display-level. These options can be used to override some display options from the config file. (Closes: #703985)
     + [NT] Also search for the lintianrc file in XDG_CONFIG_{HOME,DIRS}. The default paths are now ~/.config/lintian/lintianrc and /etc/xdg/lintian/lintianrc. The previous lintianrc paths are still accepted.
     + [NT] Stop looking for lintianrc files in the LINTIAN_ROOT.
     + [NT] Stop exporting LINTIAN_LAB to processes run by lintian.
     + [NT] Use of --root (or setting LINTIAN_ROOT) will now imply the option --no-user-dirs by default.
 .
   * lib/*:
     + [NT] Use "parent" instead of the "base" pragma.
   * lib/Lintian/Collect.pm:
     + [NT] Add "is_non_free" method to easily check if a given package appears to be non-free.
   * lib/Lintian/Collect/Binary.pm:
     + [NT] Re-instate the "TEXTREL" marker. This fixes a regression where shared-libs compiled without pic were not reported. Thanks to Dmitry Shachnev for the assistance in debugging this.
     + [NT] Recognise packages in section "metapackages" as a metapackage. Thanks to Axel Beckert for the report. (Closes: #698610)
   * lib/Lintian/Collect/Package.pm:
     + [NT] Ensure the "root" entry of indices does not contain itself. (Closes: #695866)
     + [NT] Add warning to unpacked and debfiles when they are given a path with leading slash or dot-slash.
     + [NT] When a check requests access to a raw file (or dir) in the package, ensure that the resulting path does not "escape" the top level directory. This should preemptively guard against some (but not all) traversal attempts.
   * lib/Lintian/Path.pm:
     + [NT] Document that link_resolved is not sufficient to test the "safeness" of a symlink.
   * lib/Lintian/Command/Simple.pm:
     + [NT] Use constant time lookup access instead of linear scan with "hashref" wait.
   * lib/Lintian/Lab.pm:
     + [NT] Add lab_query method to handle lab-queries directly.
     + [NT] Fix bitrot of repair_lab and rename it to repair for consistency.
   * lib/Lintian/Lab{,/Manifest}.pm:
     + [NT] Add support for grouping of manifests.
   * lib/Lintian/Lab/Manifest.pm:
     + [NT] Fix an error in visit_all when sufficient keys for an exact look up were given.
   * lib/Lintian/Processable.pm:
     + [NT] Fix issue where packages loaded from the lab indices would sometimes get a wrong source-version.
   * lib/Lintian/Relation/Version.pm:
     + [NT] Add and export "versions_comparator" that can be used for sorting purposes.
   * lib/Lintian/Tag/Info.pm:
     + [NT] Use "&" in the manpage ref URLs to generate proper HTML. Thanks to Vasudev Kamath for reporting the issue.
     + [NT] Produce a more helpful error message when a tag has an invalid severity or certainty. (Closes: #703978)
   * lib/Lintian/Tags.pm:
     + [NT] Deal with parsing an ambiguous override a bit better. This solves false-positive malformed-override, where Lintian misparsed the tag name as a package name. (Closes: #699628)
   * lib/Lintian/Util.pm:
     + [NT] Reject partially signed Deb822 files. Most Deb822 files are not signed at all; but those that are should be completely covered by a signature. (Closes: #696230)
     + [ADB] Fix a typo in the matching of expected delimiters for some signed messages; thanks Samuel Bronson.
     + [NT] Add sub to check if a path is contained within a given dir.
     + [NT] Fix bug in resolve_pkg_path that made it resolve some links incorrectly.
     + [NT] Document that resolve_pkg_path is not sufficient to test the "safeness" of a symlink.
 .
   * man/lintian.pod.in:
     + [NT] Document that --pedantic is the same as "-L +=pedantic". (Closes: #703989)
     + [NT] Fix typo of the "override" variable in the config example.
 .
   * private/refresh-locale-codes:
     + [JW,NT] Ignore the "zxx" locale code, which means "No linguistic content". (Closes: #692548)
 .
   * reporting/config:
     + [JP] Remove unused $GRAPH_DIR configuration option.
   * reporting/graphs/{statistics,tags}.gpi:
     + [JP] Tweak graph size to allow longer labels, and force font family.
   * reporting/harness:
     + [NT] Add --to-stdout option to emit log information to stdout as well as the log files.
     + [NT] Always schedule packages in groups. Otherwise, binNMU'ed binaries would not be tested together with their source package (and architecture independent packages).
     + [NT] Schedule groups in chunks (default 512 per chunk). This makes the Lintian processes shorter and makes memory reclaimable sooner. (Closes: #695839)
     + [NT] Remove "make-shift" lab-query support now that Lintian::Lab supports it.
   * reporting/html_reports:
     + [NT] Update xrefs to include source version.
     + [NT] Generate a text file suitable for Apache's RewriteMap to map source packages to the full report for that source. Thanks to Joerg "Gannef" Jasper for the suggestion to use RewriteMap. (Closes: #696960)
     + [JP] Fix version label glitches.
     + [JP] Use global $GRAPHS_RANGE_DAYS.
     + [JP] Pass graph variables to index and tag templates.
   * reporting/lintian.css:
     + [JP] Tweak graph alignment.
   * reporting/templates/{packages,maintainer,tag}.tmpl:
     + [NT] Properly handle multiple versions of the same source and add versioned anchors to them.
   * reporting/templates/{index,tag}.tmpl:
     + [JP] Include history graphs in HTML templates.
   * reporting/templates/tag.tmpl:
     + [NT] Fix "empty <ul>" tag when tag has no "extra" information. Thanks to Vasudev Kamath for reporting the issue.
Checksums-Sha1:
 ddf3c09ac3eef3279c01143e76fad1f179f3fbde 2744 lintian_2.5.12.dsc
 4a3406ccca10ba23370b1bdc6b289325492d55da 1214604 lintian_2.5.12.tar.gz
 53a0feb6f84d5e5aa8b45be10b2509806c5ba258 764638 lintian_2.5.12_all.deb
Checksums-Sha256:
 786a1a4514c8a164ece69e0993233a21239c4154a319769b78f12ca00f4a2e55 2744 lintian_2.5.12.dsc
 ff9e384c6ccca2d548f1a0556ff48a618a459202436ef272353e5f2f2e285a69 1214604 lintian_2.5.12.tar.gz
 5bbda1a37dff54fed6a147238ed01c4ed5f42cd35bb23f62f2bf2985d4491e9c 764638 lintian_2.5.12_all.deb
Files:
 5fb5f694a00e8f335221c67a9411e9e0 2744 devel optional lintian_2.5.12.dsc
 ebbe19d8d72bf1736ddf3c5589bf26d4 1214604 devel optional lintian_2.5.12.tar.gz
 3dfec91cac8da7b18bee9d901cd7f333 764638 devel optional lintian_2.5.12_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----