On 2011-08-11 19:51, Adam D. Barratt wrote:
> tag 637384 + squeeze
> thanks
>
> On Wed, 2011-08-10 at 21:04 +0200, Niels Thykier wrote:
>> I would like permission to backport the following security
>> related patch to Lintian in stable. The security team has
>> already told me that they were not interested in a security
>> upload.
>
> I'm not surprised tbh, assuming that the issue indeed only allows file
> existence testing, rather than content retrieval.
>
As far as I can tell, there is no way to exploit the particular checks here to do content retrieval.

Slightly off-topic: I believe one of the checks in sid/testing could be used to tell if a file contained a "non-comment" line, but I guess that is as exciting as it gets this time. :)

>> +lintian (2.4.3+squeeze1) stable; urgency=low
>> +
>> + * checks/debian-source-dir:
>> + + [NT] Fixed information disclosure issue, where Lintian could
>> + be tricked into disclosing the present of files on the host
>
> As per other people's IRC poking - and the patch header :-) -
> s/present/presence/.
>
>> + system via specially crafted source packages.
> [...]

Fixed this one :)

>> +So far as it is copyrightable at all, this test case is
>> + Copyright © 2009 Russ Allbery <r...@debian.org>
>> + Copyright © 2009 Adam D. Barratt <a...@adam-barratt.org.uk>
>
> Hmmm, interesting...
>

Copy/waste from another test... I can fix it if you insist, but most of the tests in 2.4.3..2.5.1 suffer from the same issue. There is a reason that I added skeletons for most of the test suites in 2.5.2. :P

> Regards,
>
> Adam
>

~Niels

Archive: http://lists.debian.org/4e44dfa5.8070...@thykier.net