Package: lintian
Version: 2.5.12
Severity: important
File: lib/Lintian/Util.pm
User: ans...@debian.org
Usertags: gpg-clearsign

Hi!

The current parsing code in visit_dpkg_paragraph() does not correctly parse Armor Header Lines (as per RFC4880), which can make it get very confused on hostile files, like external .dsc or .changes.

An example bogus file is attached; other variants are possible by changing the structure of the bogus markers and their content. Compare lintian output with what gpg outputs with:

  $ touch something_2.5.11.tar.gz
  $ lintian -ciI bogus.dsc
  dpkg-source: error: unrecognized file for a native source package: something_2.5.11.tar.gz
  internal error: dpkg-source -x failed with status 2 at /usr/share/perl5/Lintian/Util.pm line 846.
  warning: collect info unpacked about package bogus failed
  warning: skipping check of source package bogus
  $ gpg -o - bogus.dsc
  [...]

Ansgar has been filing this kind of bug, and pointed to #695855.

Thanks,
Guillem

-----BEGIN PGP SIGNED MESSAGE
Format: 3.0 (native)
Source: bogus
Binary: bogus
Architecture: all
Version: 2.5.11
Maintainer: Someone Else <some...@example.org>
Standards-Version: 3.9.4
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 something_2.5.11.tar.gz
-----BEGIN PGP SIGNATURE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (native)
Source: lintian
Binary: lintian
Architecture: all
Version: 2.5.11
Maintainer: Debian Lintian Maintainers <lintian-ma...@debian.org>
Uploaders: Josip Rodin <joy-packa...@debian.org>, Colin Watson <cjwat...@debian.org>, Russ Allbery <r...@debian.org>, Adam D. Barratt <a...@adam-barratt.org.uk>, Raphael Geissert <geiss...@debian.org>, Niels Thykier <ni...@thykier.net>
Standards-Version: 3.9.4
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=lintian/lintian.git
Vcs-Git: git://anonscm.debian.org/lintian/lintian.git
Build-Depends: binutils, bzip2, cdbs, debhelper (>= 9), default-jdk, diffstat, docbook-utils, docbook-xml, dpkg-dev (>= 1.16.1~), fakeroot, file, gettext, hardening-includes (>= 2.0), intltool-debian, javahelper (>= 0.32~), libapt-pkg-perl, libarchive-zip-perl, libc-bin (>= 2.13) | locales, libclass-accessor-perl, libclone-perl, libdpkg-perl, libdigest-sha-perl, libemail-valid-perl, libhtml-parser-perl, libipc-run-perl, libparse-debianchangelog-perl, libtest-minimumversion-perl, libtest-pod-coverage-perl, libtest-pod-perl, libtest-strict-perl, libtest-synopsis-perl, libtext-levenshtein-perl, libtext-template-perl, libtimedate-perl, liburi-perl, man-db, patchutils, perl, perl (>= 5.12) | libtest-simple-perl (>= 0.93), python, python-all-dev, python-numpy, quilt, rsync, t1utils, unzip, xz-utils, xz-utils (>= 5.1.1alpha+20120614) | xz-lzma | lzma, zip
Package-List:
 lintian deb devel optional
Checksums-Sha1:
 c83143fc76461efbdfd687ea63964c650de9511e 1140318 lintian_2.5.11.tar.gz
Checksums-Sha256:
 91f96295eac39c4711a1e53715f9c4324539665ef8aa4c1500af5ba5efd39cd5 1140318 lintian_2.5.11.tar.gz
Files:
 90000a9fc6b5a7061f63154a946f9b79 1140318 lintian_2.5.11.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQx6VFAAoJEAVLu599gGRC4RoQAKfu7Aex+SQaKEGa7XAYWAdn
jySebBskYgZZP8udnU+xl3MgfErHkgTX6mAgDocJCbDeK5MQtTz/jYudrEAthYFm
JeZxR28VdP9RXFcuAo0jq3Qiv8x55rnHtUiX0ke/ObINckD24qwVMQdnKPRXo4b/
Uyo5zvd13zmJvl3OYqu747mH7MYNSU3m6Wt9CbOpz/V6tSWEZb2PblN+cFj9PIxY
iJRfGvb5c9Cb8/6vMxiuInP5+3asid8o/fdto3MLUOYJzrdCcw5bRj+wxdcDFnNQ
BZdBbGARg9mMG5K+zZjbuQRC2PmeTm4Qgc/4vTdBeBHyaOYCVMCc5xro/9my10IN
1cmMWUS7YGLBwJf03yhjO26GTVftdUpByxyRFOy3+YCy1WBHX45e9msUdrayWjRu
68rCIRtlBCzwQZ+GN2ZjzjgLwzWxq0nZHEb2TUS8/IId5ECOs3D7zsyrBqkr2WNm
bethycpo3hlsjw9iAMM9IQwQqKPVmoJV6b/1UPpMh2ErMo+sVMlErtUai8r0VcZA
i79gqF6TlIRlgoPmEHq1RIM3RItcp1Nhmg0cJ/NAMe6+euQfLmv5ilbF0lA80WQw
wZzL5VfZzX0SsYufvHiyanEJWRN8lttKSldxaMRNLPXlRZQrFwFN7azw7ThRk/JA
x2MBOVbBpM428SMVf7zu
=1UmQ
-----END PGP SIGNATURE-----
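
Added example, not part of the original report and not lintian's or dpkg's code: a strict locator for the cleartext-signed region that accepts only exact RFC 4880 armor header lines, so truncated markers like those in the attached file are treated as unsigned text. The name signed_payload, the sample input and the tolerance for trailing blanks are assumptions; the function only locates the region, and signature validity still has to come from gpg.

```python
import re

# Armor header lines per RFC 4880 section 6.2: five dashes on each side, alone
# on the line. Tolerating trailing blanks is an assumption of this sketch.
BEGIN_MSG = re.compile(r"-----BEGIN PGP SIGNED MESSAGE-----[ \t]*")
BEGIN_SIG = re.compile(r"-----BEGIN PGP SIGNATURE-----[ \t]*")
END_SIG = re.compile(r"-----END PGP SIGNATURE-----[ \t]*")

def signed_payload(text):
    """Return lines of the one cleartext-signed region (unverified), else None."""
    state, payload = "outside", []
    for line in text.splitlines():
        if state in ("outside", "done"):
            if BEGIN_MSG.fullmatch(line):
                if state == "done":
                    return None           # second signed region: ambiguous
                state = "headers"
        elif state == "headers":
            if line == "":
                state = "payload"         # the single empty separator line
            elif not line.startswith("Hash: "):
                return None               # only Hash armor headers expected
        elif state == "payload":
            if BEGIN_SIG.fullmatch(line):
                state = "signature"
            elif line.startswith("- "):
                payload.append(line[2:])  # undo dash-escaping (section 7.1)
            elif line.startswith("-"):
                return None               # unescaped dash line: malformed
            else:
                payload.append(line)
        elif state == "signature" and END_SIG.fullmatch(line):
            state = "done"
    return payload if state == "done" else None

# Constructed sample modelled on the attached bogus.dsc (placeholder signature).
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE
Source: bogus
-----BEGIN PGP SIGNATURE
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Source: lintian
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER
-----END PGP SIGNATURE-----
"""
print(signed_payload(SAMPLE))  # ['Source: lintian']
```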