Debian Bug report logs -
#861958
lintian: insecure YAML validation [CVE-2017-8829]
Reported by: Jakub Wilk <jwilk@jwilk.net>
Date: Sat, 6 May 2017 13:33:01 UTC
Severity: grave
Tags: confirmed, security
Found in version lintian/2.5.41
Fixed in versions lintian/2.5.50.4, lintian/2.5.51
Done: Niels Thykier <niels@thykier.net>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, team@security.debian.org, check-all-the-things@packages.debian.org, dod@debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Sat, 06 May 2017 13:33:04 GMT) (full text, mbox, link).
Message #3 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: lintian
Version: 2.5.41
Tags: security
Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.
This module is happy to deserialize objects of any existing Perl class. For
Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory
trees. (There might be other exciting ways to exploit this bug, but I'm too
lazy to investigate further.)
I've attached proof-of-concept exploit:
$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory
--
Jakub Wilk
[badyaml_1.tar.xz (application/x-xz, attachment)]
[badyaml_1.dsc (text/plain, attachment)]
Severity set to 'grave' from 'normal'
Request was from Niels Thykier <niels@thykier.net>
to control@bugs.debian.org
.
(Sat, 06 May 2017 14:00:03 GMT) (full text, mbox, link).
Added tag(s) confirmed.
Request was from Niels Thykier <niels@thykier.net>
to control@bugs.debian.org
.
(Sat, 06 May 2017 17:27:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Sat, 06 May 2017 17:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominique Dumont <dod@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>
.
(Sat, 06 May 2017 17:33:04 GMT) (full text, mbox, link).
Message #12 received at 861958@bugs.debian.org (full text, mbox, reply):
On samedi 6 mai 2017 13:01:50 CEST you wrote:
> Lintian uses the YAML::XS module to validate YAML in
> debian/upstream/metadata.
Unless debian/upstream/metadata needs fancy YAML format (e.g. anchor alias
tags ...), the easiest way out it to use YAML::Tiny instead of YAML::XS. This
should be a drop-in replacement.
> This module is happy to deserialize objects of any existing Perl class. For
> Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> directory trees. (There might be other exciting ways to exploit this bug,
> but I'm too lazy to investigate further.)
I wonder if this behavior should be considered as a YAML bug...
All the best
--
https://github.com/dod38fr/config-model/ -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/ -o- irc: dod at irc.debian.org
Changed Bug title to 'lintian: insecure YAML validation [CVE-2017-8829]' from 'lintian: insecure YAML validation'.
Request was from Niels Thykier <niels@thykier.net>
to control@bugs.debian.org
.
(Mon, 08 May 2017 06:03:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Wed, 10 May 2017 17:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to dod@debian.org
:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>
.
(Wed, 10 May 2017 17:03:03 GMT) (full text, mbox, link).
Message #19 received at 861958@bugs.debian.org (full text, mbox, reply):
Ive logged a bug to upstream YAML parser library:
https://github.com/ingydotnet/yaml-pm/issues/176
HTH
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Wed, 10 May 2017 18:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Niels Thykier <niels@thykier.net>
:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>
.
(Wed, 10 May 2017 18:45:03 GMT) (full text, mbox, link).
Message #24 received at 861958@bugs.debian.org (full text, mbox, reply):
Dominique Dumont:
> Ive logged a bug to upstream YAML parser library:
>
> https://github.com/ingydotnet/yaml-pm/issues/176
>
> HTH
>
Thanks. :)
~Niels
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Thu, 11 May 2017 21:54:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>
.
(Thu, 11 May 2017 21:54:02 GMT) (full text, mbox, link).
Message #29 received at 861958@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
clone 861958 -1
reassign -1 libyaml-libyaml-perl
retitle -1 libyaml-libyaml-perl: Unconditionally instantiates objects from yaml data
thanks
Dominique Dumont wrote...
> On samedi 6 mai 2017 13:01:50 CEST you wrote:
> > This module is happy to deserialize objects of any existing Perl class. For
> > Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> > directory trees. (There might be other exciting ways to exploit this bug,
> > but I'm too lazy to investigate further.)
>
> I wonder if this behavior should be considered as a YAML bug...
At least I consider the unconditional instantiation of object a bug,
hence cloning.
As previously mentioned in debian-perl@, there is no easy solution,
assuming some code out there intentionally uses that feature, and in
a safe matter. If we choose to ignore that, at least for the time being,
we can disable the blessing entirely by dropping the three sv_bless
invocations in <LibYAML/perl_libyaml.c>. This makes the attached
reproducer pass.
Before releasing that change however, there should be an audit of all
the roughly 40 packages in Debian that use YAML::XS to avoid unintended
breakage. In the worst case, that simple approach isn't feasible and
the instantiation needs to be made configurable - something that
requires coordination with upstream[1] and/or other distributions.
We should discuss this during the sprint.
Christoph
[1] But see https://github.com/perl11/cperl/issues/198
[reprod (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Bug 861958 cloned as bug 862373
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org
.
(Thu, 11 May 2017 21:54:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>
:
Bug#861958
; Package lintian
.
(Sat, 13 May 2017 09:51:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>
.
(Sat, 13 May 2017 09:51:08 GMT) (full text, mbox, link).
Message #36 received at 861958@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
clone 861958 -1
reassign -1 libyaml-syck-perl
retitle -1 libyaml-syck-perl: Unconditionally instantiates objects from yaml data
thanks
This problem exists in libyaml-syck-perl as well. However, disabling
this feature will be easier since there's already a switch ("LoadBlessed").
Christoph
[reprod (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
Bug 861958 cloned as bug 862475
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org
.
(Sat, 13 May 2017 09:51:09 GMT) (full text, mbox, link).
Reply sent
to Niels Thykier <niels@thykier.net>
:
You have taken responsibility.
(Sat, 03 Jun 2017 17:06:05 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@jwilk.net>
:
Bug acknowledged by developer.
(Sat, 03 Jun 2017 17:06:05 GMT) (full text, mbox, link).
Message #43 received at 861958-close@bugs.debian.org (full text, mbox, reply):
Source: lintian
Source-Version: 2.5.50.4
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 03 Jun 2017 16:48:24 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.50.4
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
lintian - Debian package checker
Closes: 861958 863020
Changes:
lintian (2.5.50.4) unstable; urgency=medium
.
* checks/upstream-metadata.pm:
+ [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
parser executes code. (Closes: #861958, CVE-2017-8829)
.
* t/*:
+ [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
debian/files by default. This includes renaming a folder in the
the t/tests/legacy-filenames test. (Closes: #863020)
Checksums-Sha1:
7c95f75eae2606edcc148900fa6d2bb4d81ac855 2821 lintian_2.5.50.4.dsc
99dc935a10bff7ecd1207653486622e4b5e41b81 1233912 lintian_2.5.50.4.tar.xz
b2d03fa69a97248c122b53ebfd5d05eae887df13 17485 lintian_2.5.50.4_source.buildinfo
Checksums-Sha256:
cafb8a57727b33955f60d92818afba807fe83bd5244f7db10acdf3135182136f 2821 lintian_2.5.50.4.dsc
03c10567e3227088323575a4fcb8c271029edc3352d5fa61474f1716b69da1bb 1233912 lintian_2.5.50.4.tar.xz
c073b8ce11923eb59c570fcf82675235f06f89704eceb0b1d7034298e809ac41 17485 lintian_2.5.50.4_source.buildinfo
Files:
3d151786f8d7f24b441ee167dd3b9ecf 2821 devel optional lintian_2.5.50.4.dsc
76932cf1bb079f6461af002e6e27f234 1233912 devel optional lintian_2.5.50.4.tar.xz
f57f24dcbe539a010ff3a127e69bec24 17485 devel optional lintian_2.5.50.4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEsxMaRR2/33ygW0GXBUu7n32AZEIFAlky6YcACgkQBUu7n32A
ZEJ2iQ//aNy18Zf9RAcoT7g8VFkzwcCu83JPxwPtnii7FaE2Z80U2kEyINGDjd8s
3Fp4KLga3Zeq98TZ69BSXSSlCx2N2g3g5PndrQq4rgX4k8mih4G8SSIz7Ng5cRRi
qFwfRdaYZWIS1lluLYHzgsnczjbS/o7c8J38xyI0Z4K/BaLx2CTA/KvQxXFjFBvu
5R0C6+xfxyBaZsGgtBe8EM8QGvIJpp1QbL5ePHBf20l697cccHHXlDvM1ySlY/mn
VNL607TzzWTZMyPgnox2mx1Tv278QQUS9QVSdmz7Y4ZZn+BcRpDLjblQONCqiZAA
A1BgaI0uD7sua+u9iW1DLvclDZSyfaoDoI9pyPLcw3DrfZMjgn+2LxPNSfNrtKjz
9mBf+iUfTem8oEJ0jnoOEC1r8Eezd5IN1bkd5EwPdwqQXhEOR3/u2l79rMSAAAub
0wGInutMYkNj4sZuQs9ovGbkh9Bb9KjYvp9y3asfP2mOA7Pk6xLOOwBY4AJ9SZF2
GWrC0tV9w+EXSaWZvYa2K7L5cQFvRxWXlEECTxDUb5WdYbqsmE82vVaIHxHkWAvR
NQRE4Q/g1WDC/MoOT+o+p9n+8bSYxAo5Xt58P2/VViaMO7usqioxowMwjOYBPsdB
Oi7WSNha1OITAg0Uw4hE+G6DplV02GqlzN9o5158JTNCJf28EwM=
=HdsF
-----END PGP SIGNATURE-----
Reply sent
to Niels Thykier <niels@thykier.net>
:
You have taken responsibility.
(Sun, 18 Jun 2017 09:23:13 GMT) (full text, mbox, link).
Notification sent
to Jakub Wilk <jwilk@jwilk.net>
:
Bug acknowledged by developer.
(Sun, 18 Jun 2017 09:23:13 GMT) (full text, mbox, link).
Message #48 received at 861958-close@bugs.debian.org (full text, mbox, reply):
Source: lintian
Source-Version: 2.5.51
We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 18 Jun 2017 07:57:57 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.51
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
lintian - Debian package checker
Closes: 540294 633850 645455 695345 698723 814521 815233 829649 848878 849470 849880 851215 852005 852084 852145 852369 852404 852407 852409 852410 852411 852413 852414 852416 852419 852421 852426 852891 854132 855243 856155 856312 856857 856954 856975 857194 857654 857655 857656 858117 858326 859412 859467 860419 860558 861509 861599 861958 863020 863386
Changes:
lintian (2.5.51) unstable; urgency=medium
.
* Summary of tag changes:
+ Added:
- debian-control-has-dbgsym-package
- debian-control-has-obsolete-dbg-package
- debian-rules-parses-dpkg-parsechangelog
- desktop-entry-lacks-icon-entry
- distribution-and-changes-mismatch
- distribution-and-experimental-mismatch
- gir-in-arch-all-package
- gir-missing-typelib-dependency
- gir-section-not-libdevel
- multiarch-foreign-shared-library
- r-data-without-readme-source
- readme-source-is-dh_make-template
- repeated-trigger-name
- systemd-service-file-refers-to-obsolete-bindto
- testsuite-autopkgtest-missing
- typelib-in-arch-all-package
- typelib-missing-gir-depends
- typelib-not-in-multiarch-directory
- typelib-package-name-does-not-match
- typelib-section-not-introspection
- unknown-trigger
- unreleased-changes
- uses-implicit-await-trigger
+ Removed:
- ancient-autotools-helper-file
- init.d-script-missing-dependency-on-remote_fs
- maintainer-script-should-not-use-ancient-dpkg-epoch-check
- maintainer-script-should-not-use-ancient-dpkg-multi-conrep-check
- outdated-autotools-helper-file
- package-would-benefit-from-build-arch-targets
- suidregister-used-in-maintainer-script
.
* checks/binaries.{desc,pm}:
+ [NT] Apply patch from Adrian Bunk to bump severity of the
hardening-no-pie to a W-tag and improve the tag description.
(Closes: #856155)
+ [NT] Apply patches from Michael Stapelberg to improve handling
of golang binaries. (Closes: #857654, #857655, #857656)
* checks/changelog-file.pm:
+ [BR] Check also bug over 1000000 as improbable. Bug below
50004 are not archived and are thus improbable.
* checks/changes-file.{desc,pm}:
+ [BR] Apply patch by Simon McVittie to detect unreleased package
uploaded to unstable and mismatched .changes and
Changes: distribution. (Closes: #540294).
* checks/control.{desc,pm}:
+ [BR] Detect dbgsym package in control file. (Closes: #858117).
+ [BR] Warn about obsolete -dbg package.
* checks/cruft.{desc,pm}:
+ [BR] Document long line tagged source-is-missing as a feature
not a bug. (Closes: #849470).
+ [BR] Correct a typo in description of tag
license-problem-convert-utf-code.
+ [BR] Avoid a false positive in gfdl file detection.
+ [NT] Drop tags about outdated autotools config.guess and
config.sub files. These days debhelper automatically updates
them when people use the dh-sequencer and the check is not
geared for more thorough analysis. (Closes: #848878)
+ [CL] Check that README.source is not the dh_make template.
(Closes: #633850)
* checks/debian-readme.{desc,pm}:
+ [NT] Locate the README.Debian using the index rather than relying
on a collection.
* checks/fields.pm:
+ [BR] Enforce naming convention for debug package. (Closes: #645455).
+ [NT] Avoid proposing "/git/git/" as a part of the canonical URL for
anonscm.debian.org. Thanks to Andreas Beckmann for spotting the
bug. (Closes: #851215)
+ [NT] Apply patch from Dylan Aïssi to recommend "javascript" section
for libjs packages. Previously, lintian would recommend "web".
(Closes: #863386)
* checks/files.pm:
+ [BR] Do not report duplicates for package-installs-apt-preferences
and package-installs-apt-sources. (Closes: #814521).
+ [NT] Apply patch from Helmut Grohne to detect some possible invalid
uses of "Multi-Arch: foreign". (Closes: #856975)
+ [NT] Improve the empty-binary-package tag by adding more common
files that should be ignored. Thanks to Helmut Grohne for all the
research behind it. (Closes: #856857)
+ [BR] Detect symlink pointing to builddir. (Closes: #860419)
+ [CL] Detect RData without README.source. (Closes: #815233)
+ [NT] Remove work around for segmentation faults in t1disasm from
t1utils (<< 1.38-4~). Given Jessie is the minimum supported Debian
version, we can now assume t1utils to be (>= 1.38-4).
* checks/gir.{desc,pm}:
+ [NT] Add check for gir packages written by Simon McVittie.
(Closes: #695345)
* checks/init.d.{desc,pm}:
+ [NT] Remove check for init.d scripts accessing /usr without a
$remote_fs dependency as /usr must now be mounted by the initramfs.
(Closes: #829649)
* checks/menu-format.{desc,pm}:
+ [NT] Update the reference to Desktop Entry Specification to point
to version 1.1.
+ [NT] Apply patch from Laurent Bigonville to check desktop files
for missing "Icon" field. (Closes: #854132)
* checks/rules.{desc,pm}:
+ [NT] Drop "package-would-benefit-from-build-arch-targets". The
dpkg-buildpackage refuses to build packages that trigger this tag.
Also, the tag implies two other "W" tags so contributors are still
notified of a potential problem.
+ [CL] Check for manual parsing of dpkg-parsechangelog output now that
we have /usr/share/dpkg/pkg-info.mk.
* checks/scripts.{desc,pm}:
+ [NT] Apply patch from Christopher Hoskin to except -doc packages
from the "new-package-should-not-package-python2-module" tag.
(Closes: #855243)
+ [NT] Remove references to tags about calling suidregister,
dpkg --assert-working-epoch, and dpkg --assert-multi-conrep from
maintainer scripts.
* checks/systemd.{desc,pm}:
+ [NT] Apply patch from Michael Biebl to warn about deprecated
"BindTo" option in systemd service files. (Closes: #857194)
* checks/testsuite.{desc,pm}:
+ [NT] Apply patch from Lucas Kanashiro to add a tag for recommending
packagers to create an autopkgtest for their package.
(Closes: #859467)
+ [NT] Fix false-positive "missing-runtime-test-file" when the
"Tests-Directory" field is set to a single dot. Thanks to
Ian Jackson for reporting the issue. (Closes: #849880)
* checks/triggers.{desc,pm}:
+ [NT] New check. (Closes: #698723)
* checks/upstream-metadata.pm:
+ [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
parser executes code. (Closes: #861958, CVE-2017-8829)
* checks/watch-file.pm:
+ [NT] Apply patch from Alexander Kulak to handle whitespace correctly
in the options in v4 watch files. (Closes: #861599)
.
* coll/debian-readme{,desc}:
+ [NT] Remove. Merge what little functionality it offers into the
debian-readme check.
.
* commands/{lintian => lintian.pm}:
+ [NT] Turn the lintian frontend into a dplint command module to avoid
code duplication.
* commands/reporting-*:
+ [NT] Rewrite the config file handling. The reporting framework now
uses a YAML configuration file instead of a perl script.
+ [NT] Support processing packages from multiple archives and different
suites in these archives. This enables lintian.d.o to also process
dbgsym packages. (Closes: #856312)
.
* data/changes-file/known-dists:
+ [NT] Add buster and remove squeeze.
* data/common/source-fields:
+ [NT] Add new "Testsuite-Restrictions" field.
* data/files/privacy-breaker-websites:
+ [BR] Add digit.com as tracker.
+ [BR] Add static.ak.fbcdn.net as facebook.
+ [BR] Add forkme as logo.
* data/files/standard-files:
+ [NT] Add more common files based on feedback from Helmut Grohne.
* data/obsolete-sites/obsolete-sites:
+ [BR] Apply patch from Hideki Yamane in order to warn about
fedorahosted. (Closes: #856954).
+ [NT] Apply patch from Hideki Yamane to warn about codeplex.com
closing down. (Closes: #859412).
* data/scripts/interpreters:
+ [NT] Add stap as a known interpreter. Thanks to gustavo panizzo
for the suggestion. (Closes: #858326)
* data/scripts/maintainer-script-bad-command:
+ [NT] Remove check for suidregister, dpkg --assert-working-epoch, and
dpkg --assert-multi-conrep. None of these trigger any tags in the
archive any longer and the (new) features have been available for
8+ years.
* data/spelling/corrections:
+ [NT] Apply patches from Edward Betts to fix bugs in the correction
word lists. (Closes: #852005, #852084)
+ [NT] Apply patch from Edward Betts to remove corrections for
"targetted" and "targetting" as they are valid alternative
spellings in AU. (Closes: #852145)
+ [EB] Add some more spelling corrections. (Closes: #852369, #852404,
#852407, #852409, #852410, #852411, #852413, #852414, #852416,
#852419, #852421, #852426)
+ [CL] Add "none were" -> "none was" multiword spelling correction.
(Closes: 860558)
* data/standards-version/release-dates:
+ [NT] Add 4.0.0 as a known standards version along with its release
date.
.
* debian/control:
+ [NT] Add explicit (Build-)Depends on dpkg (>= 1.17.14) to make it
explicit that we no longer support Wheezy or older.
+ [NT] Drop versioned dependencies that are there to assist to
Wheezy.
+ [NT] Mention Debian Policy v4.0.0 in the description.
+ [NT] Bump Standards-Version to 4.0.0 - no changes required.
* debian/copyright:
+ [EB] Add Edward Betts.
.
* frontend/dplint:
+ [NT] Ensure all include directories are absolute before passing
them on to the actual command.
+ [NT] Work around a "Bizarre Copy" bug in perl that could trigger
on errors.
.
* lib/Lintian/CheckScript.pm:
+ [NT] Remove fallback code for "old" style "pm"-less checks.
* lib/Lintian/Util.pm:
+ [NT] Drop dpkg_deb_has_ctrl_tarfile. Lintian now assumes that
dpkg 1.17.14 is available (provided by Debian jessie or later).
.
* reporting/{config => config.yaml}:
+ [NT] Rewrite the reporting config template into the new YAML format.
* reporting/graphs/tags.gpi:
+ [NT] Tweak tags.gpi so it works with gnuplot 5.
* reporting/templates/{index.tmpl,lintian.css.tmpl}:
+ [NT] Update to support multiple archives.
.
* t/*:
+ [NT] Drop "Test-Depends" from tests where the versions in Debian
jessie will satisfy the dependency.
+ [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
debian/files by default. (Closes: #863020)
* t/runtests:
+ [NT] Re-sort test output after running the "post_test" sed script
on the output. This prevent test failures caused by the order
changing on different architectures prior to the sed script is run
(assuming the sed script otherwise normalises the differences
correctly).
* t/tests/cruft-general-upstream/pre_upstream:
+ [EB] Fix failing tests by making the fake flash object more
convincing. The most recent version of libmagic uses a more precise
definition of the data within a flash file. (Closes: #852891)
* t/tests/java-jars:
+ [NT] Provide a more convincing corrupt .zip file that also fools
file 5.30.
.
* vendors/ubuntu/main/data/changes-file/known-dists:
+ [CW] Add zesty.
+ [NT] Apply patch from "Unit 193" to add "devel" as a known Ubuntu
distribution. (Closes: #861509)
+ [NT] Add artful.
Checksums-Sha1:
9958814b241b14a8c8bfde5a8648e55e61ffc87a 2798 lintian_2.5.51.dsc
1124965ea2017a7527fbe20c9c40f4162a835347 1223124 lintian_2.5.51.tar.xz
5c2c6f419d1bb54e3ee3a69f22b0623bafa917d1 17473 lintian_2.5.51_source.buildinfo
Checksums-Sha256:
f03ef8831439f33a38e8bb495653075e996485f4f66a1fcf25e00ff06dfdd783 2798 lintian_2.5.51.dsc
608747cf4c7277673b02e1ea0964234f3e46e80bcc43fa7d39427fd49946dd77 1223124 lintian_2.5.51.tar.xz
9db4c5037eae541fbf23e95333292c698643a7895b0e1d8bf2cadcaff3db7281 17473 lintian_2.5.51_source.buildinfo
Files:
2516131ac63f745a7e2ce279419f6dc0 2798 devel optional lintian_2.5.51.dsc
de06a374f50bcd6441e7995b1bcc7f21 1223124 devel optional lintian_2.5.51.tar.xz
379b2de6ac61b0b09312264efcfd0964 17473 devel optional lintian_2.5.51_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEsxMaRR2/33ygW0GXBUu7n32AZEIFAllGOxcACgkQBUu7n32A
ZEIwUxAAoGn6TvnVNYgzUQ589TpO9aCDVDJ3AHcbsua/l/fH8b0KBvwa/VV6j6Ua
YTSxHVsEfTskG4hbQmUsny0hRXU2jDAWi3PCRE8UHRuVYqGeXGmLF85+bGetpO8d
Z6IgU2i8QnN+JwL1W/sUdLjnguw726A3KhufquK+p9p18/em17CaRSlv0ZM68Km2
izZqkDJZ0n668NXmfxbqiQJSqaV39AnS2cXmLLPhDE9KSlMx5axJln3oADXSaGdS
G6arHbYlNzCKFVnM7C/WbE8i6ql+45Aqta4byeOr/aUZoQcGwgnHn2SfTrCpRhEL
S9wMmFDsgpcDn4Rpq9OrzUk+O+MV91azffAEf0rWFrUzUUKGkt7VLWos+Xhxu3rK
pnF2rU4mWpCPVJOwvXysKsW51qQvU+XimBLAKAesZne9SsYeVjyEg3t2FP6iiqVX
glvToxyNYJZZtdeWsE6wocNfn3nP/1nfL6RlKUsnLb9qfYXONJwP4PusdSebfwfb
+MQbkEiqyZI6CT62nJ2rYIF+K4HuGMfv/lyVzfy7pQ1CEufpGDJj4h8ECjEoG2sW
H7Uy4625iZeW6hvdCBtwKVsaZZaEqOHF277wJvGjis2D1h6ej6Lo6zbRG8kc0T50
xHUHuNs4XfnLjQy8858h+KIjpWek5s3Nfx3ahZWqlyQYvB2WJN4=
=ty20
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 17 Jul 2017 07:31:50 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:45:35 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.