lintian: insecure YAML validation [CVE-2017-8829]

Related Vulnerabilities: CVE-2017-8829  

Debian Bug report logs - #861958


Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Sat, 6 May 2017 13:33:01 UTC

Severity: grave

Tags: confirmed, security

Found in version lintian/2.5.41

Fixed in versions lintian/2.5.50.4, lintian/2.5.51

Done: Niels Thykier <niels@thykier.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, team@security.debian.org, check-all-the-things@packages.debian.org, dod@debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Sat, 06 May 2017 13:33:04 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lintian: insecure YAML validation
Date: Sat, 6 May 2017 13:01:50 +0200
[Message part 1 (text/plain, inline)]
Package: lintian
Version: 2.5.41
Tags: security

Lintian uses the YAML::XS module to validate YAML in debian/upstream/metadata.
This module is happy to deserialize objects of any existing Perl class. For 
Lintian, the File::Temp::Dir class can be abused to remove arbitrary directory 
trees. (There might be other exciting ways to exploit this bug, but I'm too 
lazy to investigate further.)

I've attached a proof-of-concept exploit:

$ mkdir /tmp/moo
$ ls -d /tmp/moo
/tmp/moo
$ lintian -C upstream-metadata badyaml_1.dsc
$ ls -d /tmp/moo
/bin/ls: cannot access '/tmp/moo': No such file or directory

-- 
Jakub Wilk
[badyaml_1.tar.xz (application/x-xz, attachment)]
[badyaml_1.dsc (text/plain, attachment)]

Severity set to 'grave' from 'normal' Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 06 May 2017 14:00:03 GMT).


Added tag(s) confirmed. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 06 May 2017 17:27:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Sat, 06 May 2017 17:33:04 GMT).


Acknowledgement sent to Dominique Dumont <dod@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 06 May 2017 17:33:04 GMT).


Message #12 received at 861958@bugs.debian.org:

From: Dominique Dumont <dod@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 861958@bugs.debian.org
Subject: Re: Bug#861958: lintian: insecure YAML validation
Date: Sat, 06 May 2017 19:29:46 +0200
On samedi 6 mai 2017 13:01:50 CEST you wrote:
> Lintian uses the YAML::XS module to validate YAML in
> debian/upstream/metadata.

Unless debian/upstream/metadata needs fancy YAML format (e.g. anchor alias
tags ...), the easiest way out is to use YAML::Tiny instead of YAML::XS. This
should be a drop-in replacement.

> This module is happy to deserialize objects of any existing Perl class. For
> Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> directory trees. (There might be other exciting ways to exploit this bug,
> but I'm too lazy to investigate further.)

I wonder if this behavior should be considered as a YAML bug...

All the best
-- 
https://github.com/dod38fr/config-model/ -o- http://search.cpan.org/~ddumont/
    http://ddumont.wordpress.com/        -o-   irc: dod at irc.debian.org




Changed Bug title to 'lintian: insecure YAML validation [CVE-2017-8829]' from 'lintian: insecure YAML validation'. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Mon, 08 May 2017 06:03:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Wed, 10 May 2017 17:03:03 GMT).


Acknowledgement sent to dod@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 10 May 2017 17:03:03 GMT).


Message #19 received at 861958@bugs.debian.org:

From: Dominique Dumont <dod@debian.org>
To: 861958@bugs.debian.org
Subject: Re: lintian: insecure YAML validation [CVE-2017-8829]
Date: Wed, 10 May 2017 19:00:53 +0200
I've logged a bug to upstream YAML parser library:

https://github.com/ingydotnet/yaml-pm/issues/176

HTH




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Wed, 10 May 2017 18:45:03 GMT).


Acknowledgement sent to Niels Thykier <niels@thykier.net>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Wed, 10 May 2017 18:45:03 GMT).


Message #24 received at 861958@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: dod@debian.org, 861958@bugs.debian.org
Subject: Re: Bug#861958: lintian: insecure YAML validation [CVE-2017-8829]
Date: Wed, 10 May 2017 18:41:00 +0000
Dominique Dumont:
> I've logged a bug to upstream YAML parser library:
> 
> https://github.com/ingydotnet/yaml-pm/issues/176
> 
> HTH
> 

Thanks. :)

~Niels





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Thu, 11 May 2017 21:54:02 GMT).


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Thu, 11 May 2017 21:54:02 GMT).


Message #29 received at 861958@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Dominique Dumont <dod@debian.org>
Cc: 861958@bugs.debian.org
Subject: Re: Bug#861958: lintian: insecure YAML validation
Date: Thu, 11 May 2017 23:51:25 +0200
[Message part 1 (text/plain, inline)]
clone 861958 -1
reassign -1 libyaml-libyaml-perl
retitle -1 libyaml-libyaml-perl: Unconditionally instantiates objects from yaml data
thanks

Dominique Dumont wrote...

> On samedi 6 mai 2017 13:01:50 CEST you wrote:

> > This module is happy to deserialize objects of any existing Perl class. For
> > Lintian, the File::Temp::Dir class can be abused to remove arbitrary
> > directory trees. (There might be other exciting ways to exploit this bug,
> > but I'm too lazy to investigate further.)
> 
> I wonder if this behavior should be considered as a YAML bug...

At least I consider the unconditional instantiation of objects a bug,
hence cloning.

As previously mentioned in debian-perl@, there is no easy solution,
assuming some code out there intentionally uses that feature, and in
a safe manner. If we choose to ignore that, at least for the time being,
we can disable the blessing entirely by dropping the three sv_bless
invocations in <LibYAML/perl_libyaml.c>. This makes the attached
reproducer pass.

Before releasing that change however, there should be an audit of all
the roughly 40 packages in Debian that use YAML::XS to avoid unintended
breakage. In the worst case, that simple approach isn't feasible and
the instantiation needs to be made configurable - something that
requires coordination with upstream[1] and/or other distributions.

We should discuss this during the sprint.

    Christoph

[1] But see https://github.com/perl11/cperl/issues/198
[reprod (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug 861958 cloned as bug 862373 Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Thu, 11 May 2017 21:54:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Lintian Maintainers <lintian-maint@debian.org>:
Bug#861958; Package lintian. (Sat, 13 May 2017 09:51:08 GMT).


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian Lintian Maintainers <lintian-maint@debian.org>. (Sat, 13 May 2017 09:51:08 GMT).


Message #36 received at 861958@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: 861958@bugs.debian.org
Subject: Re: Bug#861958: lintian: insecure YAML validation
Date: Sat, 13 May 2017 11:49:04 +0200
[Message part 1 (text/plain, inline)]
clone 861958 -1
reassign -1 libyaml-syck-perl
retitle -1 libyaml-syck-perl: Unconditionally instantiates objects from yaml data
thanks

This problem exists in libyaml-syck-perl as well. However, disabling
this feature will be easier since there's already a switch ("LoadBlessed").

    Christoph
[reprod (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
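
Added example, not part of the bug log and not lintian or YAML::XS code: the object instantiation discussed in the messages above, shown with a harmless class, next to a loader switch of the kind mentioned for libyaml-syck-perl. It assumes a YAML::XS release that provides the `$YAML::XS::LoadBlessed` variable; `Demo::Tracked`, `load_and_report` and the sample document are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: compares YAML::XS loading with and without object blessing.
# Demo::Tracked and the YAML document are constructed for this illustration.
use strict;
use warnings;
use YAML::XS ();

# Harmless stand-in for a class whose destructor has side effects.
# It only records that DESTROY ran; nothing on disk is touched.
package Demo::Tracked {
    our @destroyed;

    sub DESTROY {
        my ($self) = @_;
        push @destroyed, $self->{name} // '(unnamed)';
    }
}

package main;

# Constructed metadata-like document. The tag on "Helper" asks the loader
# to bless the mapping into Demo::Tracked.
my $doc = <<'YAML';
---
Name: example
Helper: !!perl/hash:Demo::Tracked
  name: from-yaml
YAML

# Load $doc with blessing enabled or disabled. Returns the class of the
# tagged node and how many destructors ran once the data was dropped.
sub load_and_report {
    my ($load_blessed) = @_;

    # Assumption: this YAML::XS release honours $YAML::XS::LoadBlessed.
    local $YAML::XS::LoadBlessed = $load_blessed;
    @Demo::Tracked::destroyed = ();

    my $data  = YAML::XS::Load($doc);
    my $class = ref $data->{Helper};
    undef $data;    # last reference gone: any DESTROY fires here

    return ($class, scalar @Demo::Tracked::destroyed);
}

for my $mode (1, 0) {
    my ($class, $destructors) = load_and_report($mode);
    printf "LoadBlessed=%d  Helper is %-13s  destructors run: %d\n",
        $mode, $class, $destructors;
}
```

With blessing enabled, the tagged mapping becomes an object of the class named in the file and its destructor runs when the parsed data goes out of scope; with blessing disabled, the same input loads as a plain hash and no class code runs.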

Bug 861958 cloned as bug 862475 Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Sat, 13 May 2017 09:51:09 GMT).


Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sat, 03 Jun 2017 17:06:05 GMT).


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Sat, 03 Jun 2017 17:06:05 GMT).


Message #43 received at 861958-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 861958-close@bugs.debian.org
Subject: Bug#861958: fixed in lintian 2.5.50.4
Date: Sat, 03 Jun 2017 17:04:11 +0000
Source: lintian
Source-Version: 2.5.50.4

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 03 Jun 2017 16:48:24 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.50.4
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian    - Debian package checker
Closes: 861958 863020
Changes:
 lintian (2.5.50.4) unstable; urgency=medium
 .
   * checks/upstream-metadata.pm:
     + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
       parser executes code.  (Closes: #861958, CVE-2017-8829)
 .
   * t/*:
     + [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
       debian/files by default.  This includes renaming a folder in the
       t/tests/legacy-filenames test.  (Closes: #863020)




Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sun, 18 Jun 2017 09:23:13 GMT).


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Sun, 18 Jun 2017 09:23:13 GMT).


Message #48 received at 861958-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 861958-close@bugs.debian.org
Subject: Bug#861958: fixed in lintian 2.5.51
Date: Sun, 18 Jun 2017 09:18:53 +0000
Source: lintian
Source-Version: 2.5.51

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 18 Jun 2017 07:57:57 +0000
Source: lintian
Binary: lintian
Architecture: source
Version: 2.5.51
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 lintian    - Debian package checker
Closes: 540294 633850 645455 695345 698723 814521 815233 829649 848878 849470 849880 851215 852005 852084 852145 852369 852404 852407 852409 852410 852411 852413 852414 852416 852419 852421 852426 852891 854132 855243 856155 856312 856857 856954 856975 857194 857654 857655 857656 858117 858326 859412 859467 860419 860558 861509 861599 861958 863020 863386
Changes:
 lintian (2.5.51) unstable; urgency=medium
 .
   * Summary of tag changes:
     + Added:
       - debian-control-has-dbgsym-package
       - debian-control-has-obsolete-dbg-package
       - debian-rules-parses-dpkg-parsechangelog
       - desktop-entry-lacks-icon-entry
       - distribution-and-changes-mismatch
       - distribution-and-experimental-mismatch
       - gir-in-arch-all-package
       - gir-missing-typelib-dependency
       - gir-section-not-libdevel
       - multiarch-foreign-shared-library
       - r-data-without-readme-source
       - readme-source-is-dh_make-template
       - repeated-trigger-name
       - systemd-service-file-refers-to-obsolete-bindto
       - testsuite-autopkgtest-missing
       - typelib-in-arch-all-package
       - typelib-missing-gir-depends
       - typelib-not-in-multiarch-directory
       - typelib-package-name-does-not-match
       - typelib-section-not-introspection
       - unknown-trigger
       - unreleased-changes
       - uses-implicit-await-trigger
     + Removed:
       - ancient-autotools-helper-file
       - init.d-script-missing-dependency-on-remote_fs
       - maintainer-script-should-not-use-ancient-dpkg-epoch-check
       - maintainer-script-should-not-use-ancient-dpkg-multi-conrep-check
       - outdated-autotools-helper-file
       - package-would-benefit-from-build-arch-targets
       - suidregister-used-in-maintainer-script
 .
   * checks/binaries.{desc,pm}:
     + [NT] Apply patch from Adrian Bunk to bump severity of the
       hardening-no-pie to a W-tag and improve the tag description.
       (Closes: #856155)
     + [NT] Apply patches from Michael Stapelberg to improve handling
       of golang binaries.  (Closes: #857654, #857655, #857656)
   * checks/changelog-file.pm:
     + [BR] Check also bug over 1000000 as improbable. Bug below
       50004 are not archived and are thus improbable.
   * checks/changes-file.{desc,pm}:
     + [BR] Apply patch by Simon McVittie to detect unreleased package
       uploaded to unstable and  mismatched .changes and
       Changes: distribution.  (Closes: #540294).
   * checks/control.{desc,pm}:
     + [BR] Detect dbgsym package in control file.  (Closes: #858117).
     + [BR] Warn about obsolete -dbg package.
   * checks/cruft.{desc,pm}:
     + [BR] Document long line tagged source-is-missing as a feature
       not a bug.  (Closes: #849470).
     + [BR] Correct a typo in description of tag
       license-problem-convert-utf-code.
     + [BR] Avoid a false positive in gfdl file detection.
     + [NT] Drop tags about outdated autotools config.guess and
       config.sub files.  These days debhelper automatically updates
       them when people use the dh-sequencer and the check is not
       geared for more thorough analysis.  (Closes: #848878)
     + [CL] Check that README.source is not the dh_make template.
       (Closes: #633850)
   * checks/debian-readme.{desc,pm}:
     + [NT] Locate the README.Debian using the index rather than relying
       on a collection.
   * checks/fields.pm:
     + [BR] Enforce naming convention for debug package.  (Closes: #645455).
     + [NT] Avoid proposing "/git/git/" as a part of the canonical URL for
       anonscm.debian.org.  Thanks to Andreas Beckmann for spotting the
       bug.  (Closes: #851215)
     + [NT] Apply patch from Dylan Aïssi to recommend "javascript" section
       for libjs packages.  Previously, lintian would recommend "web".
       (Closes: #863386)
   * checks/files.pm:
     + [BR] Do not report duplicates for package-installs-apt-preferences
       and package-installs-apt-sources.  (Closes: #814521).
     + [NT] Apply patch from Helmut Grohne to detect some possible invalid
       uses of "Multi-Arch: foreign".  (Closes: #856975)
     + [NT] Improve the empty-binary-package tag by adding more common
       files that should be ignored.  Thanks to Helmut Grohne for all the
       research behind it.  (Closes: #856857)
     + [BR] Detect symlink pointing to builddir.  (Closes: #860419)
     + [CL] Detect RData without README.source.  (Closes: #815233)
     + [NT] Remove work around for segmentation faults in t1disasm from
       t1utils (<< 1.38-4~).  Given Jessie is the minimum supported Debian
       version, we can now assume t1utils to be (>= 1.38-4).
   * checks/gir.{desc,pm}:
     + [NT] Add check for gir packages written by Simon McVittie.
       (Closes: #695345)
   * checks/init.d.{desc,pm}:
     + [NT] Remove check for init.d scripts accessing /usr without a
       $remote_fs dependency as /usr must now be mounted by the initramfs.
       (Closes: #829649)
   * checks/menu-format.{desc,pm}:
     + [NT] Update the reference to Desktop Entry Specification to point
       to version 1.1.
     + [NT] Apply patch from Laurent Bigonville to check desktop files
       for missing "Icon" field.  (Closes: #854132)
   * checks/rules.{desc,pm}:
     + [NT] Drop "package-would-benefit-from-build-arch-targets".  The
       dpkg-buildpackage refuses to build packages that trigger this tag.
       Also, the tag implies two other "W" tags so contributors are still
       notified of a potential problem.
     + [CL] Check for manual parsing of dpkg-parsechangelog output now that
       we have /usr/share/dpkg/pkg-info.mk.
   * checks/scripts.{desc,pm}:
     + [NT] Apply patch from Christopher Hoskin to except -doc packages
       from the "new-package-should-not-package-python2-module" tag.
       (Closes: #855243)
     + [NT] Remove references to tags about calling suidregister,
       dpkg --assert-working-epoch, and dpkg --assert-multi-conrep from
       maintainer scripts.
   * checks/systemd.{desc,pm}:
     + [NT] Apply patch from Michael Biebl to warn about deprecated
       "BindTo" option in systemd service files.  (Closes: #857194)
   * checks/testsuite.{desc,pm}:
     + [NT] Apply patch from Lucas Kanashiro to add a tag for recommending
       packagers to create an autopkgtest for their package.
       (Closes: #859467)
     + [NT] Fix false-positive "missing-runtime-test-file" when the
       "Tests-Directory" field is set to a single dot.  Thanks to
       Ian Jackson for reporting the issue.  (Closes: #849880)
   * checks/triggers.{desc,pm}:
     + [NT] New check.  (Closes: #698723)
   * checks/upstream-metadata.pm:
     + [JW, NT] Disable YAML parsing of upstream metadata file as the YAML
       parser executes code.  (Closes: #861958, CVE-2017-8829)
   * checks/watch-file.pm:
     + [NT] Apply patch from Alexander Kulak to handle whitespace correctly
       in the options in v4 watch files.  (Closes: #861599)
 .
   * coll/debian-readme{,desc}:
     + [NT] Remove.  Merge what little functionality it offers into the
       debian-readme check.
 .
   * commands/{lintian => lintian.pm}:
     + [NT] Turn the lintian frontend into a dplint command module to avoid
       code duplication.
   * commands/reporting-*:
     + [NT] Rewrite the config file handling.  The reporting framework now
       uses a YAML configuration file instead of a perl script.
     + [NT] Support processing packages from multiple archives and different
       suites in these archives.  This enables lintian.d.o to also process
       dbgsym packages.  (Closes: #856312)
 .
   * data/changes-file/known-dists:
     + [NT] Add buster and remove squeeze.
   * data/common/source-fields:
     + [NT] Add new "Testsuite-Restrictions" field.
   * data/files/privacy-breaker-websites:
     + [BR] Add digit.com as tracker.
     + [BR] Add static.ak.fbcdn.net as facebook.
     + [BR] Add forkme as logo.
   * data/files/standard-files:
     + [NT] Add more common files based on feedback from Helmut Grohne.
   * data/obsolete-sites/obsolete-sites:
     + [BR] Apply patch from Hideki Yamane in order to warn about
       fedorahosted.  (Closes: #856954).
     + [NT] Apply patch from Hideki Yamane to warn about codeplex.com
       closing down.  (Closes: #859412).
   * data/scripts/interpreters:
     + [NT] Add stap as a known interpreter.  Thanks to gustavo panizzo
       for the suggestion.  (Closes: #858326)
   * data/scripts/maintainer-script-bad-command:
     + [NT] Remove check for suidregister, dpkg --assert-working-epoch, and
       dpkg --assert-multi-conrep.  None of these trigger any tags in the
       archive any longer and the (new) features have been available for
       8+ years.
   * data/spelling/corrections:
     + [NT] Apply patches from Edward Betts to fix bugs in the correction
       word lists.  (Closes: #852005, #852084)
     + [NT] Apply patch from Edward Betts to remove corrections for
       "targetted" and "targetting" as they are valid alternative
       spellings in AU.  (Closes: #852145)
     + [EB] Add some more spelling corrections.  (Closes: #852369, #852404,
       #852407, #852409, #852410, #852411, #852413, #852414, #852416,
       #852419, #852421, #852426)
     + [CL] Add "none were" -> "none was" multiword spelling correction.
       (Closes: 860558)
   * data/standards-version/release-dates:
     + [NT] Add 4.0.0 as a known standards version along with its release
       date.
 .
   * debian/control:
     + [NT] Add explicit (Build-)Depends on dpkg (>= 1.17.14) to make it
       explicit that we no longer support Wheezy or older.
     + [NT] Drop versioned dependencies that are there to assist to
       Wheezy.
     + [NT] Mention Debian Policy v4.0.0 in the description.
     + [NT] Bump Standards-Version to 4.0.0 - no changes required.
   * debian/copyright:
     + [EB] Add Edward Betts.
 .
   * frontend/dplint:
     + [NT] Ensure all include directories are absolute before passing
       them on to the actual command.
     + [NT] Work around a "Bizarre Copy" bug in perl that could trigger
       on errors.
 .
   * lib/Lintian/CheckScript.pm:
     + [NT] Remove fallback code for "old" style "pm"-less checks.
   * lib/Lintian/Util.pm:
     + [NT] Drop dpkg_deb_has_ctrl_tarfile.  Lintian now assumes that
       dpkg 1.17.14 is available (provided by Debian jessie or later).
 .
   * reporting/{config => config.yaml}:
     + [NT] Rewrite the reporting config template into the new YAML format.
   * reporting/graphs/tags.gpi:
     + [NT] Tweak tags.gpi so it works with gnuplot 5.
   * reporting/templates/{index.tmpl,lintian.css.tmpl}:
     + [NT] Update to support multiple archives.
 .
   * t/*:
     + [NT] Drop "Test-Depends" from tests where the versions in Debian
       jessie will satisfy the dependency.
     + [NT] Update tests to fix FTBFS caused by dpkg-source now ignoring
       debian/files by default.  (Closes: #863020)
   * t/runtests:
     + [NT] Re-sort test output after running the "post_test" sed script
       on the output.  This prevent test failures caused by the order
       changing on different architectures prior to the sed script is run
       (assuming the sed script otherwise normalises the differences
       correctly).
   * t/tests/cruft-general-upstream/pre_upstream:
     + [EB] Fix failing tests by making the fake flash object more
       convincing.  The most recent version of libmagic uses a more precise
       definition of the data within a flash file.  (Closes: #852891)
   * t/tests/java-jars:
     + [NT] Provide a more convincing corrupt .zip file that also fools
       file 5.30.
 .
   * vendors/ubuntu/main/data/changes-file/known-dists:
     + [CW] Add zesty.
     + [NT] Apply patch from "Unit 193" to add "devel" as a known Ubuntu
       distribution.  (Closes: #861509)
     + [NT] Add artful.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Jul 2017 07:31:50 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:45:35 2019; Machine Name: buxtehude
