[Bash-completion-devel] Bug#824392: Missing validation of completion script in dh_bash-completion

Ben Hutchings ben at decadent.org.uk
Sun May 15 10:25:48 UTC 2016 

Package: bash-completion
Version: 1:2.1-4.3
Severity: normal
Tags: patch

The man page says:

       It can be a proper completion snippet, and in that case it would be
       installed in the completion directory, and no other actions would be
       performed.

Bug #824385 in initramfs-tools occurred because I failed to update the
list and dh_bash-completion then quietly fell back to treating it as a
completion snippet.

I believe a completion snippet must include a 'complete' command, so
please consider applying this patch to add minimal validation of the
possible snippet.

--- bash-completion-2.1/debian/extra/debhelper/dh_bash-completion
+++ bash-completion-2.1/debian/extra/debhelper/dh_bash-completion
@@ -55,7 +55,8 @@
 
 		# try parsing a list of files
 		@install = filedoublearray($completions);
-		foreach my $set (@install) {
+		for my $i (0..$#install) {
+			my $set = $install[$i];
 			my @filelist;
 			my @tmp = @$set;
 			if (@$set > 1) {
@@ -77,9 +78,19 @@
 				}
 
 				if (!@found || !-e $found[0]) {
-					warning "file-list parsing failed, installing as proper snippet";
-
-					doit("install", "-p", "-m644", $completions, "$bc_dir/$package");
+					# If we failed on the first line, and at
+					# least one of the lines begins with the
+					# word 'complete', assume it's a proper
+					# snippet rather than a list.  Otherwise
+					# the format is ambiguous, so fail.
+					if ($i == 0 &&
+					    grep({ $_->[0] eq 'complete' }
+						 @install)) {
+						warning "file-list parsing failed, installing as proper snippet";
+						doit("install", "-p", "-m644", $completions, "$bc_dir/$package");
+					} else {
+						error "file-list parsing failed";
+					}
 					next PKG
 				}
 				push @filelist, @found;
--- END ---

Ben.

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.3-14+b1
ii  dpkg  1.18.7

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information

More information about the Bash-completion-devel mailing list