Bug#834064: debcheckout: should rewrite insecure alioth URIs

Sean Whitton spwhitton at spwhitton.name
Thu Aug 11 18:22:53 UTC 2016 

Package: devscripts
Version: 2.16.6
Severity: normal
File: /usr/bin/debcheckout
Tags: patch

Dear maintainers,

debcheckout should rewrite insecure alioth URIs to secure ones.  This
protects users from (e.g.) maliciously-inserted debian/rules scripts.
It's especially important in unauthenticated mode.

The attached patch (suitable for git-am(1)) implements this.

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.kbx
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.5.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev     1.18.10
ii  libc6        2.23-4
ii  perl         5.22.2-3
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  apt                         1.3~pre2
ii  at                          3.1.20-1
ii  curl                        7.47.0-1
ii  dctrl-tools                 2.24-2
ii  debian-keyring              2016.07.02
ii  dput                        0.9.6.4
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.21-1
ii  file                        1:5.28-4
ii  gnupg                       2.1.14-2
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.20-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  licensecheck                3.0.13-1
ii  lintian                     2.5.45
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.28
ii  python3-magic               1:5.28-4
ii  sensible-utils              0.0.9
ii  strace                      4.12-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-2
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
ii  bsd-mailx [mailx]            8.1.2-0.20160123cvs-3
ii  build-essential              12.2
pn  cvs-buildpackage             <none>
pn  devscripts-el                <none>
pn  diffoscope                   <none>
ii  dose-extra                   5.0-3
ii  gnuplot                      5.0.3+dfsg3-7
ii  gpgv                         2.1.14-3
ii  libauthen-sasl-perl          2.1600-1
ii  libfile-desktopentry-perl    0.22-1
ii  libnet-smtp-ssl-perl         1.03-1
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-2
pn  libyaml-syck-perl            <none>
ii  mozilla-devscripts           0.47
ii  mutt                         1.6.0-1
ii  openssh-client [ssh-client]  1:7.2p2-8
ii  svn-buildpackage             0.8.6
ii  w3m                          0.5.3-29

-- no debconf information

-- 
Sean Whitton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debcheckout-rewrite-insecure-alioth-URIs.patch
Type: text/x-diff
Size: 1764 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20160811/ab2d9b4d/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20160811/ab2d9b4d/attachment.sig>

More information about the devscripts-devel mailing list