Bug#834064: debcheckout: should rewrite insecure alioth URIs
Sean Whitton
spwhitton at spwhitton.name
Thu Aug 11 18:22:53 UTC 2016
Package: devscripts
Version: 2.16.6
Severity: normal
File: /usr/bin/debcheckout
Tags: patch
Dear maintainers,
debcheckout should rewrite insecure alioth URIs to secure ones. This
protects users from (e.g.) maliciously-inserted debian/rules scripts.
It's especially important in unauthenticated mode.
The attached patch (suitable for git-am(1)) implements this.
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.kbx
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: i386 (i686)
Kernel: Linux 4.5.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.10
ii libc6 2.23-4
ii perl 5.22.2-3
pn python3:any <none>
Versions of packages devscripts recommends:
ii apt 1.3~pre2
ii at 3.1.20-1
ii curl 7.47.0-1
ii dctrl-tools 2.24-2
ii debian-keyring 2016.07.02
ii dput 0.9.6.4
ii equivs 2.0.9+nmu1
ii fakeroot 1.21-1
ii file 1:5.28-4
ii gnupg 2.1.14-2
ii libdistro-info-perl 0.14
ii libencode-locale-perl 1.05-1
ii liblwp-protocol-https-perl 6.06-2
ii libsoap-lite-perl 1.20-1
ii liburi-perl 1.71-1
ii libwww-perl 6.15-1
ii licensecheck 3.0.13-1
ii lintian 2.5.45
ii man-db 2.7.5-1
ii patch 2.7.5-1
ii patchutils 0.3.4-1
ii python3-debian 0.1.28
ii python3-magic 1:5.28-4
ii sensible-utils 0.0.9
ii strace 4.12-3
ii unzip 6.0-20
ii wdiff 1.2.2-1+b1
ii wget 1.18-2
ii xz-utils 5.1.1alpha+20120614-2.1
Versions of packages devscripts suggests:
ii bsd-mailx [mailx] 8.1.2-0.20160123cvs-3
ii build-essential 12.2
pn cvs-buildpackage <none>
pn devscripts-el <none>
pn diffoscope <none>
ii dose-extra 5.0-3
ii gnuplot 5.0.3+dfsg3-7
ii gpgv 2.1.14-3
ii libauthen-sasl-perl 2.1600-1
ii libfile-desktopentry-perl 0.22-1
ii libnet-smtp-ssl-perl 1.03-1
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
ii mozilla-devscripts 0.47
ii mutt 1.6.0-1
ii openssh-client [ssh-client] 1:7.2p2-8
ii svn-buildpackage 0.8.6
ii w3m 0.5.3-29
-- no debconf information
--
Sean Whitton
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debcheckout-rewrite-insecure-alioth-URIs.patch
Type: text/x-diff
Size: 1764 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20160811/ab2d9b4d/attachment.patch>
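The rewrite the report asks for, shown as an added Python example rather than the attached Perl patch (which is not reproduced on this page): only URIs on known alioth hosts with a plaintext scheme are touched, and ssh:// or https:// URIs are left alone so authenticated checkouts keep working. The alioth host names, the `/git` HTTPS path prefix and the sample URIs are assumptions made for illustration.

```python
"""Rewrite insecure alioth checkout URIs to HTTPS (illustrative, not the
devscripts patch). Hosts and path prefix below are assumptions."""
from urllib.parse import urlsplit, urlunsplit

# Assumed alioth hosts that served anonymous checkouts over plaintext
# transports (git://, http://). Constructed for this example.
ALIOTH_HOSTS = {"anonscm.debian.org", "alioth.debian.org", "git.debian.org"}

# Assumed mapping: plaintext scheme -> path prefix the same repository is
# served under over HTTPS (git://host/repo is assumed to be
# https://host/git/repo; http://host/... keeps its path).
INSECURE_SCHEMES = {"git": "/git", "http": ""}

# Transports that authenticate the server or the channel; these are the
# ones debcheckout can safely leave unchanged, even in unauthenticated mode.
SECURE_SCHEMES = {"https", "ssh", "git+ssh", "svn+ssh"}


def rewrite_insecure_alioth_uri(uri: str) -> str:
    """Return an HTTPS equivalent of an insecure alioth URI, or the URI
    unchanged when it is already secure, not on alioth, or unrecognised."""
    parts = urlsplit(uri)
    host = parts.hostname or ""          # lower-cased, userinfo/port stripped
    prefix = INSECURE_SCHEMES.get(parts.scheme)
    if prefix is None or host not in ALIOTH_HOSTS:
        return uri                        # leave non-alioth and ssh:// URIs alone
    path = parts.path
    if prefix and not path.startswith(prefix + "/"):
        path = prefix + path              # e.g. /collab-maint/x.git -> /git/collab-maint/x.git
    return urlunsplit(("https", host, path, parts.query, parts.fragment))


def is_transport_secure(uri: str) -> bool:
    """True when the checkout transport authenticates the server (TLS or SSH)."""
    return urlsplit(uri).scheme in SECURE_SCHEMES


if __name__ == "__main__":
    # Constructed sample Vcs-* style URIs, not taken from any real package.
    for sample in ("git://anonscm.debian.org/collab-maint/foo.git",
                   "http://anonscm.debian.org/git/collab-maint/foo.git",
                   "git+ssh://git.debian.org/git/collab-maint/foo.git",
                   "git://example.org/unrelated.git"):
        fixed = rewrite_insecure_alioth_uri(sample)
        print(f"{sample} -> {fixed} (secure: {is_transport_secure(fixed)})")
```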