Hello community, here is the log from the commit of package rpmlint for openSUSE:Factory checked in at Mon May 16 11:33:47 CEST 2011. -------- --- rpmlint/rpmlint.changes 2011-05-05 09:16:21.000000000 +0200 +++ /mounts/work_src_done/STABLE/rpmlint/rpmlint.changes 2011-05-11 14:31:54.000000000 +0200 @@ -1,0 +2,12 @@ +Wed May 11 11:25:33 UTC 2011 - lnussel@suse.de + +- don't filter non-standard-gid anymore +- add dir-or-file-in-var-lock check +- remove 'nobody' from standard users + +------------------------------------------------------------------- +Tue May 10 11:38:05 UTC 2011 - lnussel@suse.de + +- add not-a-position-independent-executable check + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- pie.config rpmlint-pie.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rpmlint.spec ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -23,7 +23,7 @@ BuildRequires: rpm-python Summary: Rpm correctness checker Version: 1.1 -Release: 33 +Release: 35 Source0: %{name}-%{version}.tar.bz2 Source1: config Source1001: config.in @@ -49,6 +49,7 @@ Source21: BashismsCheck.py Source22: CheckGNOMEMacros.py Source23: CheckBuildDate.py +Source24: pie.config Source100: syntax-validator.py Url: http://rpmlint.zarb.org/ License: GPLv2+ @@ -124,6 +125,7 @@ # already upstream Patch87: rpmlint-add-details.diff Patch88: suse-speccheck-utf8.diff +Patch89: rpmlint-pie.diff %py_requires %description @@ -150,7 +152,7 @@ %patch8 %patch9 #%patch10 -%patch11 +%patch11 -p1 %patch12 %patch13 %patch14 @@ -203,6 +205,7 @@ %patch86 %patch87 -p1 %patch88 +%patch89 -p1 cp -p %{SOURCE1} . cp -p %{SOURCE2} . cp -p %{SOURCE3} . 
@@ -238,6 +241,7 @@ # make sure that the package is sane python -tt %{SOURCE100} $RPM_BUILD_ROOT/usr/share/rpmlint/*.py $RPM_BUILD_ROOT/usr/share/rpmlint/config %__install -m 644 %{SOURCE20} %{buildroot}/%{_sysconfdir}/rpmlint/ +%__install -m 644 %{SOURCE24} %{buildroot}/%{_sysconfdir}/rpmlint/ %clean rm -rf $RPM_BUILD_ROOT @@ -249,6 +253,7 @@ %{_prefix}/share/rpmlint %config(noreplace) /etc/rpmlint/config %config %{_sysconfdir}/rpmlint/rpmgroups.config +%config %{_sysconfdir}/rpmlint/pie.config %dir /etc/rpmlint /usr/share/man/man1/rpmlint.1.gz ++++++ BashismsCheck.py ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -28,9 +28,12 @@ status, output = Pkg.getstatusoutput(["dash", "-n", filename]) if status == 2: printWarning(pkg, "bin-sh-syntax-error", filename) - status, output = Pkg.getstatusoutput(["checkbashisms", filename]) - if status == 1: - printInfo(pkg, "potential-bashisms", filename) + try: + status, output = Pkg.getstatusoutput(["checkbashisms", filename]) + if status == 1: + printInfo(pkg, "potential-bashisms", filename) + except Exception, x: + printError(pkg, 'rpmlint-exception', "%(file)s raised an exception: %(x)s" % {'file':filename, 'x':x}) finally: f.close() ++++++ CheckSUIDPermissions.py ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -135,6 +135,10 @@ else: f += '/' + if type == 010: + if not 'shared object' in pkgfile.magic: + printError(pkg, 'not-a-position-independent-executable', f) + m = self.perms[f]['mode'] o = self.perms[f]['owner'] 
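Review bot: In the BashismsCheck.py hunk the new `try`/`except Exception, x:` wraps only the `checkbashisms` call, while the `dash -n` call on the context line just above it stays outside the handler. If `Pkg.getstatusoutput` can raise when the helper binary is missing (not visible here), a missing `dash` would still abort the check, while a missing `checkbashisms` is reported as `rpmlint-exception`. Starting the `try:` one statement earlier, before `status, output = Pkg.getstatusoutput(["dash", "-n", filename])`, would treat both tools the same way. The enclosing function starts outside the hunk.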
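Review bot: The added test `if not 'shared object' in pkgfile.magic:` in the CheckSUIDPermissions.py hunk at -135 (repeated verbatim in the hunk at -159) decides PIE status from the wording of the libmagic description. As far as the hunks show, it runs for every entry with `type == 010`, not only for ELF binaries. A script or data file that reaches this code would be reported as `not-a-position-independent-executable`, and a change in the magic wording would silently change the result. Consider narrowing it to `if type == 010 and 'ELF' in pkgfile.magic and 'shared object' not in pkgfile.magic:` and moving the duplicated test into one helper, with a comment such as `# 010: regular file (presumably mode >> 12)` to explain the octal constant. Both enclosing blocks start and end outside the hunks.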
@@ -159,6 +163,10 @@ else: printWarning(pkg, 'permissions-directory-setuid-bit', msg) + if type == 010: + if not 'shared object' in pkgfile.magic: + printError(pkg, 'not-a-position-independent-executable', f) + if mode&02: need_verifyscript = True printError(pkg, 'permissions-world-writable', \ ++++++ config ++++++ --- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200 +++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200 @@ -139,6 +139,7 @@ 'pulse-rt', 'quagga', 'radiusd', + 'root', 'sabayon-admin', 'sapdb', 'shadow', @@ -217,7 +218,6 @@ 'nagios', 'named', 'news', - 'nobody', 'novell_nobody', 'novlifdr', 'novlxregd', 
@@ -558,7 +558,6 @@ addFilter(" apache2-naming-policy-not-applied") addFilter(" no-default-runlevel ") addFilter(" setgid-binary ") -addFilter(" non-standard-gid ") addFilter(" non-readable ") addFilter(" manpage-not-bzipped ") addFilter(" postin-without-ghost-file-creation ") ++++++ pie.config ++++++ from Config import * # This file should list daemons and programs that are likely to be set setuid # by users. Files listed in permissions.eays are automatically checked. setOption("PieExecutables", ( "/bin/ping", "/bin/ping6", "/bin/su", "/usr/bin/pidgin", "/sbin/arping", "/sbin/clockdiff", "/sbin/dhclient", "/sbin/dhcpcd", "/sbin/klogd", "/sbin/rpcbind", "/sbin/syslogd", "/sbin/tracepath", "/sbin/tracepath6", "/usr/bin/uniconv", "/usr/bin/achfile", "/usr/bin/adv1tov2", "/usr/bin/aecho", "/usr/bin/afile", "/usr/bin/afppasswd", "/usr/bin/at", "/usr/bin/cadaver", "/usr/bin/chage", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/ciptool", "/usr/bin/cnid_index", "/usr/bin/dig", "/usr/bin/dund", "/usr/bin/expiry", "/usr/bin/finger", "/usr/bin/getzones", "/usr/bin/gpasswd", "/usr/bin/gpg", "/usr/bin/gpgsplit", "/usr/bin/gpgv", "/usr/bin/hcitool", "/usr/bin/hidd", "/usr/bin/host", "/usr/bin/htpasswd", "/usr/bin/l2ping", "/usr/bin/lppasswd", "/usr/bin/megatron", "/usr/bin/nbplkup", "/usr/bin/nbprgstr", "/usr/bin/nbpunrgstr", "/usr/bin/ncplogin", "/usr/bin/ncpmap", "/usr/bin/net", "/usr/bin/newgrp", "/usr/bin/nmblookup", "/usr/bin/nslookup", "/usr/bin/nsupdate", "/usr/bin/nwsfind", "/usr/bin/omshell", "/usr/bin/pand", "/usr/bin/pap", "/usr/bin/papstatus", "/usr/bin/passwd", "/usr/bin/pdbedit", "/usr/bin/profiles", "/usr/bin/psorder", "/usr/bin/rcp", "/usr/bin/rexec", "/usr/bin/rfcomm", "/usr/bin/rlogin", "/usr/bin/rpcclient", "/usr/bin/rsh", "/usr/bin/scp", "/usr/bin/sdptool", "/usr/bin/sftp", "/usr/bin/showppd", "/usr/bin/smbcacls", "/usr/bin/smbclient", "/usr/bin/smbcontrol", "/usr/bin/smbcquotas", "/sbin/mount.cifs", "/usr/bin/smbpasswd", "/usr/bin/smbspool", 
"/usr/bin/smbstatus", "/usr/bin/smbtree", "/usr/bin/ssh", "/usr/bin/ssh-add", "/usr/bin/ssh-agent", "/usr/bin/ssh-keygen", "/usr/bin/ssh-keyscan", "/usr/bin/svn", "/usr/bin/svnadmin", "/usr/bin/svndumpfilter", "/usr/bin/svnlook", "/usr/bin/svnserve", "/usr/bin/svnversion", "/usr/bin/talk", "/usr/bin/tdbbackup", "/usr/bin/tdbdump", "/usr/bin/tdbtool", "/usr/bin/telnet", "/usr/bin/testparm", "/usr/bin/testprns", "/usr/bin/timeout", "/usr/bin/wbinfo", "/usr/lib/mit/bin/ftp", "/usr/lib/mit/bin/gss-client", "/usr/lib/mit/bin/kdestroy", "/usr/lib/mit/bin/kinit", "/usr/lib/mit/bin/klist", "/usr/lib/mit/bin/kpasswd", "/usr/lib/mit/bin/krb524init", "/usr/lib/mit/bin/ksu", "/usr/lib/mit/bin/kvno", "/usr/lib/mit/bin/rcp", "/usr/lib/mit/bin/rlogin", "/usr/lib/mit/bin/rsh", "/usr/lib/mit/bin/sclient", "/usr/lib/mit/bin/sim_client", "/usr/lib/mit/bin/telnet", "/usr/lib/mit/bin/uuclient", "/usr/lib/mit/bin/v4rcp", "/usr/lib/mit/sbin/ftpd", "/usr/lib/mit/sbin/gss-server", "/usr/lib/mit/sbin/kadmin", "/usr/lib/mit/sbin/kadmin.local", "/usr/lib/mit/sbin/kadmind", "/usr/lib/mit/sbin/kdb5_util", "/usr/lib/mit/sbin/klogind", "/usr/lib/mit/sbin/kprop", "/usr/lib/mit/sbin/kpropd", "/usr/lib/mit/sbin/krb524d", "/usr/lib/mit/sbin/krb5kdc", "/usr/lib/mit/sbin/kshd", "/usr/lib/mit/sbin/ktutil", "/usr/lib/mit/sbin/login.krb5", "/usr/lib/mit/sbin/sim_server", "/usr/lib/mit/sbin/sserver", "/usr/lib/mit/sbin/telnetd", "/usr/lib/mit/sbin/uuserver", "/usr/lib/news/bin/innd", "/usr/lib/news/bin/innbind", "/usr/lib/news/bin/rnews", "/usr/sbin/afpd", "/usr/sbin/amcheck", "/usr/sbin/amdd", "/usr/sbin/atalkd", "/usr/sbin/atd", "/usr/sbin/automount", "/usr/sbin/chat", "/usr/sbin/cnid_dbd", "/usr/sbin/cnid_metad", "/usr/sbin/cron", "/usr/sbin/cupsd", "/usr/sbin/dhcpd", "/usr/sbin/dhcrelay", "/usr/sbin/dnssec-keygen", "/usr/sbin/dnssec-signzone", "/usr/sbin/exim", "/usr/sbin/hciattach", "/usr/sbin/bluetoothd", "/usr/sbin/hciconfig", "/usr/sbin/hid2hci", "/usr/sbin/httpd2", "/usr/sbin/httpd2-prefork", 
"/usr/sbin/httpd2-worker", "/usr/sbin/in.fingerd", "/usr/sbin/in.ntalkd", "/usr/sbin/in.rexecd", "/usr/sbin/in.rlogind", "/usr/sbin/in.rshd", "/usr/sbin/in.telnetd", "/usr/sbin/irqbalance", "/usr/sbin/lwresd", "/usr/sbin/mailstats", "/usr/sbin/makemap", "/usr/sbin/named", "/usr/sbin/named-checkconf", "/usr/sbin/named-checkzone", "/usr/sbin/nmbd", "/usr/sbin/nscd", "/usr/sbin/ntlm_auth", "/usr/sbin/ntp-keygen", "/usr/sbin/ntpd", "/usr/sbin/ntpdc", "/usr/sbin/ntpq", "/usr/sbin/ntptime", "/usr/sbin/openvpn", "/usr/sbin/papd", "/usr/sbin/postfix", "/usr/sbin/pppd", "/usr/sbin/praliases", "/usr/sbin/radiusd", "/usr/sbin/rarpd", "/usr/sbin/rndc", "/usr/sbin/rndc-confgen", "/usr/sbin/rotatelogs2", "/usr/sbin/rpc.mountd", "/usr/sbin/rpc.nfsd", "/usr/sbin/rpc.rquotad", "/usr/sbin/rpc.rwalld", "/usr/sbin/rpc.yppasswdd", "/usr/sbin/rpc.ypxfrd", "/usr/sbin/safe_finger", "/usr/sbin/sendmail", "/usr/lib/sudo/sesh", "/usr/lib/openldap/slapd", "/usr/sbin/smartctl", "/usr/sbin/smartd", "/usr/sbin/smbd", "/usr/sbin/snmpd", "/usr/sbin/snmptrapd", "/usr/sbin/squid", "/usr/sbin/squidclient", "/usr/sbin/sshd", "/usr/sbin/stunnel", "/usr/sbin/suexec2", "/usr/sbin/tcpd", "/usr/sbin/tickadj", "/usr/sbin/traceroute", "/usr/sbin/traceroute6", "/usr/sbin/try-from", "/usr/sbin/utempter", "/usr/sbin/visudo", "/usr/sbin/vsftpd", "/usr/sbin/winbindd", "/usr/sbin/xinetd", "/usr/sbin/yppush", "/usr/sbin/ypserv", "/usr/bin/zone2ldap", ) ) ++++++ rpmlint-pie.diff ++++++
From cdf3d7e6338e8133d9b2b8f19de8e5a3308327bc Mon Sep 17 00:00:00 2001 From: Ludwig Nussel
Date: Mon, 9 May 2011 11:54:48 +0200 Subject: [PATCH] check for position independent executables
---
BinariesCheck.py | 11 +++++++++++
config | 4 ++++
2 files changed, 15 insertions(+), 0 deletions(-)
Index: rpmlint-1.1/BinariesCheck.py
===================================================================
--- rpmlint-1.1.orig/BinariesCheck.py
+++ rpmlint-1.1/BinariesCheck.py
@@ -25,6 +25,9 @@ DEFAULT_SYSTEM_LIB_PATHS = (
'/lib', '/usr/lib', '/usr/X11R6/lib',
'/lib64', '/usr/lib64', '/usr/X11R6/lib64')
+DEFAULT_PIE_EXECUTABLES = (
+)
+
class BinaryInfo:
needed_regex = re.compile('\s+\(NEEDED\).*\[(\S+)\]')
@@ -189,6 +192,7 @@ so_regex = re.compile('/lib(64)?/[^/]+\.
validso_regex = re.compile('(\.so\.\d+(\.\d+)*|\d\.so)$')
sparc_regex = re.compile('SPARC32PLUS|SPARC V9|UltraSPARC')
system_lib_paths = Config.getOption('SystemLibPaths', DEFAULT_SYSTEM_LIB_PATHS)
+pie_executables = Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES)
usr_lib_regex = re.compile('^/usr/lib(64)?/')
bin_regex = re.compile('^(/usr(/X11R6)?)?/s?bin/')
soversion_regex = re.compile('.*?([0-9][.0-9]*)\\.so|.*\\.so\\.([0-9][.0-9]*).*')
@@ -377,6 +381,9 @@ class BinariesCheck(AbstractCheck.Abstra
if not is_exec and not is_shobj:
continue
+ if fname in pie_executables and not is_shobj:
+ printError(pkg, 'not-a-position-independent-executable', fname)
+
if is_exec:
if bin_regex.search(fname):
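Review bot: `fname in pie_executables` is an exact-path membership test, so a program is only checked when it is installed at precisely the path listed in `PieExecutables`. The same binary shipped under another prefix passes without any message. That limitation should be stated next to the check, e.g. `# exact path match only; binaries installed elsewhere are not covered`, and in the option's description in `config`. Since the option is a tuple with a few hundred entries in pie.config and is consulted for every binary, building it once as `pie_executables = frozenset(Config.getOption('PieExecutables', DEFAULT_PIE_EXECUTABLES))` would make the lookup constant-time. The loop body this hunk sits in starts and ends outside the hunk.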
@@ -598,6 +605,10 @@ that use prelink, make sure that prelink
placing a blacklist file in /etc/prelink.conf.d. For more information, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=256900#49''',
+'not-a-position-independent-executable',
+'''As per distribution policy the binary must be position independent. Add
+-fPIE to CFLAGS and -pie to LDFLAGS'''
+
'unstripped-binary-or-object',
'''stripping debug info from binaries happens automatically according to global
project settings. So there's normally no need to manually strip binaries.
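Review bot: The new details entry has no comma after its closing `'''`, so Python joins that text with the next literal, `'unstripped-binary-or-object'`, into a single string. The description for the new check then ends in "LDFLAGSunstripped-binary-or-object" and the argument list is one element short. Assuming the call pairs its arguments as name and text, every entry after this point is paired with the wrong description. The line should read `-fPIE to CFLAGS and -pie to LDFLAGS''',`. The enclosing call starts and ends outside the hunk.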
Index: rpmlint-1.1/config
===================================================================
--- rpmlint-1.1.orig/config
+++ rpmlint-1.1/config
@@ -130,6 +130,10 @@ from Config import *
# Type: tuple of strings, default: see DEFAULT_SYSTEM_LIB_PATHS in BinariesCheck
#setOption("SystemLibPaths", ('/lib', '/lib64', '/usr/lib', '/usr/lib64'))
+# List of binaries that must be position independent executables
+# Type: tuple of strings, default: empty
+#setOption("PieExecutables", ('/bin/ping', '/bin/su'))
+
# Whether to want default start/stop runlevels specified in init scripts.
# Type: boolean, default: True
#setOption("UseDefaultRunlevels", True)
++++++ suse-file-var-run.diff ++++++
--- /var/tmp/diff_new_pack.Xnh5Rj/_old 2011-05-16 11:31:42.000000000 +0200
+++ /var/tmp/diff_new_pack.Xnh5Rj/_new 2011-05-16 11:31:42.000000000 +0200
@@ -1,35 +1,48 @@
-Index: FilesCheck.py
-===================================================================
---- FilesCheck.py.orig
-+++ FilesCheck.py
-@@ -901,7 +901,7 @@ class FilesCheck(AbstractCheck.AbstractC
- is_kernel_package:
- printError(pkg, "kernel-modules-not-in-kernel-packages", f)
-
-- if tmp_regex.search(f):
-+ if tmp_regex.search(f) and f not in ghost_files:
- printError(pkg, 'dir-or-file-in-tmp', f)
- elif f.startswith('/mnt/'):
- printError(pkg, 'dir-or-file-in-mnt', f)
-@@ -911,6 +911,8 @@ class FilesCheck(AbstractCheck.AbstractC
+From 811469ebe70ea65029d64ae2e7bc6e9828f59c9e Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel