
Hello community, here is the log from the commit of package post-build-checks checked in at Sat Nov 1 23:14:51 CET 2008. -------- --- post-build-checks/post-build-checks.changes 2008-10-23 11:51:39.000000000 +0200 +++ /mounts/work_src_done/STABLE/post-build-checks/post-build-checks.changes 2008-10-28 09:57:12.000000000 +0100 @@ -1,0 +2,11 @@ +Tue Oct 28 09:57:02 CET 2008 - lnussel@suse.de + +- remove suid check. replaced by rpmlint script + +------------------------------------------------------------------- +Mon Oct 27 23:57:31 CET 2008 - meissner@suse.de + +- added warning checks for: array subscript over/underflow, + void return not expected warnings. bnc#240922,bnc#439283 + +------------------------------------------------------------------- calling whatdependson for head-i586 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ post-build-checks.spec ++++++ --- /var/tmp/diff_new_pack.ws5667/_old 2008-11-01 23:14:41.000000000 +0100 +++ /var/tmp/diff_new_pack.ws5667/_new 2008-11-01 23:14:41.000000000 +0100 @@ -24,7 +24,7 @@ AutoReqProv: on Summary: post checks for build after rpms have been created Version: 1.0 -Release: 51 +Release: 53 PreReq: aaa_base permissions sed Source0: %{name}-%{version}.tar.bz2 BuildArch: noarch @@ -79,6 +79,11 @@ /usr/lib/build %changelog +* Tue Oct 28 2008 lnussel@suse.de +- remove suid check. replaced by rpmlint script +* Tue Oct 28 2008 meissner@suse.de +- added warning checks for: array subscript over/underflow, + void return not expected warnings. bnc#240922,bnc#439283 * Thu Oct 23 2008 lnussel@suse.de - suid check: tetex -> texlive * Wed Oct 22 2008 lnussel@suse.de ++++++ post-build-checks-1.0.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/post-build-checks-1.0/checks/07-check-suid new/post-build-checks-1.0/checks/07-check-suid --- old/post-build-checks-1.0/checks/07-check-suid 2008-10-23 11:50:37.000000000 +0200 +++ new/post-build-checks-1.0/checks/07-check-suid 1970-01-01 01:00:00.000000000 +0100 @@ -1,167 +0,0 @@ -#!/usr/bin/perl -w - -BEGIN { - my $broot = $ENV{'BUILD_ROOT'}; - push @INC, "$broot/usr/lib/build/checks-data"; -} - -use strict; -use RPMQ; - -### BEGIN CONFIG ## - -my %permissions_d_whitelist = map { '/etc/permissions.d/'.$_ => 1 } qw/ -lprng -lprng.paranoid -mail-server -mail-server.paranoid -postfix -postfix.paranoid -sendmail -sendmail.paranoid -squid -texlive -texlive.paranoid -/; - -### END CONFIG ## - -my $ret = 0; -my $needsecteam = 0; - -my $root = $ENV{'BUILD_ROOT'} || die "must set \$BUILD_ROOT"; - -print "... checking for /etc/permissions* violations\n"; - -my %perms; - -my %files = map { s/.*\///; s/\..*//; '/etc/permissions.d/'.$_ => 1 } glob($root.'/etc/permissions.d/*'); -my @files = keys %files; -undef %files; - -unshift @files, qw(/etc/permissions); - -sub readpermfile($) -{ - my $f = shift; - open(FH, '<', $f) or die "$f: $!"; - while(<FH>) { - chomp; - s/#.*//; - next if(/^$/); - - my ($file, $owner, $mode, $garbage) = split(/\s+/); - - $owner =~ s/\./:/; - - $perms{$file}{'owner'} = $owner; - $perms{$file}{'mode'} = oct($mode)&07777; - } - close(FH) -} - -for my $i (@files) -{ - my $f = $root.$i; - readpermfile($f) if (-e $f); - $f .= '.secure'; - readpermfile($f) if(-e $f); -} - -for my $rpm (glob($root."/usr/src/packages/RPMS/*/*")) { - my (@errors, @warnings); - my %r = RPMQ::rpmq_many($rpm, qw/FILENAMES FILEMODES FILEUSERNAME FILEGROUPNAME/); - - my $i = 0; - for my $file (@{$r{'FILENAMES'}}) { - - my $mode = $r{'FILEMODES'}->[$i]; - my $owner = $r{'FILEUSERNAME'}->[$i].':'.$r{'FILEGROUPNAME'}->[$i]; - ++$i; - -# S_IFSOCK 014 socket -# S_IFLNK 012 symbolic link -# S_IFREG 010 regular file -# S_IFBLK 006 block device -# S_IFDIR 004 directory -# S_IFCHR 002 character device -# S_IFIFO 001 FIFO - my $type = ($mode>>12)&017; - - $mode &= 07777; - if(exists($perms{$file}) || ($type == 04 && exists($perms{$file.'/'}))) { - if($type == 012) { - push @warnings, "permissions handling for symlink $file is useless\n"; - next; - } - my ($m, $o); - if($type == 04) { - if(exists($perms{$file})) { - # legacy permissions files may still contain directories - # without slash appended. - push @warnings, "$file is a directory, please append a slash to the filename\n"; - $m = $perms{$file}{'mode'}; - $o = $perms{$file}{'owner'}; - } else { - $m = $perms{$file.'/'}{'mode'}; - $o = $perms{$file.'/'}{'owner'}; - } - } else { - $m = $perms{$file}{'mode'}; - $o = $perms{$file}{'owner'}; - } - - if ($mode != $m) { - push @errors, sprintf("\%s has mode \%o but should be \%o\n", $file, $mode, $m); - } - - if ($owner ne $o) { - push @errors, "$file belongs to $owner but should be $o\n"; - } - } elsif($type != 012) { - if(exists($perms{$file.'/'})) { - push @errors, "$file is a file but listed as directory\n"; - } - - if($mode&06000) { - if($type != 04) { - push @errors, sprintf "\%s is packaged with setuid/setgid bits (\%o)\n", $file, $mode; - $needsecteam = 1; - } else { - push @warnings, sprintf "\%s is packaged with setuid/setgid bits (\%o)\n", $file, $mode; - } - } - - if($mode&02) { - push @errors, sprintf "\%s is packaged with world writable permissions (\%o)\n", $file, $mode; - $needsecteam = 1; - } - } - - if($file =~ /^\/etc\/permissions\.d\// && !exists($permissions_d_whitelist{$file})) { - push @errors, "unauthorized permissions file: $file\n"; - $needsecteam = 1; - } - } - close(FH); - - if(@warnings || @errors) { - $rpm =~ s/.*\/(.*?\/.*?)/$1/; - print ' '.$rpm.":\n"; - } - for my $w (@warnings) { - print ' WARNING: '.$w; - } - for my $e (@errors) { - print ' ERROR: '.$e; - } -} - -if($needsecteam) { - print "\nPlease contact the SUSE Security Team <security\@suse.de>\n"; - $ret = 1; -} - -exit $ret; - -# vim: sw=4 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/post-build-checks-1.0/checks-data/check_gcc_output new/post-build-checks-1.0/checks-data/check_gcc_output --- old/post-build-checks-1.0/checks-data/check_gcc_output 2008-10-14 15:27:32.000000000 +0200 +++ new/post-build-checks-1.0/checks-data/check_gcc_output 2008-10-27 23:52:44.000000000 +0100 @@ -32,6 +32,8 @@ "warning:.*implicit .*'(recv|recvfrom|read|pread|pread64|readlink|getwd|getcwd|fgets|fgets_unlock|strncat|strcat|memmove|memcpy|mempcpy|strpcpy|strcpy|strncpy|printf|sprintf|snprintf|vprintf|vsprintf|vsnprintf|fprintf|vfprintf|gets|memset|bzero|bcopy|strlen|strcmp|wcscpy|wcpcpy|wcsncpy|wcpncpy|wcscat|swprintf|vswprintf|fgetws|wcsrtombs|mbsrtowcs|wcrtomb|wcsnrtombs|ptsname|realpath|wctomb|mbstowcs|ttyname_r|getlogin_r|getgroups|confstr|gethostname|getdomainname|)'" => "implicit-fortify-decl", 'warning:.*memset used with constant zero length parameter' => "memset-with-zero-length", 'warning:.*comparison with string literal' => "stringcompare", + "warning:.*'return' with no value, in function returning non-void" => "voidreturn", + 'warning:.*array subscript is (below|above) array bounds' => "arraysubscript" ); my %warn_desc = ( @@ -66,6 +68,12 @@ " - Implicit *read* functions need #include <unistd.h>.\n" . " - Implicit *recv* functions need #include <sys/socket.h>.\n", "no-rpm-opt-flags" => "File is compiled without RPM_OPT_FLAGS", + + "voidreturn" => "A function uses a 'return;' statement, but has actually a value\n" . + "to return, like an integer ('return 42;') or similar.\n", + "arraysubscript" => "A function overflows or underflows an array access. This could be a real error,\n" . + "but occasionaly this condition is also misdetected due to loop unrolling or strange pointer\n" . + "handling. So this is warning only, please review.\n" ); my %warn_severity = ( @@ -86,6 +94,8 @@ "bufferoverflowstrncat" => 'E', "stringcompare" => 'E', "uninitialized-variable" => 'W', + "voidreturn" => "W", + "arraysubscript" => "W", ); #---------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de