Your message dated Sat, 8 Aug 2020 13:54:20 -0300 with message-id <20200808135420.434c96bf@vostok> and subject line Re: Bug#824392: Missing validation of completion script in dh_bash-completion has caused the Debian Bug report #824392, regarding Missing validation of completion script in dh_bash-completion to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
824392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824392
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bash-completion
Version: 1:2.1-4.3
Severity: normal
Tags: patch

The man page says:

It can be a proper completion snippet, and in that case it would be installed in the completion directory, and no other actions would be performed.

Bug #824385 in initramfs-tools occurred because I failed to update the list and dh_bash-completion then quietly fell back to treating it as a completion snippet.

I believe a completion snippet must include a 'complete' command, so please consider applying this patch to add minimal validation of the possible snippet.

--- bash-completion-2.1/debian/extra/debhelper/dh_bash-completion +++ bash-completion-2.1/debian/extra/debhelper/dh_bash-completion @@ -55,7 +55,8 @@ # try parsing a list of files @install = filedoublearray($completions); - foreach my $set (@install) { + for my $i (0..$#install) { + my $set = $install[$i]; my @filelist; my @tmp = @$set; if (@$set > 1) { 
@@ -77,9 +78,19 @@ } if (!@found || !-e $found[0]) { - warning "file-list parsing failed, installing as proper snippet"; - - doit("install", "-p", "-m644", $completions, "$bc_dir/$package"); + # If we failed on the first line, and at + # least one of the lines begins with the + # word 'complete', assume it's a proper + # snippet rather than a list. Otherwise + # the format is ambiguous, so fail. + if ($i == 0 && + grep({ $_->[0] eq 'complete' } + @install)) { + warning "file-list parsing failed, installing as proper snippet"; + doit("install", "-p", "-m644", $completions, "$bc_dir/$package"); + } else { + error "file-list parsing failed"; + } next PKG } push @filelist, @found;
--- END ---

Ben.

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash-completion depends on:
ii  bash  4.3-14+b1
ii  dpkg  1.18.7

bash-completion recommends no packages.

bash-completion suggests no packages.

-- no debconf information
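Review bot: in the second hunk (@@ -77,9 +78,19 @@), the test grep({ $_->[0] eq 'complete' } @install) only accepts a snippet when 'complete' is the first word of some line, so a snippet that registers its completion after another token on the same line (for example a line of the form "} && complete -F _foo foo") would now reach error "file-list parsing failed" instead of being installed. Consider checking every word of each parsed line for 'complete' rather than only $_->[0], and name the file in the error (the path is already in $completions) so the maintainer can tell which debian/*.bash-completion file was judged ambiguous. The comment block would also benefit from stating why the fallback is limited to $i == 0, since a failure on a later line of a real snippet now becomes a hard error.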
--- End Message ---
--- Begin Message ---
Version: 1:2.10-2

A check for a proper completion snippet has been provided by Sergio and integrated into dh_bash-completion [1]. It doesn't fail if it can't determine whether the file is a proper snippet or a file list; rather, it falls back to the previous algorithm. Anyhow, I believe this addresses the concerns raised in this bug report.

Thanks!

[1] https://salsa.debian.org/debian/bash-completion/-/commit/9230db41952b8cf95e3b814455c7f268d485829a
--- End Message ---

