[MIR] new dependencies of lintian

Bug #1899213 reported by Balint Reczey
This bug affects 2 people
Affects (status / importance / assigned to; no milestone set):
discount (Ubuntu): Fix Released / Undecided / Unassigned
libhtml-html5-entities-perl (Ubuntu): Fix Released / Undecided / Matthias Klose
libproc-processtable-perl (Ubuntu): Fix Released / Undecided / Matthias Klose
libtext-markdown-discount-perl (Ubuntu): Fix Released / Undecided / Matthias Klose
lintian (Ubuntu): Invalid / Undecided / Unassigned

Bug Description

libproc-processtable-perl, libhtml-html5-entities-perl, libtext-markdown-discount-perl:

Well maintained, simple Perl packages without any problem.
Maintainer of all in Debian is the Debian Perl Group.
The Foundations Team is subscribed to the bug reports

libhtml-html5-entities-perl: The last upload took place quite some time ago, but the next upload is prepared in git already.
Also there is no autopkgtest set for the package.

---

discount:

Availability
============
Built for all supported architectures. In sync with Debian.

Rationale
=========

libmarkdown2 is a dependency of libtext-markdown-discount-perl.

Security
========

There were a few security issues which are resolved now:
https://security-tracker.debian.org/tracker/source-package/discount

Quality assurance
=================
- the Foundations Team is subscribed to the bug reports
- dh_auto_test runs the tests
- The package does not have an autopkgtest

https://bugs.launchpad.net/ubuntu/+source/discount
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=discont
https://github.com/Orc/discount/issues

Dependencies
============
No universe binary dependencies

Standards compliance
====================
4.4.0, debhelper compat 12, dh simple rules

Maintenance
===========
Actively maintained:
https://github.com/Orc/discount

Not team maintained in Debian.
https://tracker.debian.org/pkg/discount

Balint Reczey (rbalint)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in discount (Ubuntu):
status: New → Confirmed
Changed in libhtml-html5-entities-perl (Ubuntu):
status: New → Confirmed
Changed in libproc-processtable-perl (Ubuntu):
status: New → Confirmed
Changed in libtext-markdown-discount-perl (Ubuntu):
status: New → Confirmed
Balint Reczey (rbalint)
description: updated
Balint Reczey (rbalint)
description: updated
Balint Reczey (rbalint)
description: updated
Changed in discount (Ubuntu):
status: Confirmed → New
Changed in libhtml-html5-entities-perl (Ubuntu):
status: Confirmed → New
Changed in libproc-processtable-perl (Ubuntu):
status: Confirmed → New
Changed in libtext-markdown-discount-perl (Ubuntu):
status: Confirmed → New
Balint Reczey (rbalint)
tags: added: update-excuse
Changed in lintian (Ubuntu):
status: New → Incomplete
Christian Ehrhardt (paelzer) wrote :

Doko wanted to look into these lintian-triggered dependencies from the MIR team (per last few meetings we had) so I'm assigning him here for clarity.

Changed in libtext-markdown-discount-perl (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in libproc-processtable-perl (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in libhtml-html5-entities-perl (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Changed in discount (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Balint Reczey (rbalint)
description: updated
Matthias Klose (doko) wrote :

looks ok for the perl packages.

for discount, please

 - add the missing copyright holder(s) (required)

 - forward the Ubuntu delta to Debian (recommended).

Assigning the security team for a review for discount.

Changed in discount (Ubuntu):
assignee: Matthias Klose (doko) → Ubuntu Security Team (ubuntu-security)
Changed in libhtml-html5-entities-perl (Ubuntu):
status: New → In Progress
Changed in libproc-processtable-perl (Ubuntu):
status: New → In Progress
Changed in libtext-markdown-discount-perl (Ubuntu):
status: New → In Progress
Balint Reczey (rbalint) wrote :

@doko, thanks for the review.

I've forwarded the delta by pushing it to the packaging repo on Salsa but the package is not team maintained and I don't think that NMU-ing it just with that fix would be reasonable.

I've taken a look again at d/copyrights and checked the source with decopy and grep, also looking at some of the files but I haven't found copyright holders that were missed. Could you please give some more hint on what is missing?

Matthias Klose (doko) wrote :

my bad, clarified on irc, the copyright is complete

Matthias Klose (doko)
Changed in libhtml-html5-entities-perl (Ubuntu):
status: In Progress → Fix Released
Changed in libproc-processtable-perl (Ubuntu):
status: In Progress → Fix Released
Leonidas S. Barbosa (leosilvab) wrote :

I reviewed discount 2.2.6-1ubuntu1 as checked into hirsute. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

discount is an implementation of John Gruber's Markdown markup language.

- CVE History:
  - All CVEs below are open
    CVE-2018-11468 - medium (affects only xenial and bionic)
    CVE-2018-11503 - medium (affects only xenial and bionic)
    CVE-2018-11504 - medium (affects only xenial and bionic)
    CVE-2018-12495 - low (affects only xenial and bionic)

- Build-Depends?
  - libmarkdown2, libmarkdown2-dev
- pre/post inst/rm scripts?
  - there are two .install scripts:
    - libmarkdown2-dev.install does:
      - echo mkdio.h usr/include/$DEB_HOST_MULTIARCH
      - echo libmarkdown.so usr/lib/$DEB_HOST_MULTIARCH
      - echo libmarkdown.pc usr/lib/$DEB_HOST_MULTIARCH/pkgconfig/
    - libmarkdown2.install does:
      - echo libmarkdown.so.* usr/lib/$DEB_HOST_MULTIARCH
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  -rwxr-xr-x root/root 20000 2020-10-10 16:43 ./usr/bin/makepage
  -rwxr-xr-x root/root 24672 2020-10-10 16:43 ./usr/bin/markdown
  -rwxr-xr-x root/root 24160 2020-10-10 16:43 ./usr/bin/mkd2html
  -rwxr-xr-x root/root 32624 2020-10-10 16:43 ./usr/bin/theme
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  - there are tests but I'm not 100% sure they run at build time.
- cron jobs?
  - none
- Build logs:
  None

- Processes spawned?
  - one, but run only if the HAS_GIT flag is set. These are build-utility exec files only.

- Memory management?
  - At first glance, it is ok.
  - it uses some strcpy with some argv/argc, but the memory
    buffers are sized using the argv/argc. In any case, it probably needs further looks
- File IO?
  - Sounds ok
- Logging?
  - Some logs using perror
- Environment variable usage?
  - it uses the MARKDOWN_FLAGS and AMALLOC_STATISTICS env variables. But it does not seem weird.
- Use of privileged functions?
  - None
- Use of cryptography / random number sources etc?
  - None
- Use of temp files?
  - None
- Use of networking?
  - None
- Use of WebKit?
  - None
- Use of PolicyKit?
  - None
- Any significant cppcheck results?
  - lots of Expression errors as in:
sio.c:14:5: error: Expression '((*iot).size++)[((*iot).size<(*iot).alloc)?((*iot).text):((*iot).text=(*iot).text?realloc((*iot).text,sizeof(*iot).text[0]*((*iot).alloc+=100)):malloc(sizeof(*iot).text[0]*((*iot).alloc+=100)))]' depends on order of evaluation of side effects [unknownEvaluationOrder]
    EXPAND(*iot) = c;
- Any significant Coverity results?
  - Some possible NULL dereference in markdown.c 958 as p is passed without being checked.
  - same at markdown.c line 996
- Any significant shellcheck results?
  - not that relevant.
- Any significant bandit results?
  - None

There are a few things that I believe should be addressed first to ACK it, such as re-checking the possible NULL dereferences where they were pointed out.
But in general, from me it's ACK.
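
The cppcheck line quoted in the review above is worth seeing beside a well-sequenced version. The following is an added illustration, not code from discount or from the reviewer: a growable buffer with the same text/size/alloc fields as the flagged expression, appended to in separate statements so that no object is both modified and read in one unsequenced expression, and with the realloc result checked before it replaces the old pointer. The type and function names (Cstring, cstring_push, cstring_append, the demo_* helpers) and the CHUNK constant are our own.

```c
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer with the three fields (text, size, alloc) that the
 * quoted cppcheck message refers to. Illustration only; not discount's code. */
typedef struct {
    char *text;   /* heap buffer, NULL until the first growth */
    int size;     /* bytes in use */
    int alloc;    /* bytes allocated */
} Cstring;

#define CHUNK 100 /* growth step, matching the "+=100" in the quoted expression */

/* Append one byte, with every step sequenced.
 *
 * The flagged expression has the shape
 *     size++[ (size < alloc) ? text : (text = realloc(text, alloc += CHUNK)) ]
 * which increments size while also reading it in the comparison, inside one
 * expression with no sequence point between the two. C11 6.5p2 makes that
 * undefined behaviour, and the compiler may order the two however it likes.
 * Writing the capacity check, the (re)allocation and the increment as
 * separate statements removes the ambiguity; it also lets us refuse to
 * overwrite text with a NULL result from realloc. */
int cstring_push(Cstring *s, char c)
{
    if (s == NULL)
        return -1;
    if (s->size >= s->alloc) {
        int newalloc = s->alloc + CHUNK;
        /* realloc(NULL, n) behaves like malloc(n), so one call covers both cases */
        char *p = realloc(s->text, (size_t)newalloc);
        if (p == NULL)
            return -1;          /* allocation failed; buffer left intact */
        s->text = p;
        s->alloc = newalloc;
    }
    s->text[s->size] = c;
    s->size++;
    return 0;
}

/* Append a NUL-terminated string byte by byte; 0 on success, -1 on failure. */
int cstring_append(Cstring *s, const char *str)
{
    for (; *str != '\0'; str++)
        if (cstring_push(s, *str) != 0)
            return -1;
    return 0;
}

void cstring_free(Cstring *s)
{
    if (s == NULL)
        return;
    free(s->text);
    s->text = NULL;
    s->size = s->alloc = 0;
}

/* Demo helpers: push n bytes into a fresh buffer and report the resulting
 * size or allocation, so growth across a CHUNK boundary can be checked. */
int demo_size_after(int n)
{
    Cstring s = { NULL, 0, 0 };
    int i, out;
    for (i = 0; i < n; i++)
        if (cstring_push(&s, (char)('a' + i % 26)) != 0)
            break;
    out = s.size;
    cstring_free(&s);
    return out;
}

int demo_alloc_after(int n)
{
    Cstring s = { NULL, 0, 0 };
    int i, out;
    for (i = 0; i < n; i++)
        if (cstring_push(&s, 'x') != 0)
            break;
    out = s.alloc;
    cstring_free(&s);
    return out;
}

/* Append a string and report 1 if the stored bytes match it exactly. */
int demo_append_matches(const char *str)
{
    Cstring s = { NULL, 0, 0 };
    int ok;
    if (cstring_append(&s, str) != 0) {
        cstring_free(&s);
        return 0;
    }
    ok = (s.size == (int)strlen(str)) && memcmp(s.text, str, (size_t)s.size) == 0;
    cstring_free(&s);
    return ok;
}
```

The NULL guard at the top of cstring_push is the same kind of check the Coverity note asks for: a pointer parameter is validated once at the entry point rather than assumed non-NULL by every caller.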

Leonidas S. Barbosa (leosilvab) wrote :

For any further check against the Coverity results, check this file.

Matthias Klose (doko) wrote :

filed LP: #1912503 for the discount improvements

Matthias Klose (doko) wrote :

Override component to main
discount 2.2.6-1ubuntu1 in hirsute: universe/text -> main
discount 2.2.6-1ubuntu1 in hirsute amd64: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute arm64: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute armhf: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute i386: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute ppc64el: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute riscv64: universe/text/optional/100% -> main
discount 2.2.6-1ubuntu1 in hirsute s390x: universe/text/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute amd64: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute arm64: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute armhf: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute i386: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute ppc64el: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute riscv64: universe/libs/optional/100% -> main
libmarkdown2 2.2.6-1ubuntu1 in hirsute s390x: universe/libs/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute amd64: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute arm64: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute armhf: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute i386: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute ppc64el: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute riscv64: universe/libdevel/optional/100% -> main
libmarkdown2-dev 2.2.6-1ubuntu1 in hirsute s390x: universe/libdevel/optional/100% -> main
22 publications overridden.

Changed in discount (Ubuntu):
status: New → Fix Released
Matthias Klose (doko) wrote :

Override component to main
libtext-markdown-discount-perl 0.12-1build1 in hirsute: universe/perl -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute amd64: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute arm64: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute armhf: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute i386: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute ppc64el: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute riscv64: universe/perl/optional/100% -> main
libtext-markdown-discount-perl 0.12-1build1 in hirsute s390x: universe/perl/optional/100% -> main
8 publications overridden.

Changed in libtext-markdown-discount-perl (Ubuntu):
status: In Progress → Fix Released
Changed in lintian (Ubuntu):
status: Incomplete → Invalid
Changed in discount (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody