Debian Bug report logs - #898822
Detect data encoded/embedded in HTML "Data" URI schemes


Package: lintian; Maintainer for lintian is Debian Lintian Maintainers <[email protected]>; Source for lintian is src:lintian (PTS, buildd, popcon).

Reported by: Bastien ROUCARIES <[email protected]>

Date: Wed, 16 May 2018 09:27:02 UTC

Severity: wishlist

Tags: moreinfo

Found in version lintian/2.5.86


Subject: Bug#898822: [RFC] Detect data embeded image in html like file
From: Bastien ROUCARIES <[email protected]>
Date: Wed, 16 May 2018 16:00:37 +0200
Message-ID: <CAE2SPAYz8khz5LcFG0qZ6dSTbEs_QQPHf1cMLji6fdnV+MaW3g@mail.gmail.com>
To: Chris Lamb <[email protected]>
Cc: [email protected]
On Wed, May 16, 2018 at 11:33 AM, Chris Lamb <[email protected]> wrote:
> retitle 898822 Detect data encoded/embedded in HTML "Data" URI schemes
> severity 898822 wishlist
> tags 898822 + moreinfo
> thanks
>
> Hi Bastien,
>
> [..]
>
> I think some concrete examples here would be useful in triaging/
> prioritising this, as well as working out whether it is feasible or
> sensible :)
Code search with request
(https://codesearch.debian.net/search?q=src%3D%22data%3A&page=1&perpkg=1)
gives 75 packages affected:
asciidoctor
cacti
chemical-structures
chromium-browser
ckeditor
classified-ads
diffoscope
edbrowse
firefox
firefox-esr
fontforge
fossil
gitinspector
golang-github-microcosm-cc-bluemonday
html5lib
icingaweb2
ikiwiki
ipython
jmol
julia
kmplayer
kopano-webapp
landslide
libcgi-application-plugin-dbiprofile-perl
libxml-atom-fromowl-perl
libxml-atom-owl-perl
lua-apr
matplotlib
mayavi2
mediawiki
nbconvert
node-normalize.css
notmuch
oca-core
openlp
opennebula
openscad
pandoc
php-doctrine-bundle
php-getid3
php-kdyby-events
phpmyadmin
python-cartopy
python-darkslide
python-mne
python-pweave
python-pydub
python-pyqrcode
python-qtconsole
qtwebengine-opensource-src
rails
rapid-photo-downloader
r-cran-knitr
r-cran-repr
r-cran-rmarkdown
rdkit
request-tracker4
roundcube
rss-bridge
rubocop
sagemath
sass-spec
simplesamlphp
spip
sympa
thunderbird
trac
turbogears2-doc
veusz
virtuoso-opensource
vistrails
woo
xhtml2pdf
yt
zotero-standalone-build

Some are clearly abuse, see:
1. https://sources.debian.org/src/chemical-structures/2.2.dfsg.0-12/debian/patches/privacy.patch/?hl=10#L10
(renders the package undistributable: one of the SourceForge logos)
2. https://codesearch.debian.net/show?file=lua-apr_0.23.2.dfsg-4%2Fsrc%2Fbase64.c&line=33
(FTBFS, not the preferred modification source)
3. https://sources.debian.org/src/rubocop/0.52.1+dfsg-1/debian/patches/04-adjust-tests-due-to-rubocop-logo-removal-from-package.diff/?hl=25#L25
(remove logo as file, not as included base64 => RC undistributable)
4. https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/debian/patches/2003_avoid_privacy_breach.patch/?hl=59#L59
Borderline: could use the same trick that I have done in
libjs-normalize.css to generate the image with JS (not preferred source
of modification)

I have not checked all the packages.

Another risk is to carry forbidden images like porn or things like this
in this stuff. I prefer lintian to signal pedantically in order to
manually check acceptance.

Better safe than sorry

Bastien


>
> Best wishes,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      [email protected] / chris-lamb.co.uk
>        `-
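As an added illustration of the kind of check the report asks for (example code written for this page, not lintian's own check and not from the bug thread), the Python scanner below finds `data:` URIs in HTML-like text, decodes them per RFC 2397, and reports payloads large enough to be embedded images so a maintainer can review them by hand. The regex, the `min_bytes` threshold and the sample HTML are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Attribute values and CSS url() holding data: URIs (assumed pattern, not lintian's own).
DATA_URI_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']\s*(data:[^"']*)["']|url\(\s*["']?(data:[^"')]*)""",
    re.IGNORECASE,
)
MAGIC = {b"\x89PNG": "png", b"GIF8": "gif", b"\xff\xd8\xff": "jpeg", b"<svg": "svg"}

def parse_data_uri(uri):
    """Split an RFC 2397 data: URI into (mediatype, is_base64, payload bytes); None if malformed."""
    head, sep, payload = uri[5:].partition(",")
    if not sep:
        return None
    params = [p.strip() for p in head.split(";")]
    mediatype = params[0] or "text/plain"
    is_b64 = "base64" in (p.lower() for p in params[1:])
    if not is_b64:
        return mediatype, False, unquote_to_bytes(payload)
    try:
        return mediatype, True, base64.b64decode(re.sub(r"\s+", "", payload), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None

def sniff(data):
    # Best-effort content type from leading bytes, to compare with the declared media type.
    return next((name for magic, name in MAGIC.items() if data.startswith(magic)), "unknown")

def find_embedded_data(text, min_bytes=64):
    """Report every decodable data: URI whose payload is at least min_bytes long."""
    findings = []
    for m in DATA_URI_RE.finditer(text):
        parsed = parse_data_uri(m.group(1) or m.group(2))
        if parsed is None:
            continue
        mediatype, is_b64, data = parsed
        if len(data) >= min_bytes:
            findings.append({"mediatype": mediatype, "base64": is_b64,
                             "bytes": len(data), "sniffed": sniff(data)})
    return findings

# Constructed sample: a fake PNG header padded to 88 bytes, a 16-byte GIF stub and a plain-text URI.
FAKE_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 80).decode()
FAKE_GIF_B64 = base64.b64encode(b"GIF89a" + b"\x00" * 10).decode()
SAMPLE_HTML = f"""<html><body>
<img src="data:image/png;base64,{FAKE_PNG_B64}">
<a href="data:text/plain,small">tiny</a>
<div style="background: url(data:image/gif;base64,{FAKE_GIF_B64})"></div>
</body></html>"""
```

With the default threshold only the padded PNG is reported; `min_bytes=0` lists all three URIs, and a `sniffed` value that disagrees with `mediatype` is a reason to look at the blob by hand.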



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 11:47:06 2025; Machine Name: buxtehude
