Hello,

I observe a Unicode check failure in the fedora-ci.koji-build.rpminspect.static-analysis test on the perl-Prima-1.70-1.fc40 package in Fedora CI <https://bodhi.fedoraproject.org/updates/FEDORA-2023-54d3e14b6e>:

    A forbidden code point, 0x202D, was found in the Prima-1.70/Prima/Drawable/Glyphs.pm source file on line 999 at column 3. This source file is used by perl-Prima.spec.

    Suggested remedy: The rpminspect configuration file contains a list of forbidden Unicode code points. One was found in the extracted and patched source tree or in one of the text source files in the source RPM. Either remove this code point or discuss the situation with the Product Security Team to determine the correct course of action.

This is an excerpt from the Glyphs.pm file:

     995 =for latex-makedoc cut
     996
     997 use Prima;
     998 $::application-> begin_paint;
     999 $::application-> text_shape_out('אפס123', 0,0);
    1000
    1001 123ספא
    1002
    1003 =for latex-makedoc cut

As you can see, it's text from documentation in POD format. The documentation is interleaved with Perl code. I classify the test finding as a false positive because the Fedora rpminspect policy excludes documentation files. Though rpminspect cannot split documentation from code in a single file.

I tried to disable the unicode check with a local rpminspect.yaml file, but rpminspect insists on security checks not being overridden by a package:

    $ rpminspect -c /usr/share/rpminspect/fedora.yaml -T unicode perl-Prima-1.70-1.fc40.src.rpm
    rpminspect: *** ignoring 'unicode' section in /tmp/rpminspect.yaml; only allowed in system-wide configuration

My questions:

Do you agree it's a false positive?

Can you sanction amending the Fedora rpminspect policy with:

    unicode:
        ignore:
            # 0x202D character used on purpose to demonstrate RLE in
            # a documentation.
            - Prima-*/Prima/Drawable/Glyphs.pm

-- 
Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to security-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/security@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
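Added example, not part of Petr's mail or of rpminspect itself: a small Python scanner that reports forbidden bidi control code points in a Perl file and records whether each hit falls inside a POD block, which is the documentation/code distinction the mail says rpminspect cannot make within one file. The code point set, the simplified =command/=cut POD rule and the sample file are constructed assumptions; the mail itself names only 0x202D.

```python
"""Scan Perl source for forbidden Unicode bidi controls and classify each
hit as POD documentation or code. Added example; not rpminspect's code."""
import re
import unicodedata

# Assumed forbidden set: the explicit bidi embedding/override/isolate
# controls. The mail only names 0x202D (RIGHT-TO-LEFT OVERRIDE).
FORBIDDEN = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
             0x2066, 0x2067, 0x2068, 0x2069}

# Simplified POD rule (assumption): a command paragraph ("=head1", "=for",
# ...) at column 1 opens documentation, "=cut" closes it; =cut itself is POD.
POD_START = re.compile(r"^=(?!cut\b)[A-Za-z]\w*")
POD_END = re.compile(r"^=cut\b")


def scan_perl_source(text):
    """Return (line, column, code_point, region) tuples, 1-based, in file
    order; region is 'pod' or 'code'."""
    hits, in_pod = [], False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not in_pod and POD_START.match(line):
            in_pod = True
        region = "pod" if in_pod else "code"
        if in_pod and POD_END.match(line):
            in_pod = False
        for col, ch in enumerate(line, start=1):  # str iterates code points
            if ord(ch) in FORBIDDEN:
                hits.append((line_no, col, ord(ch), region))
    return hits


def code_hits(text):
    """Only the hits outside documentation, i.e. the ones a policy that
    excludes documentation would still have to act on."""
    return [h for h in scan_perl_source(text) if h[3] == "code"]


# Constructed sample shaped like the Glyphs.pm excerpt: an RLO inside a POD
# verbatim paragraph, and the same code point inside a real string literal.
SAMPLE = (
    "package Demo;\nuse strict;\n\n=head1 EXAMPLE\n\n=for latex-makedoc cut\n\n"
    "  $::application-> text_shape_out('\u202d\u05d0\u05e4\u05e1123', 0,0);\n\n"
    "=cut\n\nmy $s = 'abc\u202ddef';\n1;\n"
)

if __name__ == "__main__":
    for line_no, col, cp, region in scan_perl_source(SAMPLE):
        print(f"line {line_no} col {col}: U+{cp:04X} "
              f"{unicodedata.name(chr(cp))} in {region}")
```

Run on the sample, the POD hit (line 8) is the documentation case from the mail and the code hit (line 12) is what the unicode inspection exists to catch; only the latter is returned by code_hits.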