On Wed, 6 Sep 2023 12:26:44 +0200 Petr Pisar wrote:
> Hello,
>
> I observed a Unicode check failure in the fedora-ci.koji-build.rpminspect.static-analysis test on
> the perl-Prima-1.70-1.fc40 package in Fedora CI
> <https://bodhi.fedoraproject.org/updates/FEDORA-2023-54d3e14b6e>:
>
>   A forbidden code point, 0x202D, was found in the
>   Prima-1.70/Prima/Drawable/Glyphs.pm source file on line 999 at column 3.
>   This source file is used by perl-Prima.spec.
>
>   Suggested remedy:
>
>   The rpminspect configuration file contains a list of forbidden Unicode
>   code points. One was found in the extracted and patched source tree or in
>   one of the text source files in the source RPM. Either remove this code
>   point or discuss the situation with the Product Security Team to determine
>   the correct course of action.
>
> This is an excerpt from the Glyphs.pm file:
>
>    995 =for latex-makedoc cut
>    996
>    997 use Prima;
>    998 $::application-> begin_paint;
>    999 $::application-> text_shape_out('אפס123', 0,0);
>   1000
>   1001 123ספא
>   1002
>   1003 =for latex-makedoc cut
>
> As you can see, it's text from documentation in POD format. The
> documentation is interleaved with Perl code.
>
> I classify the test finding as a false positive because the Fedora rpminspect policy
> excludes documentation files. Though rpminspect cannot split documentation
> from code in a single file.
>
> I tried to disable the unicode check with a local rpminspect.yaml file, but
> rpminspect insists on security checks not being overridden by a package:
>
>   $ rpminspect -c /usr/share/rpminspect/fedora.yaml -T unicode perl-Prima-1.70-1.fc40.src.rpm
>   rpminspect: *** ignoring 'unicode' section in /tmp/rpminspect.yaml; only allowed in system-wide configuration
>
> My questions:
>
> Do you agree it's a false positive?
> Can you sanction amending the Fedora rpminspect policy with:
>
>   unicode:
>     ignore:
>       # 0x202D character used on purpose to demonstrate RLE in
>       # documentation.
>       - Prima-*/Prima/Drawable/Glyphs.pm

Cases like this are handled by adding suppression rules defined in the security
directory of the rpminspect-data package:

https://github.com/rpminspect/rpminspect-data-fedora/tree/main/security

You can find a few rules for the unicode inspection there. Open a PR to add
new entries.

-- 
Tomas Hoger / Red Hat Product Security

_______________________________________________
security mailing list -- security@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to security-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/security@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
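The check the thread is about is a scan for Unicode bidirectional control characters (0x202D is U+202D LEFT-TO-RIGHT OVERRIDE), the code points used in "Trojan Source" attacks, where an invisible character makes an editor or diff viewer render the rest of a line in a different order than the compiler reads it. The following is an added example written for this page, not rpminspect's own code (rpminspect is written in C, and the format of the rules kept in rpminspect-data-fedora is not reproduced here) and not code from either message. It scans a file for that class of code point, reports 1-based line and column, flags whether a hit lies in a POD block (something the thread notes rpminspect itself does not separate from code), and applies per-file path-glob suppressions of the kind the reply points to. The function names, the `(glob, reason)` suppression format and both sample inputs are assumptions; the samples are constructed, the first one modelled on the Glyphs.pm excerpt above.

```python
"""Scan source text for Unicode bidi control characters and apply per-file
suppressions. Added example, not rpminspect's code; names and formats are
assumptions for illustration."""
from fnmatch import fnmatch

# Unicode bidirectional embedding, override and isolate controls. They are
# invisible yet change the display order of the characters after them, which
# is why an rpminspect-style check forbids them in source trees.
BIDI_CONTROLS = {
    0x202A: "LEFT-TO-RIGHT EMBEDDING",
    0x202B: "RIGHT-TO-LEFT EMBEDDING",
    0x202C: "POP DIRECTIONAL FORMATTING",
    0x202D: "LEFT-TO-RIGHT OVERRIDE",
    0x202E: "RIGHT-TO-LEFT OVERRIDE",
    0x2066: "LEFT-TO-RIGHT ISOLATE",
    0x2067: "RIGHT-TO-LEFT ISOLATE",
    0x2068: "FIRST STRONG ISOLATE",
    0x2069: "POP DIRECTIONAL ISOLATE",
}


def find_bidi_controls(text):
    """Return one (line, column, codepoint, name, in_pod) tuple per hit.

    Line and column are 1-based; the column counts code points, not bytes.
    in_pod tracks Perl's POD rule: a line starting with '=' plus a letter opens
    documentation, a line starting with '=cut' closes it. Lines are split on
    '\\n' only, so U+2028 and friends cannot shift the line numbers reported.
    """
    hits = []
    in_pod = False
    for lineno, line in enumerate(text.split("\n"), start=1):
        directive = len(line) > 1 and line[0] == "=" and line[1].isalpha()
        if directive and not line.startswith("=cut"):
            in_pod = True
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                hits.append((lineno, col, cp, BIDI_CONTROLS[cp], in_pod))
        if directive and line.startswith("=cut"):
            in_pod = False  # the =cut line itself still belongs to the POD block
    return hits


def apply_suppressions(path, hits, suppressions):
    """Split hits into (active, suppressed) using (glob, reason) rules.

    This tuple format is an assumption standing in for the per-file rules kept
    in rpminspect-data-fedora. Note that fnmatch's '*' also matches '/', so a
    pattern like 'Prima-*/Prima/Drawable/Glyphs.pm' matches any versioned tree.
    """
    active, suppressed = [], []
    for hit in hits:
        reason = next((r for g, r in suppressions if fnmatch(path, g)), None)
        if reason:
            suppressed.append((hit, reason))
        else:
            active.append(hit)
    return active, suppressed


def inspect_file(path, text, suppressions=()):
    """Verdict for one file. A hit inside POD is still a finding unless a rule
    covers it: the scanner cannot know the override is intentional, and a
    reviewer should record that decision where others can see it."""
    active, suppressed = apply_suppressions(path, find_bidi_controls(text), suppressions)
    return {"path": path, "active": active, "suppressed": suppressed, "fail": bool(active)}


# Constructed sample modelled on the Glyphs.pm excerpt: a verbatim code sample
# inside POD whose string literal begins with U+202D.
SAMPLE_GLYPHS_PM = (
    "=head1 Shaping example\n"
    "\n"
    "=for latex-makedoc cut\n"
    "\n"
    "  use Prima;\n"
    "  $::application-> begin_paint;\n"
    "  $::application-> text_shape_out('\u202d\u05d0\u05e4\u05e1123', 0,0);\n"
    "\n"
    "=cut\n"
    "\n"
    "use Prima;\n"
)

# Constructed sample of the case the check exists for: an RLO in a comment that
# makes an editor display the rest of the line reversed, hiding a brace.
SAMPLE_TROJAN_PL = (
    "use strict;\n"
    "my $level = 'user';\n"
    "# \u202e } if ($level eq 'admin') {\n"
)

SUPPRESSIONS = [
    ("Prima-*/Prima/Drawable/Glyphs.pm",
     "0x202D used on purpose in a POD example of bidi text shaping"),
]

if __name__ == "__main__":
    for path, text in (("Prima-1.70/Prima/Drawable/Glyphs.pm", SAMPLE_GLYPHS_PM),
                       ("example-0.1/lib/auth.pl", SAMPLE_TROJAN_PL)):
        v = inspect_file(path, text, SUPPRESSIONS)
        for line, col, cp, name, in_pod in v["active"]:
            print(f"{path}:{line}:{col}: forbidden U+{cp:04X} {name}"
                  f"{' (inside POD)' if in_pod else ''}")
        for (line, col, cp, name, in_pod), reason in v["suppressed"]:
            print(f"{path}:{line}:{col}: U+{cp:04X} suppressed: {reason}")
        print("verdict:", "FAIL" if v["fail"] else "OK")
```

Run as a script, the Glyphs.pm sample is reported but suppressed by the rule and passes, while the second sample fails on the U+202E in its comment. Without the rule the first sample fails too, which is the situation the thread describes: the per-package configuration cannot waive the check, so the decision has to be recorded centrally.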