
Bug#908237: libnumbertext-tools: "spellout" is not in $PATH and looks for data in the wrong places



Package: libnumbertext-tools
Version: 1.0-2
Severity: normal

$ dpkg -L libnumbertext-tools
[...]
/usr/lib/libnumbertext/spellout

The tool is meant to be invoked by the end user, but is not
located in a directory in $PATH. I would expect it to go in
/usr/bin (and have a corresponding man page in
/usr/share/man/man1).

Also:

$ /usr/lib/libnumbertext/spellout -l en 101
spellout: missing language module

Using "strace", we see:

$ strace -e file /usr/lib/libnumbertext/spellout -l en 101
[...]
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/numbertext/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/numbertext/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)

It looks first in "en.sor" in the current directory, which is a
security vulnerability (for instance when run in /tmp where some
attacker could have planted a malicious "en.sor" file).

And then in "/usr/share/numbertext" while "libnumbertext-data"
installs those files in "/usr/share/libnumbertext" instead.

A workaround is to run:

$ /usr/lib/libnumbertext/spellout -l /usr/share/libnumbertext/en 101
one hundred one

Though it doesn't work for en-GB for which you'd need:

$ (cd /usr/share/libnumbertext && /usr/lib/libnumbertext/spellout -l en-GB 101)
one hundred and one

(but again looking in the current directory is a bad idea, so I'd expect that
one to stop working in a future version).

$ /usr/lib/libnumbertext/spellout -l /usr/share/libnumbertext/en-GB 101
one hundred one

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnumbertext-tools depends on:
ii  libc6                2.27-5
ii  libgcc1              1:8.2.0-4
ii  libnumbertext-1.0-0  1.0-2
ii  libstdc++6           8.2.0-4

libnumbertext-tools recommends no packages.

libnumbertext-tools suggests no packages.

-- debconf-show failed
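
The strace check used in the report can be automated when auditing a tool for current-directory file lookups. The following is an added example, not part of the original report or of libnumbertext: it parses `strace -e file` output and lists each relative path that was resolved against the working directory. The function name and the two sample lines marked as constructed are assumptions.

```python
import re

# The first four lines are strace output quoted in the report; the last two
# are constructed to show cases that must not be flagged.
SAMPLE = """\
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/numbertext/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(3, "constructed.txt", O_RDONLY) = 4
"""

# Matches open("path", ...) and openat(dirfd, "path", ...) with the result.
CALL_RE = re.compile(
    r'\b(?P<call>open|openat)\('
    r'(?:(?P<dirfd>AT_FDCWD|-?\d+)(?:<[^>]*>)?,\s*)?'
    r'"(?P<path>(?:[^"\\]|\\.)*)"'
    r'.*?\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+))?'
)


def cwd_relative_probes(trace):
    """Return [(path, outcome, count)] for opens resolved against the CWD.

    outcome is the errno name for a failed call, or "opened" on success.
    """
    hits = {}
    for line in trace.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue  # "[...]" markers, other syscalls, signal lines
        path = m["path"]
        if path.startswith("/"):
            continue  # absolute path: the working directory is not involved
        if m["call"] == "openat" and m["dirfd"] != "AT_FDCWD":
            continue  # relative to an explicit directory fd, not the CWD
        outcome = m["errno"] if int(m["ret"]) < 0 else "opened"
        key = (path, outcome)
        hits[key] = hits.get(key, 0) + 1  # dicts keep first-seen order
    return [(p, o, n) for (p, o), n in hits.items()]


if __name__ == "__main__":
    for path, outcome, count in cwd_relative_probes(SAMPLE):
        print(f"{count}x {path!r}: {outcome}")
```

An `ENOENT` outcome marks a name that a file in the working directory would satisfy; `opened` means such a file was actually loaded.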

