Bug#1067876: dpkg allows installation of malformed .deb packages resulting in corrupt .list file

2024-03-28 Thread Guillem Jover
Hi!

On Thu, 2024-03-28 at 09:54:36 +, Grueninger, Tobias wrote:
> Package: dpkg
> Version: 1.20.12
> Severity: wishlist

> In our case we did install a package from a 3rd party which apparently
> uses a non-conforming .deb package building tool (unknown to us),
> resulting in a malformed data.tar.gz.

> dpkg did allow this package to be completely installed but generated a
> malformed .list file.

Ah, not good, indeed.

> This, as a consequence, prevented later installation of any other package,
> as dpkg's .list file database was broken, resulting in the following
> error message:
> 
>   Selecting previously unselected package .
>   (Reading database ...
>   dpkg: unrecoverable fatal error, aborting:
>    files list file for package 'xxx-config--xxx' contains empty filename
> 
> Analysis of the .deb package showed
> 
>   dpkg -c xxx-config-xxx.deb 
> 1 drwxrwxr-x root/root 0 2023-09-07 08:36 ./
> 2 drwxrwxr-x root/root 0 2023-09-07 08:36 .//
> 3 drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/
> 4 drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/fff/
>   ...
> 
> * The offending malformation is the second line containing './/', which
>   does not conform to the standard, resulting in the following .list file
> 
>   cat -v -t -e ./lib/dpkg/info/xxx-config-xxx.list
> 1 /.$
> 2 /$
> 3 /ddd$
> 4 /ddd/fff$
>   ...
> 
> * The '/$' breaks the .list file parsing when later installing other
>   .deb packages
> 
> Clearly the root cause is the use of malformed 3rd-party .deb package
> tooling; nevertheless, my wish for improvement would be the following:
> 
> 1. As dpkg parses all existing .list files during installation of
>    a .deb package and understands if one of them is malformed, it shall
>    do this also for the newly generated .deb package .list file.
> 2. If the newly generated .deb package .list file fails the check,
>    installation shall be aborted and rolled back.

Thank you for the detailed and very helpful report!

I've prepared a couple of changes to catch these conditions, will check
whether there are more things that should be verified, and add some
test cases for these. Will queue these in git main and probably mark
them as stable candidates.

Thanks,
Guillem



Bug#1067876: dpkg allows installation of malformed .deb packages resulting in corrupt .list file

2024-03-28 Thread Grueninger, Tobias
Package: dpkg
Version: 1.20.12
Severity: wishlist

We had a similar issue as reported in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=47839 and researched what
caused the malformed .list package.

In our case we did install a package from a 3rd party which apparently uses a
non-conforming .deb package building tool (unknown to us), resulting in a
malformed data.tar.gz.
dpkg did allow this package to be completely installed but generated a
malformed .list file.
This, as a consequence, prevented later installation of any other package, as
dpkg's .list file database was broken, resulting in the following error message:

Selecting previously unselected package .
(Reading database ...
dpkg: unrecoverable fatal error, aborting:
 files list file for package 'xxx-config--xxx' contains empty filename

Analysis of the .deb package showed

dpkg -c xxx-config-xxx.deb 
1   drwxrwxr-x root/root 0 2023-09-07 08:36 ./
2   drwxrwxr-x root/root 0 2023-09-07 08:36 .//
3   drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/
4   drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/fff/
...

* The offending malformation is the second line containing './/', which does
not conform to the standard, resulting in the following .list file

cat -v -t -e ./lib/dpkg/info/xxx-config-xxx.list
1   /.$
2   /$
3   /ddd$
4   /ddd/fff$
...

* The '/$' breaks the .list file parsing when later installing other .deb
packages

Clearly the root cause is the use of malformed 3rd-party .deb package tooling;
nevertheless, my wish for improvement would be the following:

1. As dpkg parses all existing .list files during installation of a .deb
package and understands if one of them is malformed, it shall do this also for
the newly generated .deb package .list file.
2. If the newly generated .deb package .list file fails the check,
installation shall be aborted and rolled back.

I am using
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

With best regards,
Tobias
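As an added illustration of the two checks this report asks for (not dpkg's own code, and not part of either message in the thread), the script below validates data.tar member names before installation and .list entries after installation. The rules it enforces are an assumed policy for this example rather than quotes from dpkg's source: every member must be relative to './', no path component may be empty (which is exactly what './/' produces), and a .list entry with nothing after its leading slash is the "empty filename" that the error message in the report complains about. The sample inputs are constructed from the `dpkg -c` and `cat -v -t -e` output shown in the report.

```python
#!/usr/bin/env python3
"""Added example, not dpkg's own code: pre-install and post-install sanity
checks that would catch the malformed data.tar member names and the corrupt
.list entries described in this bug report."""

# Constructed sample input: member names as printed by `dpkg -c` in the report.
SAMPLE_MEMBERS = ["./", ".//", ".//ddd/", ".//ddd/fff/"]

# Constructed sample input: the .list file dpkg wrote for that package.
SAMPLE_LIST_LINES = ["/.", "/", "/ddd", "/ddd/fff"]


def check_member_path(name):
    """Return None if a data.tar member path is acceptable, else a reason.

    Assumed policy for this example (not quoted from dpkg): every member is
    relative to './', no component may be empty and none may be '..'.
    """
    if not name.startswith("./"):
        return "member path is not relative to './'"
    comps = name[2:].split("/")
    if comps[-1] == "":          # a trailing '/' only marks a directory
        comps.pop()
    if not comps:                # './' itself: the root directory entry
        return None
    for comp in comps:
        if comp == "":
            return "empty path component (doubled slash)"
        if comp == "..":
            return "'..' component escapes the package root"
    return None


def check_list_entry(line):
    """Return None if a .list entry is acceptable, else a reason.

    Entries are absolute paths and '/.' is the root directory entry. An entry
    with nothing after the leading slash is an empty filename, which is the
    condition the error message in the report reports.
    """
    if not line.startswith("/"):
        return "entry is not an absolute path"
    if line == "/.":
        return None
    rest = line[1:]
    if rest == "":
        return "empty filename"
    if rest.endswith("/"):
        return "trailing slash on .list entry"
    for comp in rest.split("/"):
        if comp == "":
            return "empty path component (doubled slash)"
        if comp == "..":
            return "'..' component"
    return None


def validate_members(names):
    """Return [(name, reason)] for every offending data.tar member."""
    problems = []
    for name in names:
        reason = check_member_path(name)
        if reason is not None:
            problems.append((name, reason))
    return problems


def validate_list_lines(lines):
    """Return [(lineno, entry, reason)] for every offending .list entry."""
    problems = []
    for lineno, line in enumerate(lines, start=1):
        reason = check_list_entry(line)
        if reason is not None:
            problems.append((lineno, line, reason))
    return problems


if __name__ == "__main__":
    # Run both checks over the constructed samples from the report.
    for name, reason in validate_members(SAMPLE_MEMBERS):
        print(f"data.tar member {name!r}: {reason}")
    for lineno, line, reason in validate_list_lines(SAMPLE_LIST_LINES):
        print(f".list line {lineno} {line!r}: {reason}")
```

On the sample input the member check flags `.//`, `.//ddd/` and `.//ddd/fff/`, and the .list check flags line 2 (`/`) as an empty filename, which is the entry that later broke every other installation. To run it against a real package before installing, feed it the names from `dpkg-deb --fsys-tarfile pkg.deb | tar -t` instead of `SAMPLE_MEMBERS`, and point the second check at the package's file under `/var/lib/dpkg/info/` after installation.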