Your message dated Mon, 18 Apr 2016 13:07:28 +0000
with message-id <[email protected]>
and subject line Bug#792177: fixed in json-c 0.12-1
has caused the Debian Bug report #792177,
regarding libjson0-dev: causes creation of unowned 
/usr/lib/<triplet>/libjson-c.so.2 -> libjson-c.so symlink
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
792177: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792177
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libjson-c-dev
Version: 0.11-4
Severity: serious
Tags: patch
User: [email protected]
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package causes creation of
unowned symlinks (via ldconfig) in /usr/lib/<triplet>:

0m31.3s DEBUG: Starting command: ['chroot', '/tmp/piupartss/tmpZYURWg', 'tmp/scripts/pre_remove_40_find_unowned_lib_links']
0m33.9s DUMP: 
  UNOWNED SYMLINK /usr/lib/x86_64-linux-gnu/libjson-c.so.2 -> libjson.so

Policy 8.1 says:

    The run-time library package should include the symbolic link for
    the SONAME that ldconfig would create for the shared libraries. For
    example, the libgdbm3 package should include a symbolic link from
    /usr/lib/libgdbm.so.3 to libgdbm.so.3.0.0. This is needed so that
    the dynamic linker (for example ld.so or ld-linux.so.*) can find the
    library between the time that dpkg installs it and the time that
    ldconfig is run in the postinst script.

So your package is a bit special here since it is a -dev package and
affected by having the library in /lib, but the .so link in /usr/lib.

ldconfig is not triggered by libjson-c-dev installation/removal, so the
symlink will show up/disappear once something else triggered ldconfig,
leaving a potentially very long time window where
/usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev
removal.

Patch attached.

It's probably ok to ask for a jessie-ignore tag unless you can show that
this dangling link causes an actual problem.


Andreas
From 646a7884059bfe2c973b0bca371a9bbf7ac76d29 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <[email protected]>
Date: Sat, 11 Jul 2015 14:02:31 +0200
Subject: [PATCH] libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink

otherwise this would be an unowned link created/removed by ldconfig

ldconfig is not triggered by libjson-c-dev installation/removal, so the
symlink will show up/disappear once something else triggered ldconfig,
leaving a potentially very long time window where
/usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev
removal
---
 debian/changelog             | 10 +++++++++-
 debian/libjson-c-dev.install |  2 +-
 debian/libjson-c-dev.links   |  3 +++
 debian/rules                 |  7 +++----
 4 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100755 debian/libjson-c-dev.links

diff --git a/debian/changelog b/debian/changelog
index 3970061..8e33404 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,14 @@
+json-c (0.11-5) UNRELEASED; urgency=medium
+
+  * libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink that would
+    otherwise become a dangling link (initially created by ldconfig) after
+    package removal.  (Closes: #xxxxxx)
+
+ -- Andreas Beckmann <[email protected]>  Sat, 11 Jul 2015 13:50:43 +0200
+
 json-c (0.11-4) unstable; urgency=low
 
-  * Add upstream patch to fix two security vulnerabilitiesa (Closes: #744008)
+  * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
     + [CVE-2013-6371]: hash collision denial of service
     + [CVE-2013-6370]: buffer overflow if size_t is larger than int
 
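Review bot: The new 0.11-5 entry still carries the placeholder "(Closes: #xxxxxx)", which will not close anything on upload; it should name the report this patch is attached to, #792177. The same hunk also corrects the typo "vulnerabilitiesa" in the already released 0.11-4 entry, which is an unrelated change and would be cleaner as its own commit.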
diff --git a/debian/libjson-c-dev.install b/debian/libjson-c-dev.install
index 3d52de9..f7531b3 100644
--- a/debian/libjson-c-dev.install
+++ b/debian/libjson-c-dev.install
@@ -1,5 +1,5 @@
 usr/lib/*/libjson-c.a
-usr/lib/*/libjson-c.so
+#usr/lib/*/libjson-c.so
 usr/include/json-c/*
 usr/lib/*/pkgconfig/json-c.pc
 json_object_iterator.h /usr/include/json-c/
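Review bot: In debian/libjson-c-dev.install the "usr/lib/*/libjson-c.so" entry is commented out rather than deleted, which leaves a dead line with no hint of why it is disabled. Delete it, or turn it into a comment stating that the link is now created by debian/libjson-c-dev.links.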
diff --git a/debian/libjson-c-dev.links b/debian/libjson-c-dev.links
new file mode 100755
index 0000000..c909a2f
--- /dev/null
+++ b/debian/libjson-c-dev.links
@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2
+/usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so
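Review bot: debian/libjson-c-dev.links is an executable dh-exec script ("#!/usr/bin/dh-exec", mode 100755), but the diffstat lists only four files and debian/control is not among them, so nothing in this patch ensures that dh-exec is in Build-Depends. If it is not already there, the file cannot be executed at build time and ${DEB_HOST_MULTIARCH} is never expanded; confirm the build dependency exists or add it in the same change.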
diff --git a/debian/rules b/debian/rules
index 34dde57..ce3233f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,10 +20,9 @@ override_dh_auto_clean:
 override_dh_auto_install:
 	dh_auto_install
 
-	# we install libjson-c into /lib, so fix the link
-	T=$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so); \
-	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so; \
-	ln -s /lib/$(DEB_HOST_MULTIARCH)/$$(basename $$T) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so
+	# we install libjson-c into /lib, so fix the link in a way understood by ldconfig
+	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so
+	# new links are created by libjson-c-dev.links
 
 	# add thin symlink compatibility layer for json.so
 	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson.*
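Review bot: The removed lines derived the link target with readlink, so the link followed whatever SONAME upstream installed; after this hunk the target is fixed by hand as libjson-c.so.2 in debian/libjson-c-dev.links, and a SONAME bump would ship a link to a file that no longer exists without any build error. Either keep deriving the name here, or add a note next to the rm that the .links file must be updated together with the SONAME. The new comment "fix the link in a way understood by ldconfig" also no longer matches the code beneath it, which only removes the link.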
-- 
2.1.4


--- End Message ---
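
The check behind the report above, as an added example (not piuparts' own script and not part of the original message): it lists library symlinks that no package owns and marks the ones that no longer resolve. The function names, the `OWNED_LIST` override and the `libexample` fixture are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not piuparts' own script: report library symlinks that no
# package owns, and whether each one still resolves.

is_owned() {
    # $1 = absolute path. OWNED_LIST (an assumption of this example) names a
    # file with one owned path per line; without it, dpkg is asked instead.
    if [ -n "${OWNED_LIST:-}" ]; then
        grep -Fxq -- "$1" "$OWNED_LIST"
    else
        dpkg -S "$1" >/dev/null 2>&1
    fi
}

find_unowned_lib_links() {
    # $1 = library directory to scan, $2 = chroot prefix to strip (may be empty)
    dir=$1
    root=${2:-}
    for link in "$dir"/*.so*; do
        [ -L "$link" ] || continue
        path=${link#"$root"}
        if is_owned "$path"; then continue; fi
        if [ -e "$link" ]; then state=UNOWNED; else state=DANGLING; fi
        printf '%s SYMLINK %s -> %s\n' "$state" "$path" "$(readlink "$link")"
    done
}

demo() {
    # Constructed fixture: library in /lib, .so link in /usr/lib (owned by -dev),
    # and the SONAME link next to it that only ldconfig created.
    t=$(mktemp -d)
    d=$t/usr/lib/x86_64-linux-gnu
    mkdir -p "$d" "$t/lib/x86_64-linux-gnu"
    : > "$t/lib/x86_64-linux-gnu/libexample.so.2.0.1"
    ln -s ../../../lib/x86_64-linux-gnu/libexample.so.2.0.1 "$d/libexample.so"
    ln -s libexample.so "$d/libexample.so.2"
    printf '%s\n' /usr/lib/x86_64-linux-gnu/libexample.so > "$t/owned"
    OWNED_LIST=$t/owned
    find_unowned_lib_links "$d" "$t"   # -dev package installed
    rm "$d/libexample.so"              # -dev package removed, ldconfig not run
    find_unowned_lib_links "$d" "$t"
    unset OWNED_LIST
    rm -rf "$t"
}

if [ "$#" -gt 0 ]; then find_unowned_lib_links "$@"; fi
```

Run against a real directory, for example `sh script.sh /usr/lib/x86_64-linux-gnu`, it falls back to `dpkg -S` for the ownership check.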
--- Begin Message ---
Source: json-c
Source-Version: 0.12-1

We believe that the bug you reported is fixed in the latest version of
json-c, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[email protected]> (supplier of updated json-c package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Apr 2014 10:53:37 +0200
Source: json-c
Binary: libjson-c3 libjson-c-dev libjson-c-doc
Architecture: source amd64 all
Version: 0.12-1
Distribution: experimental
Urgency: medium
Maintainer: fabien boucher <[email protected]>
Changed-By: Ondřej Surý <[email protected]>
Description:
 libjson-c-dev - JSON manipulation library - development files
 libjson-c-doc - JSON manipulation library - documentation files
 libjson-c3 - JSON manipulation library - shared library
Closes: 792177
Changes:
 json-c (0.12-1) experimental; urgency=medium
 .
   [ Andreas Beckmann ]
   * libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink that would
     otherwise become a dangling link (initially created by ldconfig) after
     package removal.  (Closes: #792177)
 .
   [ Ondřej Surý ]
   * New upstream version 0.12
     + [CVE-2013-6371]: hash collision denial of service
     + [CVE-2013-6370]: buffer overflow if size_t is larger than int
   * Remove all upstream-merged patches
   * Add patch to fix variable set but not used
     [-Werror=unused-but-set-variable]
   * Update libjson-c2 symbols file
     + The new upstream release misses two symbols, upload to experimental
       first if it poses any real problem or not.
   * Migrate to automatic dbgsym
   * Add autotools-dev dh addon
   * Bump standards to 3.9.7 (no change)
   * Bump SOVERSION as interfaces has been removed from 0.12 release
   * Library transition from libjson-c2 to libjson-c3 as interfaces has
     been removed

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---
