Your message dated Wed, 12 Jul 2017 01:48:48 +0000 with message-id <[email protected]> and subject line Bug#608648: fixed in debconf 1.5.63 has caused the Debian Bug report #608648, regarding dpkg-reconfigure should chdir("/") before running maintainer scripts to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
608648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608648
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dput
Version: 0.9.2.35
Severity: normal

There's a (admittedly very small) chance that the Python script in postinst can be intercepted by an unprivileged user on a multiuser system, if the postinst script happens to be executed from a directory where that user has write access. This is because when a script specified with the -c argument of the Python interpreter is run, it will first search for modules in the working directory.

For example, suppose I create the file compileall.py with the following contents in the current working directory:

    def main():
        print "Hello"

Then, invoking "sudo dpkg-reconfigure dput" from the same directory will give the output "Hello". Though perhaps this could be considered a user error, since dpkg is invoked from an "untrusted" directory.

Anyhow, the following patch simply suggests to change to a directory that is known to be safe before invoking the script.

--- a/debian/postinst 2008-09-22 18:01:17.000000000 +0000 +++ b/debian/postinst 2008-10-21 22:05:00.000000000 +0000 
@@ -4,6 +4,7 @@ case "$1" in configure|abort-upgrade|abort-remove|abort-deconfigure) + cd $DIR python -c 'import sys, compileall ; exit_status = int(not compileall.main()); sys.exit(exit_status)' -q $DIR ;; *) 

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages dput depends on:
ii  gnupg           1.4.9-3    GNU privacy guard - a free PGP rep
ii  python          2.5.2-2    An interactive high-level object-o

dput recommends no packages.

Versions of packages dput suggests:
ii  lintian         2.0.0      Debian package checker
ii  mini-dinstall   0.6.25     daemon for updating Debian package
ii  openssh-client  1:5.1p1-3  secure shell client, an rlogin/rsh
ii  rsync           3.0.4-3    fast remote file copy program (lik
pn  yaclc           <none>     (no description available)

-- no debconf information
--- End Message ---
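Review bot: the added "cd $DIR" line leaves $DIR unquoted and does not check whether the cd succeeded, so if it fails the python -c line that follows still runs from whatever directory the caller was in, which is the case the patch is meant to rule out (unless the script runs under set -e, which the visible lines do not show). Suggest cd "$DIR" || exit 1. The change also makes $DIR itself the first place the interpreter looks for compileall, so it only helps when $DIR is not writable by unprivileged users; a fixed directory such as / would not depend on that.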
--- Begin Message ---
Source: debconf
Source-Version: 1.5.63

We believe that the bug you reported is fixed in the latest version of debconf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated debconf package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 02:23:47 +0100
Source: debconf
Binary: debconf debconf-i18n debconf-doc debconf-utils
Architecture: source
Version: 1.5.63
Distribution: unstable
Urgency: medium
Maintainer: Debconf Developers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
 debconf - Debian configuration management system
 debconf-doc - debconf documentation
 debconf-i18n - full internationalization support for debconf
 debconf-utils - debconf utilities
Closes: 501767 608648
Changes:
 debconf (1.5.63) unstable; urgency=medium
 .
   * "Change directory to / before executing maintainer scripts" from 1.5.62
     was too intrusive due to changing Debconf::ConfModule, and broke some
     existing maintainer scripts that e.g. ran ucf with relative paths.
     Instead, just chdir to / before running maintainer scripts in
     dpkg-reconfigure and chdir back afterwards (closes: #608648).
   * In the Gnome frontend, hide the cancel button, and prompt for
     confirmation when the close button is pressed (closes: #501767).
     Original idea by Michael Vogt with an amendment by Joey Hess; some code
     by Martin Pitt.
--- End Message ---
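The module-search behaviour from the report and the "chdir to / before, chdir back afterwards" approach recorded in the 1.5.63 changelog, as an added example that is not part of the original messages or of debconf's code. The temporary directory and its compileall.py are constructed stand-ins, the helper names are hypothetical, and the -I (isolated mode) flag of Python 3 is not discussed in the thread.

```python
import os
import subprocess
import sys
import tempfile
from contextlib import contextmanager

# Ask a child interpreter started with -c which file "compileall" resolves to.
PROBE = "import compileall; print(compileall.__file__)"

@contextmanager
def working_directory(path):
    """chdir to `path` for the duration of the block, then chdir back."""
    previous = os.getcwd()
    os.chdir(path)
    try:
        yield
    finally:
        os.chdir(previous)

def resolved_module_path(extra_flags=()):
    """Run the probe in a child interpreter that inherits our working directory."""
    env = dict(os.environ)
    env.pop("PYTHONSAFEPATH", None)  # keep the default search-path behaviour
    out = subprocess.run([sys.executable, *extra_flags, "-c", PROBE],
                         capture_output=True, text=True, env=env, check=True)
    return os.path.realpath(out.stdout.strip())

def demo():
    """Return the file compileall resolves to under three launch conditions."""
    results = {}
    with tempfile.TemporaryDirectory() as untrusted:
        # Constructed stand-in for a user-writable directory holding a
        # same-named module, as in the report.
        with open(os.path.join(untrusted, "compileall.py"), "w") as fh:
            fh.write("def main():\n    return True\n")
        results["untrusted_dir"] = os.path.realpath(untrusted)
        with working_directory(untrusted):
            # Default: the working directory is searched first.
            results["untrusted_cwd"] = resolved_module_path()
            # Isolated mode leaves the working directory off sys.path.
            results["isolated"] = resolved_module_path(["-I"])
            # chdir to / around the call, then back, as in the changelog.
            with working_directory("/"):
                results["root_cwd"] = resolved_module_path()
            results["restored_cwd"] = os.path.realpath(os.getcwd())
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

Only the first launch resolves compileall to the file in the untrusted directory; the other two resolve to the standard library copy, and the caller's working directory is restored afterwards, which is why relative paths used by the caller keep working.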

