Package: dpkg-dev
Version: 1.15.8.11
Severity: normal

During my work on the Debian derivatives census (generating patches for all derivatives), I came across this package:

http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc

I made a copy of it here in case it disappears:

http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc

This is a format 1.0 native package where the debian/ directory is an absolute symlink to outside the package:

lrwxrwxrwx 1 pabs Debian 49 Oct 12 16:27 debian -> /root/Desktop/exe/exe/installs/debian/boss/debian

When I try to unpack this package, I get this error:

dpkg-source: warning: extracting unsigned source package (/tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/exe_1.04.1.3602-boss1.dsc)
dpkg-source: info: extracting exe in /tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/extracted
dpkg-source: info: unpacking exe_1.04.1.3602-boss1.tar.gz
dpkg-source: error: cannot stat /tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/extracted/debian/rules: Permission denied

The resulting extraction directory still exists despite this failure.

On a different system where /root was world readable, the error was replaced with a warning:

dpkg-source: warning: extracting unsigned source package (exe_1.04.1.3602-boss1.dsc)
dpkg-source: info: extracting exe in exe-1.04.1.3602
dpkg-source: info: unpacking exe_1.04.1.3602-boss1.tar.gz
dpkg-source: warning: exe-1.04.1.3602/debian/rules does not exist

I see several problems with this...

When there is an error I would expect dpkg-source to clean up after itself, probably a --no-cleanup option needs adding though for people wanting to debug why the extraction failed.

I don't understand why dpkg-source needs to look at debian/rules at all.

And more fundamentally, dpkg-dev should never extract or follow symlinks that point outside the source package. That includes all absolute ones and any relative ones with too many .. in their link target. Even if dpkg-source doesn't write to them during unpack, they could have some other impact on the user's system if they access them thinking that since Debian source packages are self-contained they should be safe.

This issue seems to be present in both squeeze and wheezy. I did not test if the issue is present in lenny.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
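The check the report asks for in its last substantive paragraph (refuse symlinks whose target is absolute, or relative with enough `..` components to climb out of the unpacked tree), written out as an added example. This is not code from the bug report and not dpkg-dev's own implementation; the tar image it scans is constructed inline to mirror the reported layout (an `exe-1.04.1.3602/debian` symlink to an absolute `/root/...` path) plus a few extra links, and the function and member names are this example's own.

```python
import io
import posixpath
import tarfile


def symlink_escapes(member_name: str, linkname: str) -> bool:
    """Return True if a tar symlink member would point outside the
    extraction root.

    member_name is the archive path of the link itself and linkname its
    target, both '/'-separated as stored in the tar header. An absolute
    target always escapes. A relative target is joined onto the link's own
    directory and normalised ('.' and '..' collapsed); if the result still
    starts with '..' it climbs above the root, which is the "too many .."
    case from the report.
    """
    if posixpath.isabs(linkname):
        return True
    link_dir = posixpath.dirname(posixpath.normpath(member_name))
    resolved = posixpath.normpath(posixpath.join(link_dir, linkname))
    return resolved == ".." or resolved.startswith("../")


def find_escaping_symlinks(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Scan an in-memory .tar/.tar.gz image and return (member, target)
    for every symlink that escapes the extraction root.

    Caveat: each link is judged on its own. A relative link routed through
    another symlink (a/b -> ../c where a itself points outside) is only
    caught because the first link is already flagged; a full resolver
    would walk the chain. Member names that themselves start with '..'
    are a separate path-traversal problem and are not covered here.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym() and symlink_escapes(m.name, m.linkname):
                bad.append((m.name, m.linkname))
    return bad


def build_sample_tar() -> bytes:
    """Constructed sample archive (not the real exe_1.04.1.3602-boss1.tar.gz):
    the debian/ symlink from the report plus extra links to exercise the
    relative-path cases."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add_dir(name):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.DIRTYPE
            ti.mode = 0o755
            tf.addfile(ti)

        def add_link(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tf.addfile(ti)

        add_dir("exe-1.04.1.3602")
        # The link from the report: absolute target, always rejected.
        add_link("exe-1.04.1.3602/debian",
                 "/root/Desktop/exe/exe/installs/debian/boss/debian")
        add_dir("exe-1.04.1.3602/src")
        # Relative target with more '..' than there are parent dirs: rejected.
        add_link("exe-1.04.1.3602/src/up", "../../../../etc")
        # Relative target that stays inside the tree: allowed.
        add_link("exe-1.04.1.3602/src/sibling", "../doc")
        add_link("exe-1.04.1.3602/README", "doc/README")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_escaping_symlinks(build_sample_tar()):
        print(f"refusing symlink {name} -> {target}")
```

Run before handing the archive to an extractor, and abort the unpack (and remove the partial directory) on any hit. Since Python 3.12, `tarfile`'s own extraction filters (`filter="data"`) reject absolute and out-of-tree symlink targets at extract time; the scan above is the same policy applied as a pre-check so the decision is made before anything touches the filesystem.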