Package: libjson-c-dev
Version: 0.11-4
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts
Hi,

during a test with piuparts I noticed your package causes creation of unowned symlinks (via ldconfig) in /usr/lib/<triplet>:

  0m31.3s DEBUG: Starting command: ['chroot', '/tmp/piupartss/tmpZYURWg', 'tmp/scripts/pre_remove_40_find_unowned_lib_links']
  0m33.9s DUMP: UNOWNED SYMLINK /usr/lib/x86_64-linux-gnu/libjson-c.so.2 -> libjson.so

Policy 8.1 says:

  The run-time library package should include the symbolic link for the SONAME that ldconfig would create for the shared libraries. For example, the libgdbm3 package should include a symbolic link from /usr/lib/libgdbm.so.3 to libgdbm.so.3.0.0. This is needed so that the dynamic linker (for example ld.so or ld-linux.so.*) can find the library between the time that dpkg installs it and the time that ldconfig is run in the postinst script.

So your package is a bit special here since it is a -dev package and affected by having the library in /lib, but the .so link in /usr/lib.

ldconfig is not triggered by libjson-c-dev installation/removal, so the symlink will show up/disappear once something else triggered ldconfig, leaving a potentially very long time window where /usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev removal.

Patch attached.

It's probably ok to ask for a jessie-ignore tag unless you can show that this dangling link causes an actual problem.

Andreas
>From 646a7884059bfe2c973b0bca371a9bbf7ac76d29 Mon Sep 17 00:00:00 2001 From: Andreas Beckmann <a...@debian.org> Date: Sat, 11 Jul 2015 14:02:31 +0200 Subject: [PATCH] libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink otherwise this would be an unowned link created/removed by ldconfig ldconfig is not triggered by libjson-c-dev installation/removal, so the symlink will show up/disappear once something else triggered ldconfig, leaving a potentially very long time window where /usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev removal --- debian/changelog | 10 +++++++++- debian/libjson-c-dev.install | 2 +- debian/libjson-c-dev.links | 3 +++ debian/rules | 7 +++---- 4 files changed, 16 insertions(+), 6 deletions(-) create mode 100755 debian/libjson-c-dev.links diff --git a/debian/changelog b/debian/changelog index 3970061..8e33404 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,14 @@ +json-c (0.11-5) UNRELEASED; urgency=medium + + * libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink that would + otherwise become a dangling link (initially created by ldconfig) after + package removal. (Closes: #xxxxxx) + + -- Andreas Beckmann <a...@debian.org> Sat, 11 Jul 2015 13:50:43 +0200 + json-c (0.11-4) unstable; urgency=low - * Add upstream patch to fix two security vulnerabilitiesa (Closes: #744008) + * Add upstream patch to fix two security vulnerabilities (Closes: #744008) + [CVE-2013-6371]: hash collision denial of service + [CVE-2013-6370]: buffer overflow if size_t is larger than int diff --git a/debian/libjson-c-dev.install b/debian/libjson-c-dev.install index 3d52de9..f7531b3 100644 --- a/debian/libjson-c-dev.install +++ b/debian/libjson-c-dev.install @@ -1,5 +1,5 @@ usr/lib/*/libjson-c.a -usr/lib/*/libjson-c.so +#usr/lib/*/libjson-c.so usr/include/json-c/* usr/lib/*/pkgconfig/json-c.pc json_object_iterator.h /usr/include/json-c/ 
diff --git a/debian/libjson-c-dev.links b/debian/libjson-c-dev.links new file mode 100755 index 0000000..c909a2f --- /dev/null +++ b/debian/libjson-c-dev.links @@ -0,0 +1,3 @@ +#!/usr/bin/dh-exec +/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 +/usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so diff --git a/debian/rules b/debian/rules index 34dde57..ce3233f 100755 --- a/debian/rules +++ b/debian/rules @@ -20,10 +20,9 @@ override_dh_auto_clean: override_dh_auto_install: dh_auto_install - # we install libjson-c into /lib, so fix the link - T=$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so); \ - rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so; \ - ln -s /lib/$(DEB_HOST_MULTIARCH)/$$(basename $$T) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so + # we install libjson-c into /lib, so fix the link in a way understood by ldconfig + rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so + # new links are created by libjson-c-dev.links # add thin symlink compatibility layer for json.so rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson.* -- 2.1.4
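Review bot: the new 0.11-5 changelog entry still carries the `(Closes: #xxxxxx)` placeholder, so as written it closes nothing; fill in this bug's number before upload. The same hunk also edits the already released 0.11-4 entry (the `vulnerabilitiesa` typo fix and the two CVE bullet lines); since that entry has shipped, consider leaving it untouched or carrying the CVE references in the 0.11-5 entry instead, so the diff of a released entry stays clean.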
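Review bot: in debian/libjson-c-dev.install the line `usr/lib/*/libjson-c.so` is commented out rather than deleted; since debian/libjson-c-dev.links now provides that path, drop the line instead of leaving `#usr/lib/*/libjson-c.so` behind, so nobody later re-enables it and ends up with dh_install and dh_link both producing the same file.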
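Review bot: debian/libjson-c-dev.links is added with mode 100755 and a `#!/usr/bin/dh-exec` shebang, so the build needs `dh-exec` in Build-Depends; debian/control is not in the diffstat, so confirm it is already there, otherwise running the file fails or `${DEB_HOST_MULTIARCH}` stays unexpanded and dh_link creates links with that literal name. Also verify the result against a full install/ldconfig/remove cycle under piuparts: the dump quoted in the report shows ldconfig itself producing `/usr/lib/x86_64-linux-gnu/libjson-c.so.2 -> libjson.so`, and ldconfig updates SONAME links it considers stale, so check that the packaged `libjson-c.so.2 -> /lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2` link is the one that survives and that the unowned-link warning is gone.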
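Review bot: in debian/rules the rewritten comment `# we install libjson-c into /lib, so fix the link in a way understood by ldconfig` now sits above a bare `rm` that fixes nothing; reword it to say that the link created by dh_auto_install is removed here and both links are recreated by dh_link from debian/libjson-c-dev.links, so the two comments read as one explanation. Note also that the dropped `readlink`/`basename` logic used to discover the real file name, whereas the versioned name `libjson-c.so.2` is now hard-coded in the .links file and must be bumped by hand on a SONAME change.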
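Added example, written for this page and not taken from the bug report or the json-c packaging: a shell re-implementation of the check piuparts ran above, extended to flag dangling links, with a constructed directory tree showing the pre-patch layout (unowned ldconfig link, dangling after removal) and the patched layout (both links owned, cleanly removed); the owned-path list stands in for dpkg's file lists and the "ldconfig" link target is simplified.

```shell
#!/bin/sh
# Added example (not part of the bug report or of the json-c packaging).
# report_lib_links re-implements the gist of piuparts' "find unowned lib
# links" check for one directory and also marks dangling links.
#   $1  directory to scan, e.g. /usr/lib/x86_64-linux-gnu
#   $2  file with one dpkg-owned absolute path per line (constructed here;
#       on a real system: cat /var/lib/dpkg/info/*.list)
# Output, one line per symlink:  OWNED|UNOWNED  LIVE|DANGLING  link -> target
report_lib_links() {
    libdir=$1; owned=$2
    for link in "$libdir"/*; do
        [ -L "$link" ] || continue
        if grep -qxF "$link" "$owned"; then own=OWNED; else own=UNOWNED; fi
        if [ -e "$link" ]; then state=LIVE; else state=DANGLING; fi
        printf '%s %s %s -> %s\n' "$own" "$state" "$link" "$(readlink "$link")"
    done
}

# Number of links a QA check would flag: unowned (created by ldconfig, so
# no package ever removes them) or dangling after a package removal.
count_flagged() {
    report_lib_links "$1" "$2" | grep -c -E '^(UNOWNED|OWNED DANGLING)' || true
}

# Constructed tree mirroring the report, rooted at $1 instead of /.
# mode=old: -dev ships only usr/lib/libjson-c.so; ldconfig added an unowned
#           libjson-c.so.2 next to it (simplified: pointing at libjson-c.so).
# mode=new: -dev owns both links, as debian/libjson-c-dev.links arranges.
build_tree() {
    root=$1; mode=$2
    mkdir -p "$root/lib" "$root/usr/lib"
    printf 'stand-in for the real ELF file' > "$root/lib/libjson-c.so.2.0.0"
    ln -s libjson-c.so.2.0.0 "$root/lib/libjson-c.so.2"
    : > "$root/owned.list"
    if [ "$mode" = old ]; then
        ln -s ../../lib/libjson-c.so.2.0.0 "$root/usr/lib/libjson-c.so"
        ln -s libjson-c.so "$root/usr/lib/libjson-c.so.2"      # left by ldconfig
        echo "$root/usr/lib/libjson-c.so" >> "$root/owned.list"
    else
        ln -s "$root/lib/libjson-c.so.2" "$root/usr/lib/libjson-c.so.2"
        ln -s libjson-c.so.2 "$root/usr/lib/libjson-c.so"
        printf '%s\n' "$root/usr/lib/libjson-c.so.2" "$root/usr/lib/libjson-c.so" >> "$root/owned.list"
    fi
}

# Simulate package removal: dpkg deletes exactly the paths it owns.
remove_owned() {
    while read -r p; do rm -f "$p"; done < "$1/owned.list"
    : > "$1/owned.list"
}
```

Run `build_tree "$(mktemp -d)" old` followed by `report_lib_links ROOT/usr/lib ROOT/owned.list` before and after `remove_owned ROOT` to see the UNOWNED LIVE link turn into UNOWNED DANGLING; with `new` the count stays 0 throughout.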