Your message dated Thu, 18 May 2017 03:18:40 +0000
with message-id <e1dbbxy-00071g...@fasolo.debian.org>
and subject line Bug#860979: fixed in dpkg 1.18.24
has caused the Debian Bug report #860979,
regarding dpkg-dev: dpkg-shlibdeps regression due to the /usr-merge changes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860979: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860979
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dpkg-dev
Version: 1.18.17
Severity: serious
Tags: patch

Hi!

Commit a927295c93fb7a17742441aa863aaffcf4a351b5 introduced a severe
regression related to ignoring the order of the found shared library
pathnames, very carefully curated over time in the find_library()
function. Which I already mentioned as my biggest gut-feeling concern
at the time (for which I should have known better and pushed back instead
of succumbing to the unpleasant pressure at the time…).

This was reported on IRC by Helmut Grohne as being detected on one of
the marvelous rebootstrap runs. An easy reproducer is to install on a
clean amd64 system libc6-amd64:i386, and build anything that depends
on libc6. The binary generated might contain a wrong and unsatisfiable
dependency, because it might emit libc6-amd64 (w/o the arch-qualifier,
which does not exist on amd64) instead of just libc6.

I've prepared the most minimal patch I could come up with up to now,
attached, which fixes that specific problem. But I've not given it
much further testing yet. So I'm a bit hesitant to push this into
1.18.24, because it has the potential to break havoc. :( Of course
there's always the other option of reverting the /usr-merge change
altogether…

Thanks,
Guillem
From aa1ad5755490cb90a309f2d3daf6539d0b4762cb Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Sun, 23 Apr 2017 04:51:58 +0200
Subject: [PATCH] dpkg-shlibdeps: Preserve the order when scanning
 symbols/shlibs files

Regression introduced in commit a927295c93fb7a17742441aa863aaffcf4a351b5.

The code was getting all the possible shared library pathnames for the
wanted SONAME, but was not preserving the order carefully constructed
in find_library(), so we were overwriting symbols/shlibs information
when parsing multiple entries, and selecting the symbols/shlibs files
randomly based on the perl hash order.

This causes regressions when multiple packages provide the same
SONAME on different directories. An example would be libc6:amd64
and libc6-amd64:i386.

Closes: #
Reported-by: Helmut Grohne <hel...@subdivi.de>
---
 scripts/dpkg-shlibdeps.pl | 74 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 51 insertions(+), 23 deletions(-)

diff --git a/scripts/dpkg-shlibdeps.pl b/scripts/dpkg-shlibdeps.pl
index 0978f33b9..b314202f1 100755
--- a/scripts/dpkg-shlibdeps.pl
+++ b/scripts/dpkg-shlibdeps.pl
@@ -191,6 +191,7 @@ foreach my $file (keys %exec) {
     # Load symbols files for all needed libraries (identified by SONAME)
     my %libfiles;
     my %altlibfiles;
+    my %soname_libs;
     my %soname_notfound;
     my %alt_soname;
     foreach my $soname (@sonames) {
@@ -209,6 +210,11 @@ foreach my $file (keys %exec) {
 	    }
 	    next;
 	}
+
+	# Track shared libraries for a given SONAME.
+	push @{$soname_libs{$soname}}, @libs;
+
+	# Track shared libraries for package mapping.
 	foreach my $lib (@libs) {
 	    $libfiles{$lib} = $soname;
 	    my $reallib = realpath($lib);
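Review bot: the comment `# Track shared libraries for a given SONAME.` should say why a second structure is needed next to %libfiles: the `push @{$soname_libs{$soname}}, @libs;` keeps the find_library() ordering of @libs that the later SONAME loop depends on, whereas %libfiles is keyed by path and has no order. Suggest `# Track shared libraries for a given SONAME, preserving find_library() order.` so the next reader does not "simplify" it back into a hash.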
@@ -222,9 +228,11 @@ foreach my $file (keys %exec) {
     my $symfile = Dpkg::Shlibs::SymbolFile->new();
     my $dumplibs_wo_symfile = Dpkg::Shlibs::Objdump->new();
     my @soname_wo_symfile;
-    foreach my $lib (keys %libfiles) {
-	my $soname = $libfiles{$lib};
+    SONAME: foreach my $soname (@sonames) {
+      # Select the first good entry from the ordered list that we got from
+      # find_library(), and skip to the next SONAME.
 
+      foreach my $lib (@{$soname_libs{$soname}}) {
 	if (none { $_ ne '' } @{$file2pkg->{$lib}}) {
 	    # The path of the library as calculated is not the
 	    # official path of a packaged file, try to fallback on
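Review bot: the comment `# Select the first good entry from the ordered list that we got from find_library()` sits above a blank context line instead of directly above the `foreach my $lib (@{$soname_libs{$soname}})` it describes, and the two new loop levels use 4- and 6-space indents while the re-nested body keeps its previous tab indentation, so the block reads as if the per-library body were still at SONAME level. Either re-indent the body one level or state in the commit message that it is deliberately left untouched to keep the diff reviewable, and move the comment next to the inner loop.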
@@ -244,6 +252,7 @@ foreach my $file (keys %exec) {
 	}
 
 	# Load symbols/shlibs files from packages providing libraries
+	my $missing_wanted_shlibs_info = 0;
 	foreach my $pkg (@{$file2pkg->{$lib}}) {
 	    my $symfile_path;
             my $haslocaldep = 0;
@@ -273,6 +282,9 @@ foreach my $file (keys %exec) {
 		my $minver = $symfile->get_smallest_version($soname) || '';
 		update_dependency_version($dep, $minver);
 		debug(2, " Minimal version of ($dep) initialized with ($minver)");
+
+		# Found a symbols file for the SONAME.
+		next SONAME;
 	    } else {
 		# No symbol file found, fall back to standard shlibs
                 debug(1, "Using shlibs+objdump for $soname (file $lib)");
@@ -284,31 +296,47 @@ foreach my $file (keys %exec) {
 		    $alt_soname{$id} = $soname;
 		}
 		push @soname_wo_symfile, $soname;
+
 		# Only try to generate a dependency for libraries with a SONAME
-		if ($libobj->is_public_library() and not
-		    add_shlibs_dep($soname, $pkg, $lib)) {
-		    # This failure is fairly new, try to be kind by
-		    # ignoring as many cases that can be safely ignored
-		    my $ignore = 0;
-		    # 1/ when the lib and the binary are in the same
-		    # package
-		    my $root_file = guess_pkg_root_dir($file);
-		    my $root_lib = guess_pkg_root_dir($lib);
-		    $ignore++ if defined $root_file and defined $root_lib
-			and check_files_are_the_same($root_file, $root_lib);
-		    # 2/ when the lib is not versioned and can't be
-		    # handled by shlibs
-		    $ignore++ unless scalar(split_soname($soname));
-		    # 3/ when we have been asked to do so
-		    $ignore++ if $ignore_missing_info;
-		    error(g_('no dependency information found for %s ' .
-		             "(used by %s)\n" .
-		             'Hint: check if the library actually comes ' .
-		             'from a package.'), $lib, $file)
-		        unless $ignore;
+		if (not $libobj->is_public_library()) {
+		    debug(1, "Skipping shlibs+objdump info for private library $lib");
+		    next;
 		}
+
+		# If we found a shlibs file for the SONAME, skip to the next.
+		next SONAME if add_shlibs_dep($soname, $pkg, $lib);
+
+		$missing_wanted_shlibs_info = 1;
+
+		debug(1, "No shlibs+objdump info available, trying next package for $lib");
 	    }
 	}
+
+	next if not $missing_wanted_shlibs_info;
+
+        # We will only reach this point, if we have found no symbols nor
+        # shlibs files for the given SONAME.
+
+        # This failure is fairly new, try to be kind by
+        # ignoring as many cases that can be safely ignored
+        my $ignore = 0;
+        # 1/ when the lib and the binary are in the same
+        # package
+        my $root_file = guess_pkg_root_dir($file);
+        my $root_lib = guess_pkg_root_dir($lib);
+        $ignore++ if defined $root_file and defined $root_lib
+            and check_files_are_the_same($root_file, $root_lib);
+        # 2/ when the lib is not versioned and can't be
+        # handled by shlibs
+        $ignore++ unless scalar(split_soname($soname));
+        # 3/ when we have been asked to do so
+        $ignore++ if $ignore_missing_info;
+        error(g_('no dependency information found for %s ' .
+                 "(used by %s)\n" .
+                 'Hint: check if the library actually comes ' .
+                 'from a package.'), $lib, $file)
+            unless $ignore;
+      }
     }
 
     # Scan all undefined symbols of the binary and resolve to a
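Review bot: the comment `# We will only reach this point, if we have found no symbols nor shlibs files for the given SONAME.` does not match the control flow: this code is still inside `foreach my $lib (@{$soname_libs{$soname}})`, and `$missing_wanted_shlibs_info` is declared per $lib, so the error() is raised for the first candidate path that lacks symbols/shlibs info even when a later path in the ordered list would have provided it (only when $ignore is set does execution fall through to the next $lib). If the intent is to fail only once every candidate for the SONAME is exhausted, move the flag declaration and the error block after the inner loop; otherwise reword the comment to say it applies per library path. The moved block also uses 8-space indentation where the surrounding code uses tabs.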
-- 
2.12.2.816.g2cccc81164


--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.18.24

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guil...@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 17 May 2017 13:16:25 +0200
Source: dpkg
Binary: dpkg libdpkg-dev dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.24
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-d...@lists.debian.org>
Changed-By: Guillem Jover <guil...@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 813454 824742 837051 850834 857449 858004 860238 860979 861217
Changes:
 dpkg (1.18.24) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Add missing symbols to the libdpkg map file.
   * Fix dpkg-shlibdeps to preserve the Dpkg::Shlibs::find_library() order
     when scanning symbols/shlibs files. This was causing generation of bogus
     dependencies when multiple packages provide the same SONAME on different
     directories. Regression introduced in dpkg 1.18.17. Closes: #860979
   * Make dpkg-maintscript-helper print all unowned files from a directory
     when printing the error message, to ease debugging those problems after
     the fact. Closes: #813454, #860238
     Based on a patch by Bastien ROUCARIÈS <roucaries.bast...@gmail.com>.
   * Add duplicate prevention code for debian/files to dpkg-genbuildinfo, so
     that successive runs with different versions and equivalent build types
     do not generate multiple .buildinfo entries to be uploaded, which is
     similar to what dpkg-gencontrol is doing for .deb files.
   * Fix conffile takeover handling during unpack in dpkg on --root or
     on diversions. Closes: #837051, #858004
   * Fix digest inference for shared conffiles, causing bogus takeover
     unpack errors. Regression introduced in dpkg 1.16.9. Closes: #861217
   * Improve tar entry metadata parsing in dpkg:
     - Do not parse device numbers for non block nor char tar entry objects.
     - Make the existing octal parser more robust, by checking for the
       expected format of leading zeros or spaces, followed by any ASCII
       octal characters (0-7), followed by zero or more space or NULs.
     - Add support for base-256 encoded numeric fields, to support large
       values, for UID/GID, device number, size and even signed timestamps.
       This is necessary not only to be able to store larger values, but to
       cover packages that can already be generated by dpkg-deb, given that
       it uses the system GNU tar when building. Closes: #850834
   * Architecture support:
     - Add support for ARM64 ILP32. Closes: #824742
       Thanks to Wookey <woo...@wookware.org>.
   * Perl modules:
     - Remove obsolete hardening-wrapper support from Dpkg::Vendor::Ubuntu.
       Thanks to Adam Conrad <adcon...@0c3.net>.
     - Bump $Dpkg::Deps::VERSION to match the one documented in CHANGES.
     - Ignore by default debian/files.new and debian/files for all source
       formats in Dpkg::Source::Package, because these are generated files
       with well known pathnames, part of the public interface, and with
       dpkg-genbuildinfo always injecting .buildinfo entries into
       debian/files, this meant this could disrupt previous workflows based
       on not cleaning the source tree.
   * Documentation:
     - Many spelling fixes. Thanks to Josh Soref <jso...@gmail.com>.
     - Do not include misspellings in changelogs, as that makes detecting them
       more difficult.
   * Build system:
     - Use libexec variable for auxiliary internal programs, and set it to
       /usr/lib on Debian and derivatives.
     - Check that the detected tar is a GNU tar.
     - Check that the detected patch is a GNU patch, so that we get a directory
       traversal resistant patch implementation. This fixes CVE-2017-8283 by
       delegating those checks to patch(1), so that we trap blank-indented
       diff hunks trying to escape from the source tree.
   * Test suite:
     - Add a test case for blank-indented patches which were the cause for
       CVE-2017-8283.
     - Handle files with non-zero sizes in c-tarextract libdpkg test code.
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * Czech (Miroslav Kure).
 .
   [ Updated dselect translations ]
   * Catalan (Guillem Jover).
 .
   [ Updated scripts translations ]
   * Catalan (Guillem Jover).
 .
   [ Updated man pages translations ]
   * German (Helge Kreutzmann, David Rabel). Closes: #857449
   * Spanish (Javier Fernández-Sanguino).


--- End Message ---
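The changelog entry on tar entry metadata parsing states the rules compactly: an octal field is leading zeros or spaces, then digits 0-7, then only space or NUL padding, and large or negative values use base-256 encoding. As an added example (not dpkg's own code), this C parser implements both encodings with the overflow and sign checks a robust reader needs; field layouts and the `tar_parse_*` names are this example's own.

```c
/* Added example, not dpkg's code: parse a tar numeric field as the changelog describes. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define TOP_BYTE(v) ((v) >> (sizeof(v) * CHAR_BIT - 8))

/* Strict octal: leading spaces/zeros, digits 0-7, then only ' ' or NUL padding. */
static bool tar_parse_octal(const unsigned char *s, size_t len, intmax_t *out)
{
	uintmax_t v = 0;
	size_t i = 0, first_digit;
	while (i < len && s[i] == ' ')
		i++;
	for (first_digit = i; i < len && s[i] >= '0' && s[i] <= '7'; i++) {
		if (v >> (sizeof(v) * CHAR_BIT - 3))
			return false;			/* would overflow uintmax_t */
		v = (v << 3) | (uintmax_t)(s[i] - '0');
	}
	while (i < len && (s[i] == ' ' || s[i] == '\0'))
		i++;
	if (i == first_digit || i != len || v > (uintmax_t)INTMAX_MAX)
		return false;				/* no digits, junk byte, or too big */
	*out = (intmax_t)v;
	return true;
}

/* Base-256: byte 0 is 0x80 (non-negative) or 0xff (negative), bit 0x40 is the
 * sign, and the two's complement value follows in big-endian order. */
static bool tar_parse_base256(const unsigned char *s, size_t len, intmax_t *out)
{
	bool negative = (s[0] & 0x40) != 0;
	uintmax_t v = negative ? (s[0] | ~(uintmax_t)0x3f) : (s[0] & 0x3fu);
	for (size_t i = 1; i < len; i++) {
		if (TOP_BYTE(v) != (negative ? 0xffu : 0u))
			return false;			/* bits shifted out were not sign bits */
		v = (v << 8) | s[i];
	}
	if (((TOP_BYTE(v) >> 7) != 0) != negative)
		return false;				/* sign bit disagrees: value does not fit */
	*out = negative ? -(intmax_t)~v - 1 : (intmax_t)v;
	return true;
}

/* Dispatch on the high bit of byte 0, as GNU tar does; empty fields are invalid. */
bool tar_parse_number(const unsigned char *f, size_t len, intmax_t *out)
{
	return len > 0 && ((f[0] & 0x80) ? tar_parse_base256(f, len, out)
	                                 : tar_parse_octal(f, len, out));
}
```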