Hi,

On Wed, Jun 01, 2022 at 03:53:32AM +0200, Guillem Jover wrote:
> Hi!
> 
> On Tue, 2022-05-31 at 22:10:29 +0200, Paul Gevers wrote:
> > Source: dpkg
> > Version: 1.20.10
> > Severity: important
> 
> > Our proposed-updates queue [1] shows regressions in the autopkgtest of
> > lintian with the security version of dpkg. Looking at the logs [2], it
> > appears to me that the file permissions of files in the test
> > change. If I understand the security issue correctly, I don't think
> > that was intended. Again, I may be reading the signs wrong, but I
> > suspect you want to have a look.
> 
> Hmm, right. We noticed this on the new security queue autopkgtest
> infra, and I checked locally and it was reproducible, but for some
> reason I disregarded it as not relevant. :/
> 
> Perhaps because it was not showing up on lintian's sid test suite (but
> just checked now and the test seems to have been removed from there),
> and I'm assuming I didn't test against the previous dpkg version. So,
> it seems I botched the testing procedure somewhere.
> 
> In any case, I think the attached patch fixes this, which during the
> days I was preparing the fix this came to mind to take into account,
> but I guess I forgot along the way. :/ I'll test this tomorrow against
> the older lintian test suite. I guess I'll need to talk with the
> security team to avoid issuing a security fixup?

In fact I think this regression can be included as a fix in the upcoming
point releases if SRM agree, and so avoid an out of order dpkg update
again to fix this rather edge-case regression (and instead batch it
with other updates for the point releases).

Did you find time already for fixes? The bullseye 11.4 point release
has now been settled for July 9th, with freezing the upload window
the preceding weekend.

Thank you Guillem for your work!

Regards,
Salvatore
