Bug#1001807: Acknowledgement (sbuild-createchroot fails if DEBIAN-MIRROR-URI contains @)

[Johannes Schauer Marin Rodrigues]

Hi Tilman,

Quoting Tilman Keskinöz (2021-12-16 19:11:33)
>>Create a chroot from a debian-mirror that uses username password 
>>authentification.
>>
>>This works in stretch, but is broken in buster and bullseye.
>>
>>Reproducer:
>>
>>sbuild-createchroot --make-sbuild-tarball=foo.tar bullseye 
>>/tmp/bullseye-sbuild-chroot
>>http://f...@ftp.at.debian.org/debian
>>
>>Output fails:
>>I: Base system installed successfully.
>>E: failed running setup script: Global symbol "@ftp" requires explicit 
>>package name (did you forget to declare
>>"my @ftp"?) at (eval 22) line 58.
>>
> So here is my quick an dirty patch.

that patch is indeed just a workaround but doesn't solve the underlying
problem. Effectively, you could put any valid Perl code into the URL and use
that to execute arbitrary code. This should fix the problem:

https://salsa.debian.org/debian/sbuild/-/commit/43b256e52166cfb27f972af34695b3617dfdb6ac

Feel free to verify that this works for you.

Thanks!

cheers, josch

signature.asc
Description: signature

Bug#1001807: Acknowledgement (sbuild-createchroot fails if DEBIAN-MIRROR-URI contains @)

[Tilman Keskinöz]

So here is my quick an dirty patch.
--- sbuild-createchroot.orig2021-12-16 18:59:41.498393428 +0100
+++ sbuild-createchroot 2021-12-16 19:07:30.320705427 +0100
@@ -453,6 +453,7 @@
$sources_list .= "$repo\n";
 }
 
+$sources_list =~ s/\@/\\\@/;
 my $passwd_sbuild = `getent passwd sbuild`;
 my $group_sbuild = `getent group sbuild`;
 


OpenPGP_0x6CBEB6EB6774D2A3.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature