Bug#1012195: dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

[Guillem Jover]

On Sat, 2022-06-25 at 22:09:12 +0200, Salvatore Bonaccorso wrote:
> In fact I think this regression can be included as fix in the upcoming
> point releases if SRM agree, and so avoid an out of order dpkg update
> again to fix this rather edge-case regression (and instread batch it
> with other updates for the point releases).

Yes, was planning to do that after uploading this fix to unstable. But
got sick and was not able to do much.

> Did you found time already for fixes? The bullseye 11.4 point release
> has now been settled for the July 9th, with freezing the upload window
> the preceeding weekend.

I'll try to finish this up for today, and send a proposal for a stable
update once this hits unstable.

Thanks,
Guillem

Bug#1012195: dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

[Salvatore Bonaccorso]

Hi,

On Wed, Jun 01, 2022 at 03:53:32AM +0200, Guillem Jover wrote:
> Hi!
> 
> On Tue, 2022-05-31 at 22:10:29 +0200, Paul Gevers wrote:
> > Source: dpkg
> > Version: 1.20.10
> > Severity: important
> 
> > Our proposed-updates queue [1] show regressions in the autopkgtest of
> > lintian with the security version of dpkg. Looking at the logs [2], it
> > appears to me that the file permissions of files in the test
> > change. If I understand the security issue correctly, I don't think
> > that was intended. Again, I may be reading the signs wrong, but I
> > suspect you want to have a look.
> 
> Hmm, right. We noticed this on the new security queue autopkgtest
> infra, and I checked locally and it was reproducible, but for some
> reason I disregarded it as not relevant. :/
> 
> Perhaps because it was not showing up on lintian's sid test suite (but
> just checked now and the test seems to have been removed from there),
> and I'm assuming I didn't test against the previous dpkg version. So,
> it seems I botched the testing procedure somewhere.
> 
> In any case, I think the attached patch fixes this, which during the
> days I was preparing the fix this came to mind to take into account,
> but I guess I forgot along the way. :/ I'll test this tomorrow against
> the older lintian test suite. I guess I'll need to talk with the
> security team avoid issuing a security fixup?

In fact I think this regression can be included as fix in the upcoming
point releases if SRM agree, and so avoid an out of order dpkg update
again to fix this rather edge-case regression (and instread batch it
with other updates for the point releases).

Did you found time already for fixes? The bullseye 11.4 point release
has now been settled for the July 9th, with freezing the upload window
the preceeding weekend.

Thank you Guillem for your work!

Regards,
Salvatore

Bug#1012195: dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

[Guillem Jover]

Hi!

On Tue, 2022-05-31 at 22:10:29 +0200, Paul Gevers wrote:
> Source: dpkg
> Version: 1.20.10
> Severity: important

> Our proposed-updates queue [1] show regressions in the autopkgtest of
> lintian with the security version of dpkg. Looking at the logs [2], it
> appears to me that the file permissions of files in the test
> change. If I understand the security issue correctly, I don't think
> that was intended. Again, I may be reading the signs wrong, but I
> suspect you want to have a look.

Hmm, right. We noticed this on the new security queue autopkgtest
infra, and I checked locally and it was reproducible, but for some
reason I disregarded it as not relevant. :/

Perhaps because it was not showing up on lintian's sid test suite (but
just checked now and the test seems to have been removed from there),
and I'm assuming I didn't test against the previous dpkg version. So,
it seems I botched the testing procedure somewhere.

In any case, I think the attached patch fixes this, which during the
days I was preparing the fix this came to mind to take into account,
but I guess I forgot along the way. :/ I'll test this tomorrow against
the older lintian test suite. I guess I'll need to talk with the
security team avoid issuing a security fixup?

Thanks,
Guillem
diff --git i/scripts/Dpkg/Source/Package/V2.pm w/scripts/Dpkg/Source/Package/V2.pm
index 1167625d7..68a967168 100644
--- i/scripts/Dpkg/Source/Package/V2.pm
+++ w/scripts/Dpkg/Source/Package/V2.pm
@@ -218,7 +218,7 @@ sub do_extract {
 # Extract main tarball
 info(g_('unpacking %s'), $tarfile);
 my $tar = Dpkg::Source::Archive->new(filename => "$dscdir$tarfile");
-$tar->extract($newdirectory, no_fixperms => 1,
+$tar->extract($newdirectory,
   options => [ '--anchored', '--no-wildcards-match-slash',
'--exclude', '*/.pc', '--exclude', '.pc' ]);
 # The .pc exclusion is only needed for 3.0 (quilt) and to avoid
@@ -239,7 +239,7 @@ sub do_extract {
 erasedir("$newdirectory/$subdir");
 }
 $tar = Dpkg::Source::Archive->new(filename => "$dscdir$file");
-$tar->extract("$newdirectory/$subdir", no_fixperms => 1);
+$tar->extract("$newdirectory/$subdir");
 }
 
 # Stop here if debianization is not wanted

Bug#1012195: dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

[Paul Gevers]

Source: dpkg
Version: 1.20.10
Severity: important

Dear Guillem,

Our proposed-updates queue [1] show regressions in the autopkgtest of
lintian with the security version of dpkg. Looking at the logs [2], it
appears to me that the file permissions of files in the test
change. If I understand the security issue correctly, I don't think
that was intended. Again, I may be reading the signs wrong, but I
suspect you want to have a look.

Paul

# Tags do not match
# 
# --- 
../../autopkgtest_tmp/build-and-evaluate-test-packages/eval/checks/files/permissions/legacy-scripts/tags.specified.calibrated
# +++ 
../../autopkgtest_tmp/build-and-evaluate-test-packages/eval/checks/files/permissions/legacy-scripts/tags.actual.parsed
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 
tkfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 
gccbug.dpatch
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 
envfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
xsession-test
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
wishfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
suidperlfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
sh-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
rubyfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
phpfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
phpenvfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
perlfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
perl-bizarre-3
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
perl-bizarre-2
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
perl-bizarre-1
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
make-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
lefty-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
jruby-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
init-skeleton
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
init-no-lsb
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
init-lsb-other
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
init-lsb-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
guile-bizarre
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
fish-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 
csh-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 
tkfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 
gccbug.dpatch
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 
envfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
xsession-test
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
wishfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
suidperlfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
sh-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
rubyfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
phpfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
phpenvfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
perlfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
perl-bizarre-3
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
perl-bizarre-2
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
perl-bizarre-1
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
make-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
lefty-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
jruby-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
init-skeleton
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
init-no-lsb
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
init-lsb-other
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
init-lsb-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
guile-bizarre
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
fish-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 
csh-foo
# 


[1] https://release.debian.org/propo