Bug#837075: debootstrap: does not validate `suite` parameter against Release file

2016-09-08 Thread Ansgar Burchardt
On Thu, 2016-09-08 at 16:09 +0200, Ansgar Burchardt wrote:
> 
> debootstrap should validate that ${suite} is listed in the Release
> file in either the Suite: or Codename: fields.  Additionally storing
> the codename in a variable would also be useful for suite-specific
> workarounds, such as [1].
> 
>   [1] 
> 

I've attached a patch that implements this.

Ansgar

From 81ebc7df61e8a80915126351e01e016f6a57a52a Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt 
Date: Thu, 8 Sep 2016 17:28:19 +0200
Subject: [PATCH 1/6] Validate SUITE against Release's Suite or Codename

Bug: https://bugs.debian.org/837075
---
 debian/changelog |  7 +++
 functions| 14 ++
 2 files changed, 21 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9a6412b..96a1dc9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.83) UNRELEASED; urgency=medium
+
+  * functions: Validate that the requested suite is listed in the
+Release file's Suite or Codename field. (Closes: #837075)
+
+ -- Ansgar Burchardt   Thu, 08 Sep 2016 17:26:53 +0200
+
 debootstrap (1.0.82) unstable; urgency=medium
 
   [ Alex Bennée ]
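Review bot: the entry documents the validation but not the new global CODENAME that the functions hunk of this same patch introduces; since the cover mail motivates storing the codename for suite-specific workarounds, a second bullet such as "* functions: Store the Release file's Codename in CODENAME for suite-specific workarounds." would keep the changelog complete.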
diff --git a/functions b/functions
index 67701ee..336f220 100644
--- a/functions
+++ b/functions
@@ -512,6 +512,18 @@ extract_release_components () {
 	fi
 }
 
+CODENAME=""
+validate_suite () {
+	local reldest="$1"
+
+	CODENAME=$(sed -n "s/^Codename: *//p" "$reldest")
+	local suite=$(sed -n "s/^Suite: *//p" "$reldest")
+
+	if [ "$SUITE" != "$suite" ] && [ "$SUITE" != "$CODENAME" ]; then
+		error 1 WRONGSUITE "Asked to install suite %s, but got %s (codename: %s) from mirror" "$SUITE" "$suite" "$CODENAME"
+	fi
+}
+
 download_release_sig () {
 	local m1="$1"
 	local reldest="$2"
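Review bot: in validate_suite, a Release file that carries neither a Suite: nor a Codename: line leaves both $suite and $CODENAME empty, so the comparison fails and the error fires even though the mirror may be serving exactly what was asked for; if such repositories should keep working, either skip the check when both fields are absent (with a warning) or make the rejection of field-less Release files explicit in the message. Minor style point: `local suite=$(sed ...)` discards sed's exit status behind the `local`; declaring and assigning on separate lines keeps it observable, and matches the way CODENAME is assigned just above.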
@@ -547,6 +559,8 @@ download_release_indices () {
 
 	download_release_sig "$m1" "$reldest" "$relsigdest"
 
+	validate_suite "$reldest"
+
 	extract_release_components $reldest
 
 	local totalpkgs=0
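Review bot: placing validate_suite after download_release_sig is the right order, since the Suite/Codename values are only worth comparing once the Release file has been fetched together with its signature; while touching this spot, the adjacent `extract_release_components $reldest` could gain the same quoting the new `validate_suite "$reldest"` call uses, so a path containing spaces is handled consistently by both.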
-- 
2.9.3
Bug#837075: debootstrap: does not validate `suite` parameter against Release file

2016-09-08 Thread Ansgar Burchardt
Package: debootstrap
Version: 1.0.81
Severity: normal

Running
  debootstrap ${suite} ${suite} ${mirror}
will install whatever the mirror serves as dists/${suite}, even when that
is not the requested suite.  This can easily be checked with a few Redirect
statements in a .htaccess file:

  Redirect /debian-wrong/pool http://ftp.de.debian.org/debian/pool
  Redirect /debian-wrong/dists/stable http://ftp.de.debian.org/debian/dists/unstable

Then
  debootstrap stable stable http://[...]/debian-wrong
will install unstable instead of stable.

debootstrap should validate that ${suite} is listed in the Release
file in either the Suite: or Codename: fields.  Additionally storing
the codename in a variable would also be useful for suite-specific
workarounds, such as [1].

Ansgar

  [1] 


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (300, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages debootstrap depends on:
ii  wget  1.18-2+b1

Versions of packages debootstrap recommends:
ii  debian-archive-keyring  2014.3
ii  gnupg   2.1.14-5

debootstrap suggests no packages.

-- no debconf information
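A stand-alone shell version of the check the report asks for, added here as an illustration and not debootstrap's own code: validate_suite reads the Suite: and Codename: fields from a Release file and rejects a mismatch, and demo replays the redirected-mirror scenario above with constructed Release files (the jessie and sid codenames are sample values).

```shell
# validate_suite REQUESTED RELEASE_FILE
# The check the report proposes: REQUESTED must equal either the Suite: or the
# Codename: field of the Release file the mirror actually served. On success
# prints the codename and returns 0; on mismatch (or missing fields) returns 1.
validate_suite() {
    _requested="$1"
    _release="$2"
    _suite=$(sed -n 's/^Suite: *//p' "$_release")
    _codename=$(sed -n 's/^Codename: *//p' "$_release")
    if [ -z "$_suite" ] && [ -z "$_codename" ]; then
        echo "validate_suite: $_release has neither Suite: nor Codename:" >&2
        return 1
    fi
    if [ "$_requested" != "$_suite" ] && [ "$_requested" != "$_codename" ]; then
        echo "validate_suite: asked for $_requested, got $_suite (codename: $_codename)" >&2
        return 1
    fi
    printf '%s\n' "$_codename"
}

# write_release PATH SUITE CODENAME: writes a minimal, constructed Release file
# (sample content, not a real mirror's).
write_release() {
    printf 'Origin: Debian\nSuite: %s\nCodename: %s\nArchitectures: amd64\n' \
        "$2" "$3" > "$1"
}

# demo: replays the report's scenario. An honest mirror's dists/stable carries
# "Suite: stable"; the redirected mirror hands back unstable's Release file.
# Returns 0 only if the honest file passes, the redirected one is rejected, and
# asking for the codename ("sid") of the served suite is still accepted.
demo() {
    _dir=$(mktemp -d) || return 1
    write_release "$_dir/honest" stable jessie       # sample codenames
    write_release "$_dir/redirected" unstable sid
    _ok=1
    validate_suite stable "$_dir/honest" >/dev/null || _ok=0
    validate_suite stable "$_dir/redirected" 2>/dev/null && _ok=0
    validate_suite sid "$_dir/redirected" >/dev/null || _ok=0
    rm -rf "$_dir"
    [ "$_ok" = 1 ]
}
```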