Package: libjson-c-dev
Version: 0.11-4
Severity: serious
Tags: patch
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package causes creation of
unowned symlinks (via ldconfig) in /usr/lib/<triplet>:

0m31.3s DEBUG: Starting command: ['chroot', '/tmp/piupartss/tmpZYURWg', 
'tmp/scripts/pre_remove_40_find_unowned_lib_links']
0m33.9s DUMP: 
  UNOWNED SYMLINK /usr/lib/x86_64-linux-gnu/libjson-c.so.2 -> libjson.so

Policy 8.1 says:

    The run-time library package should include the symbolic link for
    the SONAME that ldconfig would create for the shared libraries. For
    example, the libgdbm3 package should include a symbolic link from
    /usr/lib/libgdbm.so.3 to libgdbm.so.3.0.0. This is needed so that
    the dynamic linker (for example ld.so or ld-linux.so.*) can find the
    library between the time that dpkg installs it and the time that
    ldconfig is run in the postinst script.

So your package is a bit special here since it is a -dev package and
affected by having the library in /lib, but the .so link in /usr/lib.

ldconfig is not triggered by libjson-c-dev installation/removal, so the
symlink will show up/disappear once something else triggered ldconfig,
leaving a potentially very long time window where
/usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev
removal.

Patch attached.

It's probably ok to ask for a jessie-ignore tag unless you can show that
this dangling link causes an actual problem.


Andreas
From 646a7884059bfe2c973b0bca371a9bbf7ac76d29 Mon Sep 17 00:00:00 2001
From: Andreas Beckmann <a...@debian.org>
Date: Sat, 11 Jul 2015 14:02:31 +0200
Subject: [PATCH] libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink

otherwise this would be an unowned link created/removed by ldconfig

ldconfig is not triggered by libjson-c-dev installation/removal, so the
symlink will show up/disappear once something else triggered ldconfig,
leaving a potentially very long time window where
/usr/lib/<triplet>/libjson-c.so.2 is dangling after libjson-c-dev
removal
---
 debian/changelog             | 10 +++++++++-
 debian/libjson-c-dev.install |  2 +-
 debian/libjson-c-dev.links   |  3 +++
 debian/rules                 |  7 +++----
 4 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100755 debian/libjson-c-dev.links

diff --git a/debian/changelog b/debian/changelog
index 3970061..8e33404 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,14 @@
+json-c (0.11-5) UNRELEASED; urgency=medium
+
+  * libjson-c-dev: Ship /usr/lib/<triplet>/libjson-c.so.2 symlink that would
+    otherwise become a dangling link (initially created by ldconfig) after
+    package removal.  (Closes: #xxxxxx)
+
+ -- Andreas Beckmann <a...@debian.org>  Sat, 11 Jul 2015 13:50:43 +0200
+
 json-c (0.11-4) unstable; urgency=low
 
-  * Add upstream patch to fix two security vulnerabilitiesa (Closes: #744008)
+  * Add upstream patch to fix two security vulnerabilities (Closes: #744008)
     + [CVE-2013-6371]: hash collision denial of service
     + [CVE-2013-6370]: buffer overflow if size_t is larger than int
 
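Review bot: The new 0.11-5 entry still carries the placeholder "(Closes: #xxxxxx)"; it needs the real bug number before upload, otherwise the upload will not close the report. The same hunk also corrects the "vulnerabilitiesa" typo inside the already released 0.11-4 entry. That is harmless, but the new entry does not mention it, so either note it there or leave the released entry untouched.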
diff --git a/debian/libjson-c-dev.install b/debian/libjson-c-dev.install
index 3d52de9..f7531b3 100644
--- a/debian/libjson-c-dev.install
+++ b/debian/libjson-c-dev.install
@@ -1,5 +1,5 @@
 usr/lib/*/libjson-c.a
-usr/lib/*/libjson-c.so
+#usr/lib/*/libjson-c.so
 usr/include/json-c/*
 usr/lib/*/pkgconfig/json-c.pc
 json_object_iterator.h /usr/include/json-c/
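Review bot: The line "#usr/lib/*/libjson-c.so" is commented out rather than deleted, with nothing saying why. Since the symlink is now created from debian/libjson-c-dev.links, drop the line entirely, or add a short comment pointing at the .links file, so nobody re-enables it later and ends up with the path listed in both the install and links files.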
diff --git a/debian/libjson-c-dev.links b/debian/libjson-c-dev.links
new file mode 100755
index 0000000..c909a2f
--- /dev/null
+++ b/debian/libjson-c-dev.links
@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2
+/usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so.2 /usr/lib/${DEB_HOST_MULTIARCH}/libjson-c.so
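Review bot: The "#!/usr/bin/dh-exec" shebang on the first line makes the build depend on dh-exec, but the diffstat shows no change to debian/control; please confirm dh-exec is already in Build-Depends or add it in this patch. Both link lines also hard-code the SONAME as "libjson-c.so.2", whereas the code removed from debian/rules derived the target with readlink, so this file has to be updated by hand on the next SONAME bump. A comment in debian/rules or README.source saying so would help.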
diff --git a/debian/rules b/debian/rules
index 34dde57..ce3233f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,10 +20,9 @@ override_dh_auto_clean:
 override_dh_auto_install:
 	dh_auto_install
 
-	# we install libjson-c into /lib, so fix the link
-	T=$$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so); \
-	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so; \
-	ln -s /lib/$(DEB_HOST_MULTIARCH)/$$(basename $$T) debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so
+	# we install libjson-c into /lib, so fix the link in a way understood by ldconfig
+	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson-c.so
+	# new links are created by libjson-c-dev.links
 
 	# add thin symlink compatibility layer for json.so
 	rm debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libjson.*
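Review bot: The comment "fix the link in a way understood by ldconfig" now sits above a bare rm, which fixes nothing by itself; the actual fix is in libjson-c-dev.links, mentioned only in the trailing comment. Suggest merging the two into a single comment above the rm, for example "remove the upstream libjson-c.so link; replacements are created by libjson-c-dev.links". Also note the rm has no -f, so the build fails if upstream ever stops installing that link; that may be intended as a tripwire, but it is worth stating in the comment.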
-- 
2.1.4
