Your message dated Mon, 03 Jul 2017 06:04:02 +0000
with message-id <[email protected]>
and subject line Bug#608648: fixed in debconf 1.5.62
has caused the Debian Bug report #608648,
regarding dpkg-reconfigure should chdir("/") before running maintainer scripts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
608648: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608648
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dput
Version: 0.9.2.35
Severity: normal

There's a (admittedly very small) chance that the Python script in
postinst can be intercepted by an unprivileged user on a multiuser
system, if the postinst script happens to be executed from a directory
where that user has write access. This is because when a script
specified with the -c argument of the Python interpreter is run, it
will first search for modules in the working directory.

For example, suppose I create the file compileall.py with the following
contents in the current working directory:

def main():
  print "Hello"

Then, invoking "sudo dpkg-reconfigure dput" from the same directory
will give the output "Hello". Though perhaps this could be considered
a user error, since dpkg is invoked from an "untrusted" directory.
Anyhow, the following patch simply suggests to change to a directory
that is known to be safe before invoking the script.

--- a/debian/postinst   2008-09-22 18:01:17.000000000 +0000
+++ b/debian/postinst   2008-10-21 22:05:00.000000000 +0000
@@ -4,6 +4,7 @@
 
 case "$1" in
        configure|abort-upgrade|abort-remove|abort-deconfigure)
+               cd $DIR
                python -c 'import sys, compileall ; exit_status = int(not 
compileall.main()); sys.exit(exit_status)' -q $DIR
        ;;
        *)
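Review bot: the added `cd $DIR` is unquoted and unchecked, so if the cd fails the one-liner on the following line still runs from the original, possibly user-writable, working directory (unless the postinst sets -e higher up, which this hunk does not show); suggest `cd "$DIR" || exit 1`. Two further points on the same line: the later `-q $DIR` argument only keeps working after the cd if $DIR is absolute, and changing into $DIR only closes the hole if $DIR itself is root-owned and not writable by other users, which the hunk does not establish. Changing to `/` before running the interpreter, as the bug title proposes, avoids both questions and still lets compileall be pointed at an absolute $DIR.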

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages dput depends on:
ii  gnupg                         1.4.9-3    GNU privacy guard - a free PGP rep
ii  python                        2.5.2-2    An interactive high-level object-o

dput recommends no packages.

Versions of packages dput suggests:
ii  lintian                       2.0.0      Debian package checker
ii  mini-dinstall                 0.6.25     daemon for updating Debian package
ii  openssh-client                1:5.1p1-3  secure shell client, an rlogin/rsh
ii  rsync                         3.0.4-3    fast remote file copy program (lik
pn  yaclc                         <none>     (no description available)

-- no debconf information



--- End Message ---
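The shadowing described in the report, as an added example that is not part of the bug report or of the dput/debconf packages: the script below plants a fake `compileall.py` in a throw-away directory (constructed for the demonstration), then runs `python -c 'import compileall ...'` with that directory, with `/`, and with the interpreter's isolated mode (`-I`, Python 3.4+) as the working directory, and reports which `compileall` was actually imported in each case. Function and variable names are the example's own.

```python
"""Show how `python -c` imports from the working directory first, and two
ways to stop it: chdir to a root-owned directory (the fix in the bug) or
run the interpreter with -I.  Added example, not code from the bug report
or from dput/debconf."""
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a module an unprivileged user could drop into a
# shared directory; it only has to carry the name of a stdlib module.
PLANTED_SOURCE = "def main():\n    print('shadowed compileall')\n    return True\n"

# The probe mirrors the shape of the postinst one-liner: import the module
# by name and report where it really came from (realpath so that symlinked
# temp directories compare equal on every platform).
PROBE = ("import compileall, os, sys; "
         "sys.stdout.write(os.path.realpath(compileall.__file__))")


def resolve_compileall(cwd, isolated=False):
    """Return the real path of the compileall module that `python -c`
    imports when started with working directory `cwd`.  With isolated=True
    the interpreter runs under -I, which drops the cwd entry from sys.path
    regardless of where it was started."""
    argv = [sys.executable]
    if isolated:
        argv.append("-I")
    argv += ["-c", PROBE]
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    """Run the three scenarios; each value is True if the planted module
    shadowed the standard library one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "compileall.py")
        with open(planted, "w") as fh:
            fh.write(PLANTED_SOURCE)
        planted = os.path.realpath(planted)

        # 1. Started from the writable directory: '' (cwd) is sys.path[0].
        results["from_writable_dir"] = resolve_compileall(tmp) == planted
        # 2. The fix from the bug: chdir to a root-owned directory first.
        results["from_root"] = resolve_compileall("/") == planted
        # 3. Same untrusted cwd, but -I removes the cwd entry from sys.path.
        results["isolated"] = resolve_compileall(tmp, isolated=True) == planted
    return results


if __name__ == "__main__":
    for name, hijacked in demo().items():
        verdict = "planted module imported" if hijacked else "stdlib module imported"
        print(f"{name}: {verdict}")
```

Only the first scenario should report the planted module; the other two show that either mitigation is sufficient on its own. Note that `-I` also ignores PYTHONPATH and user site-packages, which is usually what a maintainer script wants anyway.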
--- Begin Message ---
Source: debconf
Source-Version: 1.5.62

We believe that the bug you reported is fixed in the latest version of
debconf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated debconf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 03 Jul 2017 06:38:14 +0100
Source: debconf
Binary: debconf debconf-i18n debconf-doc debconf-utils
Architecture: source
Version: 1.5.62
Distribution: unstable
Urgency: medium
Maintainer: Debconf Developers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
 debconf    - Debian configuration management system
 debconf-doc - debconf documentation
 debconf-i18n - full internationalization support for debconf
 debconf-utils - debconf utilities
Closes: 608648 701818
Changes:
 debconf (1.5.62) unstable; urgency=medium
 .
   * Upgrade to debhelper v9 and dh-exec.
   * Make debconf provide python-debconf and python3-debconf, in preparation
     for splitting those out to separate binary packages (see #709198).
   * dpkg-preconfigure: Don't write "Extracting templates from packages:"
     progress output if stderr is not a terminal (closes: #701818).
   * Change directory to / before executing maintainer scripts (closes:
     #608648).
   * Install to $Config{vendorlib} rather than hardcoding /usr/share/perl5.
   * Upgrade to copyright-format 1.0.
   * Policy version 4.0.0.
Checksums-Sha1:
 0c1ec5b9857c0435d255911cc0f92fa370b16c66 1937 debconf_1.5.62.dsc
 87001ef01cc8451afb96a9aea2929c0be853c7fb 570636 debconf_1.5.62.tar.xz
 3a910ebb382adc85be9da78c947aa413d4a17b2f 6270 debconf_1.5.62_source.buildinfo
Checksums-Sha256:
 86b7ac017d61cd102282cf45d9b59db8f2e6331dbd5e086b9b82ce3d2b7f23b0 1937 debconf_1.5.62.dsc
 bf47a4b03d3c95df2645d2139c27d4f7c6f10772ac8171f99c795e626ba4826c 570636 debconf_1.5.62.tar.xz
 c951b8c7053bcbda7ba1a71eef2da34b28070fb04d9d45f08f01e66582564b47 6270 debconf_1.5.62_source.buildinfo
Files:
 34cdb662832a32bc732e4239c3c422b4 1937 admin optional debconf_1.5.62.dsc
 50c16994b8fda902b387038872190dcd 570636 admin optional debconf_1.5.62.tar.xz
 d0f86ee43eb349aa939405ec5f8b59fa 6270 admin optional debconf_1.5.62_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---