Control: reassign -1 src:open-vm-tools 2:10.1.0-4449150-1
Control: severity -1 serious
Control: retitle -1 open-vm-tools: incorrect filename in open-vm-tools-desktop.md5sums

On 2016-12-06 17:47, Niko Tyni wrote:
> On Tue, Dec 06, 2016 at 04:35:57PM +0100, Andreas Beckmann wrote:
>> Package: debsums
>> Version: 2.1.3
>> Severity: important
>
>> open-vm-tools-desktop contains a file with an 'interesting' name:
>>
>> /lib/systemd/system/run-vmblock\x2dfuse.mount
>>
>> and debsums reports that the file is missing although it exists in the
>> file system:
>>
>> # debsums -ac
>> debsums: missing file /lib/systemd/system/run-vmblock\\x2dfuse.mount (from
>> open-vm-tools-desktop package)
>>
>> # ls -la '/lib/systemd/system/run-vmblock\x2dfuse.mount'
>> -rw-r--r-- 1 root root 460 Nov 16 02:35
>> /lib/systemd/system/run-vmblock\x2dfuse.mount
>>
>> Maybe the backslash has been escaped once too much?
>
> It's doubly escaped in the md5sums database:
>
> # grep run-vm /var/lib/dpkg/info/open-vm-tools-desktop.md5sums
> dde14951417e0e9f73b80f871e6540d1
> lib/systemd/system/run-vmblock\\x2dfuse.mount
>
> There's background in #843163. It looks like this is due to this feature
> of GNU md5sum (from coreutils.info):
>
> If FILE contains a backslash or newline, the line is started with a
> backslash, and each problematic character in the file name is escaped
> with a backslash, making the output unambiguous even in the presence
> of arbitrary file names.
>
> Indeed:
>
> # md5sum /lib/systemd/system/run-vmblock*
> \dde14951417e0e9f73b80f871e6540d1
> /lib/systemd/system/run-vmblock\\x2dfuse.mount
>
> I see src:open-vm-tools fiddles with the entry in debian/rules,
> removing the first backslash at the start of the line but not
> touching the doubled one. This seems to be wrong. While the result
> does pass 'dpkg --verify', it only does so because the file name
> doesn't match: if I manually change the checksum to a wrong one in
> /var/lib/dpkg/info/open-vm-tools-desktop.md5sums, 'dpkg --verify' stays
> happy. If I remove the double backslash, wrong checksums start to get
> detected properly.
>
> So it looks to me like the workaround in open-vm-tools should be fixed
> to remove the double backslash, at which point both 'dpkg --verify'
> and debsums will work?

Agreed.

Andreas
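
The escaping discussed in this thread, as an added example that is not part of the original messages or of the open-vm-tools packaging: it undoes both halves of md5sum's escaping when building an md5sums entry, and flags entries in an existing md5sums file whose listed name is missing on disk only because it is still escaped. The function names and the two-character separator after the digest are assumptions of the example.

```python
import os
import re

# Line as shown in the thread (digest and path from the page; separator assumed).
PAGE_LINE = r"\dde14951417e0e9f73b80f871e6540d1  /lib/systemd/system/run-vmblock\\x2dfuse.mount"

_ESC = re.compile(r"\\(.)")

def unescape_name(name):
    """Undo md5sum's file name escaping: '\\\\' -> backslash, '\\n' -> newline.
    Scanning left to right keeps an escaped backslash followed by 'n' literal."""
    return _ESC.sub(lambda m: "\n" if m.group(1) == "n" else m.group(1), name)

def parse_md5sum_line(line):
    """Return (digest, real file name) for one line of md5sum output."""
    escaped = line.startswith("\\")      # marker: the name on this line is escaped
    if escaped:
        line = line[1:]
    digest, name = line[:32], line[34:]  # 32 hex digits, then 2 separator chars
    return digest, (unescape_name(name) if escaped else name)

def dpkg_entry(line):
    """Build an md5sums entry (path relative to /) from one md5sum output line."""
    digest, name = parse_md5sum_line(line.rstrip("\n"))
    if "\n" in name:
        raise ValueError("a name containing a newline does not fit a one-line entry")
    return f"{digest}  {name.lstrip('/')}"

def stale_escapes(md5sums_text, root):
    """List (listed, real) names where the listed path is absent under root
    but its unescaped form exists, i.e. the checksum is never compared."""
    hits = []
    for entry in md5sums_text.splitlines():
        name = entry[34:]
        fixed = unescape_name(name)
        if (fixed != name
                and not os.path.lexists(os.path.join(root, name))
                and os.path.lexists(os.path.join(root, fixed))):
            hits.append((name, fixed))
    return hits

if __name__ == "__main__":
    print(dpkg_entry(PAGE_LINE))
```

Removing only the leading backslash, as the thread describes, leaves the name escaped, which is the case `stale_escapes` reports.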

