Package: devscripts
X-Debbugs-Cc: [email protected], [email protected]
Version: 2.26.9
Severity: normal
Tags: patch

Dear Maintainer,

When constructing the mmdebstrap customize hook, debrebuild does not escape
the variables from the .buildinfo file's Environment block. This can result
in build failures if DEB_BUILD_OPTIONS contains multiple options. It could
also be used to create a malicious buildinfo file with extra commands added,
which would run in the build environment. The Trixie version of the package
is also affected, but I haven't checked any others.

Single DEB_BUILD_OPTIONS parameter (working):
$ mkdir -p /tmp/debrebuild
$ cd /tmp/debrebuild/
$ wget https://buildinfos.debian.net/buildinfo-pool/h/hello/hello_2.12.3-1_amd64.buildinfo
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out --builder=mmdebstrap
./out/ ends up with the correct build files.

Multiple parameters (no build in out/):
Edit hello_2.12.3-1_amd64.buildinfo:

@@ -176,7 +176,7 @@
  xz-utils (= 5.8.3-1),
  zlib1g (= 1:1.3.dfsg+really1.3.2-3)
 Environment:
- DEB_BUILD_OPTIONS="parallel=6"
+ DEB_BUILD_OPTIONS="parallel=6 terse"
  LANG="C.UTF-8"
  LC_COLLATE="C.UTF-8"
  LC_CTYPE="C.UTF-8

$ rm -rf out
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out --builder=mmdebstrap
./out/ contains a partial build

I've attached a patch that resolves the issue for me.

Kind regards,

Serge

-- Package-specific info:

--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.90+deb13.1-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages devscripts depends on:
ii  dpkg-dev                 1.23.7
ii  file                     1:5.47-4
ii  gpg                      2.4.9-4
ii  gpg-agent                2.4.9-4
ii  gpgv                     2.4.9-4
ii  libconfig-inifiles-perl  3.000003-5
ii  libdpkg-perl             1.23.7
ii  libfile-dirlist-perl     0.05-3
ii  libfile-homedir-perl     1.006-2
ii  libfile-touch-perl       0.12-2
ii  libio-string-perl        1.08-4
ii  libmoo-perl              2.005005-1
ii  libwww-perl              6.83-1
ii  libyaml-libyaml-perl     0.907.0+ds-1
ii  patchutils               0.4.5-1
ii  perl                     5.40.1-8
ii  python3                  3.13.9-3+b1
ii  sensible-utils           0.0.26
ii  wdiff                    1.2.2-9

Versions of packages devscripts recommends:
ii  apt                         3.3.1
ii  curl                        8.20.0-5
ii  dctrl-tools                 2.24-3+b1
ii  debian-keyring              2026.05.24
ii  debian-tag2upload-keyring   1.2
ii  diffstat                    1.69-1
ii  dput                        1.2.4
ii  equivs                      2.3.3
ii  git-debpush                 15.10
ii  libdistro-info-perl         1.15
ii  libencode-locale-perl       1.05-3
ii  libgitlab-api-v4-perl       0.27-1
ii  libjson-perl                4.10000-1
ii  liblwp-protocol-https-perl  6.15-1
ii  libmetacpan-client-perl     2.043000-1
ii  libsoap-lite-perl           1.27-3
ii  libstring-shellquote-perl   1.04-3
ii  liburi-perl                 5.35-1
ii  licensecheck                3.3.9-1
ii  lintian                     2.136.2
ii  lzip                        1.26-1
ii  man-db                      2.13.1-1
ii  patch                       2.8-2
ii  pristine-tar                1.50+nmu2
ii  python3-apt                 3.1.0
ii  python3-debian              1.1.1
ii  python3-magic               2:0.4.27-5
ii  python3-requests            2.32.5+dfsg-1
ii  python3-unidiff             0.7.5-2
ii  python3-xdg                 0.28-3
ii  sbuild                      0.91.9
ii  strace                      7.0+ds-1
ii  unzip                       6.0-29
ii  wget                        1.25.0-2
ii  xz-utils                    5.8.3-1

Versions of packages devscripts suggests:
pn  adequate                            <none>
pn  at                                  <none>
pn  autopkgtest                         <none>
pn  bls-standalone                      <none>
pn  bsd-mailx | mailx                   <none>
ii  build-essential                     12.12
pn  check-all-the-things                <none>
ii  debhelper                           14.1
pn  default-mta | mail-transport-agent  <none>
pn  diffoscope                          <none>
pn  disorderfs                          <none>
pn  docker.io                           <none>
pn  dose-extra                          <none>
pn  duck                                <none>
pn  elpa-devscripts                     <none>
pn  faketime                            <none>
pn  gnuplot                             <none>
pn  how-can-i-help                      <none>
ii  libauthen-sasl-perl                 2.2000-1
pn  libdbd-pg-perl                      <none>
pn  libterm-size-perl                   <none>
ii  libtimedate-perl                    2.3500-1
ii  mmdebstrap                          1.5.7-3
pn  mutt                                <none>
ii  openssh-client [ssh-client]         1:10.3p1-4
pn  piuparts                            <none>
pn  postgresql-client                   <none>
pn  pristine-lfs                        <none>
ii  python3-debianbts                   4.1.1
pn  python3-pycurl                      <none>
pn  quilt                               <none>
pn  ratt                                <none>
pn  reprotest                           <none>
pn  svn-buildpackage                    <none>
pn  w3m                                 <none>

-- no debconf information

From fca32754b6b2f7cb7751847a86921ae4c1f0a1c8 Mon Sep 17 00:00:00 2001
From: Serge Schneider <[email protected]>
Date: Tue, 16 Jun 2026 14:12:41 +0100
Subject: [PATCH] debrebuild: shell-quote the mmdebstrap customize-hook script

The buildinfo's Environment values are interpolated verbatim into the
inner shell script, and their literal double quotes collide with the
outer sh -c "...". Wrap the whole inner script in shell_quote so the
nested quotes can't terminate the outer one early.

Without this, dpkg-buildpackage silently never runs for any buildinfo
that has a quoted Environment value (e.g. DEB_BUILD_OPTIONS with a
space).
---
 scripts/debrebuild.pl | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/scripts/debrebuild.pl b/scripts/debrebuild.pl
index 4b2a4b54..8962629e 100755
--- a/scripts/debrebuild.pl
+++ b/scripts/debrebuild.pl
@@ -715,8 +715,8 @@ if ($builder eq "none") {
               . (String::ShellQuote::shell_quote $dsc_fname)
               . " \"\$1\""
         ),
-        '--customize-hook=chroot "$1" sh -c "'
-          . (
+        '--customize-hook=chroot "$1" sh -c '
+          . String::ShellQuote::shell_quote(
             join ' && ',
             "mkdir -p "
               . (String::ShellQuote::shell_quote(dirname $custom_build_path)),
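Review bot: the trailing space in `'--customize-hook=chroot "$1" sh -c '` is now load-bearing, because `String::ShellQuote::shell_quote(` is concatenated directly after it and without that space the quoted script would fuse onto `-c`; a short comment, or building the argument with `join ' '`, would make the intent explicit. The approach itself is sound: shell_quote single-quotes the whole joined script, so the literal double quotes coming from the Environment block can no longer terminate the outer `sh -c` string early, which is exactly the failure the commit message describes.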
@@ -727,8 +727,7 @@ if ($builder eq "none") {
             @binnmucmds,
 "env $environment dpkg-buildpackage -uc -a $host_arch --build=$build",
             'cd /',
-            'rm -r ' . (String::ShellQuote::shell_quote $custom_build_path))
-          . '"',
+            'rm -r ' . (String::ShellQuote::shell_quote $custom_build_path)),
         '--customize-hook=sync-out '
           . (dirname $custom_build_path)
           . " $outdir",
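Review bot: the context line `"env $environment dpkg-buildpackage -uc -a $host_arch --build=$build"` still interpolates `$environment` unquoted into the inner script, so after this change the inner `sh -c` parses the buildinfo's Environment values as shell syntax (that is why `DEB_BUILD_OPTIONS="parallel=6 terse"` now works: the inner shell consumes the double quotes). Unless `$environment` is assembled elsewhere with a per-assignment `shell_quote` (not visible in this diff), the report's second concern, a crafted buildinfo adding commands, is not closed by this hunk alone; quoting each `KEY=VALUE` when `$environment` is built would make the values inert. The closing `)` added on the `rm -r` line pairs with the `shell_quote(` opened in the previous hunk, so the paren balance is correct.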
-- 
2.43.0
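The quoting collision described in the report, with the pre-patch `sh -c "..."` wrapping beside the patch's whole-script quoting, as an added example that is not part of the bug report or of debrebuild's own code. Python's `shlex.quote` stands in for Perl's `String::ShellQuote::shell_quote`, a `printf` stands in for dpkg-buildpackage, the Environment block and its simplified `KEY="VALUE"` parser are constructed for the example, and the `hook_hardened` variant (quoting each `KEY=VALUE` as one literal word as well) is a suggestion of this example, not something the attached patch does.

```python
import re
import shlex
import subprocess

# Constructed Environment block in the shape of a .buildinfo file (not a real one).
ENVIRONMENT_BLOCK = """\
 DEB_BUILD_OPTIONS="parallel=6 terse"
 LANG="C.UTF-8"
"""

# Stand-in for dpkg-buildpackage: report the variable the build would have seen.
INNER_CMD = 'printf "%s" "$DEB_BUILD_OPTIONS"'
EXPECTED = "parallel=6 terse"

_ENV_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)="(.*)"\s*$')


def parse_environment(block):
    """Simplified parser for the KEY="VALUE" lines of an Environment block."""
    pairs = []
    for line in block.splitlines():
        m = _ENV_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def env_prefix_verbatim(pairs):
    """Like debrebuild: the buildinfo's own double quotes are reused as-is."""
    return " ".join(f'{k}="{v}"' for k, v in pairs)


def env_prefix_quoted(pairs):
    """Hardened variant (assumption, not in the patch): each assignment is one literal word."""
    return " ".join(shlex.quote(f"{k}={v}") for k, v in pairs)


def inner_script(env_prefix):
    """The script run inside the chroot, with dpkg-buildpackage replaced by INNER_CMD."""
    return f"env {env_prefix} sh -c {shlex.quote(INNER_CMD)}"


def hook_unquoted(pairs):
    """Pre-patch shape: inner script wrapped in literal double quotes."""
    return 'sh -c "' + inner_script(env_prefix_verbatim(pairs)) + '"'


def hook_quoted(pairs):
    """Patch shape: the whole inner script becomes one single-quoted argument."""
    return "sh -c " + shlex.quote(inner_script(env_prefix_verbatim(pairs)))


def hook_hardened(pairs):
    """Patch shape plus per-assignment quoting of the Environment values."""
    return "sh -c " + shlex.quote(inner_script(env_prefix_quoted(pairs)))


def words(command):
    """Tokenise a command as a POSIX shell would (shlex applies the same quoting rules)."""
    return shlex.split(command)


def run_hook(hook):
    """Run the hook through /bin/sh, as mmdebstrap would; returns (exit status, stdout)."""
    p = subprocess.run(["/bin/sh", "-c", hook], capture_output=True, text=True)
    return p.returncode, p.stdout


if __name__ == "__main__":
    pairs = parse_environment(ENVIRONMENT_BLOCK)
    for name, hook in (("unquoted", hook_unquoted(pairs)),
                       ("quoted", hook_quoted(pairs)),
                       ("hardened", hook_hardened(pairs))):
        # With the unquoted form the outer shell splits the hook into four words, so
        # the inner 'sh -c' receives a truncated script and INNER_CMD never runs.
        print(name, "outer shell sees:", words(hook))
        print(name, "build saw:", repr(run_hook(hook)[1][:60]))
```

Running the block shows the pre-patch hook being split by the outer shell at the first double quote of the Environment value, which is why the build step silently never runs, while both quoted forms deliver `parallel=6 terse` to the inner command; the hardened form additionally keeps each value out of the inner shell's syntax entirely.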
