Package: xapt
Version: 2.2.18
Severity: critical
File: /usr/sbin/embuilddeps
Justification: breaks the whole system

Just experienced a situation where embuilddeps managed to replace
/bin/tar with an armel binary on an amd64 machine, due to MultiArch
being enabled on that system to support armel.

Other files also got replaced:

/bin/tempfile
/usr/bin/locale
/sbin/ldconfig

This results in a system which cannot unpack .deb files and therefore
needs a handy chroot nearby from which the actual /bin/ executables can
be copied... or a reinstall.

The problem is twofold:

The MultiArch support in embuilddeps and xapt is not enabled by default
- this was a mistake in the early development of the transitional
support between old-world dpkg-cross paths and new-world MultiArch
paths. The exact version of dpkg which would enable this support was
not clear at the time that the support in xapt was implemented.

The final stage of the xapt installation of packages converted by
dpkg-cross is not sufficiently careful and can force dpkg to install
packages which have not been converted.

I initially had this problem on my development machine which is running
current SVN but I have since reproduced this problem in a Wheezy VM
using the xapt package from Wheezy.

In that case, I stopped the process part way through but dpkg had
already replaced:

debianutils
dpkg
bsdutils
debconf
debhelper
dpkg-dev
file
libc-bin

Although the affected version has been backported to Squeeze, Squeeze
is not affected because the version of dpkg in Squeeze doesn't allow a
foreign architecture to be specified and the version of dpkg-cross in
Squeeze does not support converting MultiArch packages to dpkg-cross
paths.

The fix will be to force the existing MultiArch support to be enabled
when the architecture requested matches a supported dpkg foreign
architecture and to tighten the restrictions on the list of .deb
packages to be installed to ensure that only -cross packages are
selected.

Currently, my proposed changes for the multiarch / foreign-architecture
match detection code look a bit like:

# use dpkg --print-foreign-architectures (needs dpkg >= 1.16.2)
my $cmd = 'dpkg-query -W -f \'${Version}\' dpkg';
$installed = `$cmd 2>/dev/null`;
my $res = system ("dpkg --compare-versions $installed '>=' 1.16.2");
$res >>= 8;
if (($res == 0) and (not defined $multiarch)) {
        # -x matches the whole line, so a requested architecture only matches
        # an identically named foreign architecture, not a substring of one
        $res = system("dpkg --print-foreign-architectures | grep -x '$arch' > /dev/null");
        $res >>= 8;
        if ($res == 0) {
                # MultiArch also needs a dpkg-cross of at least $minver
                $cmd = 'dpkg-query -W -f \'${Version}\' dpkg-cross';
                $installed = `$cmd 2>/dev/null`;
                $res = system ("dpkg --compare-versions $installed '>=' $minver");
                $res >>= 8;
                if ($res != 0) {
                        die ("Unsupported combination of old dpkg-cross and new dpkg!\n");
                }
                $multiarch++;
                warn ("Warning: Multi-Arch support has been enabled.\n");
        }
}



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armel
i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xapt depends on:
ii  apt                      0.9.7.5
ii  dpkg-cross               2.6.7
ii  dpkg-dev                 1.16.8
ii  libconfig-inifiles-perl  2.75-1
ii  libdpkg-perl             1.16.8
ii  liblocale-gettext-perl   1.05-7+b1
ii  perl                     5.14.2-13

xapt recommends no packages.

xapt suggests no packages.

-- no debconf information


-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
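
A check an administrator could run after an incident like the one reported above, as an added example (not code from xapt or from the report): it reads the ELF header of each file in the system binary directories and lists those built for a different machine type than the host. The `HOST_MACHINE` table, the default directory list and the function names are assumptions of this example.

```python
"""Added example: flag ELF files whose machine type differs from the host's."""
import os
import struct
import sys

# e_machine values from the ELF specification
EM_NAMES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
# Assumption: mapping of `uname -m` strings to the expected e_machine value
HOST_MACHINE = {"x86_64": 62, "i686": 3, "armv7l": 40, "aarch64": 183}


def elf_machine(path):
    """Return e_machine for an ELF file, or None if not ELF or unreadable."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(20)
    except OSError:
        return None
    if len(head) < 20 or head[:4] != b"\x7fELF":
        return None
    # e_ident[EI_DATA] (byte 5): 1 = little-endian, 2 = big-endian
    endian = "<" if head[5] == 1 else ">"
    return struct.unpack_from(endian + "H", head, 18)[0]


def foreign_binaries(dirs, expected):
    """List (path, arch name) for regular ELF files not built for `expected`."""
    hits = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            machine = elf_machine(path) if os.path.isfile(path) else None
            if machine is not None and machine != expected:
                hits.append((path, EM_NAMES.get(machine, "em_%d" % machine)))
    return hits


if __name__ == "__main__":
    expected = HOST_MACHINE.get(os.uname().machine)
    if expected is None:
        sys.exit("unknown host machine; extend HOST_MACHINE")
    dirs = sys.argv[1:] or ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
    for path, arch in foreign_binaries(dirs, expected):
        print("%s: %s" % (path, arch))
```

Shell scripts and other non-ELF files are skipped; foreign-architecture programs that were installed on purpose are listed as well.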
