Hi!

On Tue, 2022-05-31 at 22:10:29 +0200, Paul Gevers wrote:
> Source: dpkg
> Version: 1.20.10
> Severity: important

> Our proposed-updates queue [1] shows regressions in the autopkgtest of
> lintian with the security version of dpkg. Looking at the logs [2], it
> appears to me that the file permissions of files in the test
> change. If I understand the security issue correctly, I don't think
> that was intended. Again, I may be reading the signs wrong, but I
> suspect you want to have a look.

Hmm, right. We noticed this on the new security queue autopkgtest
infra, and I checked locally and it was reproducible, but for some
reason I disregarded it as not relevant. :/

Perhaps because it was not showing up on lintian's sid test suite (but
just checked now and the test seems to have been removed from there),
and I'm assuming I didn't test against the previous dpkg version. So,
it seems I botched the testing procedure somewhere.

In any case, I think the attached patch fixes this, which during the
days I was preparing the fix this came to mind to take into account,
but I guess I forgot along the way. :/ I'll test this tomorrow against
the older lintian test suite. I guess I'll need to talk with the
security team avoid issuing a security fixup?

Thanks,
Guillem
diff --git i/scripts/Dpkg/Source/Package/V2.pm w/scripts/Dpkg/Source/Package/V2.pm
index 1167625d7..68a967168 100644
--- i/scripts/Dpkg/Source/Package/V2.pm
+++ w/scripts/Dpkg/Source/Package/V2.pm
@@ -218,7 +218,7 @@ sub do_extract {
     # Extract main tarball
     info(g_('unpacking %s'), $tarfile);
     my $tar = Dpkg::Source::Archive->new(filename => "$dscdir$tarfile");
-    $tar->extract($newdirectory, no_fixperms => 1,
+    $tar->extract($newdirectory,
                   options => [ '--anchored', '--no-wildcards-match-slash',
                                '--exclude', '*/.pc', '--exclude', '.pc' ]);
     # The .pc exclusion is only needed for 3.0 (quilt) and to avoid
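Review bot: dropping `no_fixperms => 1` from the main tarball `extract()` call leaves no trace in the code of why the permission fix-up must run here, and the patch carries no test for it. The regression was only noticed through lintian's autopkgtest, so a short comment above the call and a test case in dpkg's own suite that checks the modes of the unpacked files would keep this from being reintroduced.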
@@ -239,7 +239,7 @@ sub do_extract {
             erasedir("$newdirectory/$subdir");
         }
         $tar = Dpkg::Source::Archive->new(filename => "$dscdir$file");
-        $tar->extract("$newdirectory/$subdir", no_fixperms => 1);
+        $tar->extract("$newdirectory/$subdir");
     }
 
     # Stop here if debianization is not wanted
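Review bot: the additional-tarball `extract()` call in this loop needed the same removal as the main tarball one, which suggests the option was added per call site. Please confirm that no other `extract()` callers outside this file still pass `no_fixperms => 1` and show the same permission change; if any must keep it, a comment at that call explaining why would help.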
