This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ca008d53b0ac1acb9c0a376346fbba544edfa34c commit ca008d53b0ac1acb9c0a376346fbba544edfa34c Author: Guillem Jover <[email protected]> AuthorDate: Mon Jun 22 18:57:07 2020 +0200 Detect merged-usr-via-symlinks also with absolute pathnames We should detect both the current relative symlinks (usr/*), and also the absolute pathnames (/usr/*), as there's been installations with both forms. Reported-by: Adam Borowski <[email protected]> --- debian/bug-script | 3 ++- debian/changelog | 4 ++++ scripts/Dpkg/Vendor/Debian.pm | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/debian/bug-script b/debian/bug-script index 56d654818..ae3b40296 100644 --- a/debian/bug-script +++ b/debian/bug-script @@ -3,7 +3,8 @@ set -e for d in /bin /sbin /lib /lib32 /libo32 /libx32 /lib64; do - if [ "$(readlink $d)" = "usr$d" ]; then + linkname="$(readlink $d)" + if [ "$linkname" = "usr$d" ] || [ "$linkname" = "/usr$d" ]; then echo "System tainted due to merged-usr-via-symlinks." >&3 break fi diff --git a/debian/changelog b/debian/changelog index aa64fb5cf..c8861aa72 100644 --- a/debian/changelog +++ b/debian/changelog @@ -44,6 +44,8 @@ dpkg (1.20.1) UNRELEASED; urgency=medium - Dpkg::Source::Package::V1: Check version format matching source format. - Dpkg::Vendor::Debian: Add debian-nonupload.gpg keyring. Thanks to Taowa Munene-Tardif <[email protected]>. Closes: #956055 + - Dpkg::Vendor::Debian: Detect merged-usr-via-symlinks also with absolute + pathnames. Reported by Adam Borowski <[email protected]>. * Documentation: - man: Fix misused two-fonts macros. Thanks to Bjarni Ingi Gislason <[email protected]>. Closes: #955028 
@@ -123,6 +125,8 @@ dpkg (1.20.1) UNRELEASED; urgency=medium README.feature-removal-schedule only in dpkg.deb. - Rename debian/usertags to debian/README.bug-usertags. - Install specifications to /usr/share/doc/dpkg/ in the dpkg-dev package. + - Detect merged-usr-via-symlinks also with absolute pathnames in + bug-script. Reported by Adam Borowski <[email protected]>. * Test suite: - Rename deb-content test cases to make them more descriptive. - Skip autogenerated files from codespell. diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm index eb06149af..23237a906 100644 --- a/scripts/Dpkg/Vendor/Debian.pm +++ b/scripts/Dpkg/Vendor/Debian.pm @@ -465,7 +465,7 @@ sub _build_tainted_by { next unless -l $pathname; my $linkname = readlink $pathname; - if ($linkname eq "usr$pathname") { + if ($linkname eq "usr$pathname" or $linkname eq "/usr$pathname") { $tainted{'merged-usr-via-symlinks'} = 1; last; } -- Dpkg.Org's dpkg
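Review bot: In the debian/bug-script hunk, the new line `linkname="$(readlink $d)"` is a plain assignment, so under the `set -e` shown in the hunk header its exit status is that of `readlink`, which is non-zero when `$d` does not exist or is not a symlink. The script would then abort at the first such directory instead of moving on to the next one. The removed form ran `readlink` inside the `[ ... ]` test of the `if`, where a failure did not stop the script. Suggest `linkname="$(readlink "$d" || true)"`, or a `[ -L "$d" ] || continue` guard before the assignment.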
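Review bot: In the scripts/Dpkg/Vendor/Debian.pm hunk (`_build_tainted_by`), the check remains an exact string comparison, so it recognises only the two spellings `usr$pathname` and `/usr$pathname`; a link target written with a trailing slash or a leading `./` would still go undetected. Consider normalising `$linkname` before comparing, and adding a test case for the absolute form, since the diffstat lists no test file. The same two-way comparison is now duplicated in debian/bug-script, so any later change needs to be made in both places.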

