Package: debsums
Version: 2.0.52
Severity: important

Hi,

while analyzing two dubious piuparts errors involving debsums, I noticed
that debsums incorrectly reports some missing files. It works fine if I
install debsums in the chroot and run it from there, but it fails if I
run it from outside with the --root option.

One package in question is drupal6-trans-ru which ships the file
/usr/share/drupal6/profiles/default/translations/ru.po, but the drupal
package (which was installed first) contains a
/usr/share/drupal6/profiles -> /etc/drupal/6/profiles symlink, so the
file actually ended up as
/etc/drupal/6/profiles/default/translations/ru.po
(This is a bad thing, but that's not the point in this bug report.)

debsums reports nothing inside the chroot:
(pbuild7199)root@host:/# debsums -ac

but running debsums from the outside of the chroot:
$ sudo debsums -ac --root /tmp/pbuilder/build/7199/
debsums: missing file /tmp/pbuilder/build/7199//usr/share/drupal6/profiles/default/translations/ru.po (from drupal6-trans-ru package)

and if I create /etc/drupal/6/profiles/default/translations/ru.po on the
host system with some random content, I get an md5sum mismatch:
$ sudo debsums -ac --root /tmp/pbuilder/build/7199/
/tmp/pbuilder/build/7199//usr/share/drupal6/profiles/default/translations/ru.po

I don't know if one can manage to replace binaries in the chroot and
then create a symlink hierarchy so that debsums run from outside
(probably with a secure, untamperable copy of the admindir given to
the --admindir option) would not notice this modification, as it would
check a safe file from the host instead ...
If this is possible, the severity should be raised, as this is a possible
security issue.

I didn't try it, but you can probably escape via a long chain of
../../../../.. ..., too.


Andreas


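The resolution a --root check needs, as an added example that is not part of the report or of debsums (which is written in Perl): a resolver that walks a path component by component and re-anchors absolute symlink targets and `..` at the chroot root, the way a real chroot does, next to the naive "prepend --root and let the host follow symlinks" behaviour described above. The function names are hypothetical, and the fixture is a constructed temporary directory that mirrors the drupal6 symlink layout from the report.

```python
import os
import tempfile

MAX_LINKS = 40  # symlink-loop guard, mirroring the kernel's ELOOP limit


def resolve_in_root(root, path):
    """Host path that `path` denotes inside a chroot at `root`: absolute
    symlink targets and '..' are re-anchored at `root`, never the host."""
    root = os.path.realpath(root)
    parts = [p for p in path.split("/") if p not in ("", ".")]
    rel, hops = [], 0           # resolved components, relative to root
    while parts:
        comp = parts.pop(0)
        if comp == "..":
            if rel:             # '..' at the root stays at the root
                rel.pop()
            continue
        candidate = os.path.join(root, *rel, comp)
        if os.path.islink(candidate):
            hops += 1
            if hops > MAX_LINKS:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                rel = []        # absolute target: relative to the chroot root
            parts = [p for p in target.split("/") if p not in ("", ".")] + parts
        else:
            rel.append(comp)
    return os.path.join(root, *rel)


def naive_resolve(root, path):
    """What merely prepending --root does: symlinks are followed on the host."""
    return os.path.realpath(os.path.join(root, path.lstrip("/")))


def build_fixture():
    """Constructed chroot mirroring the report: the drupal symlink
    /usr/share/drupal6/profiles -> /etc/drupal/6/profiles plus ru.po."""
    root = tempfile.mkdtemp()
    real_dir = os.path.join(root, "etc/drupal/6/profiles/default/translations")
    os.makedirs(real_dir)
    with open(os.path.join(real_dir, "ru.po"), "w") as fh:
        fh.write('msgid ""\n')  # constructed placeholder content
    os.makedirs(os.path.join(root, "usr/share/drupal6"))
    os.symlink("/etc/drupal/6/profiles",
               os.path.join(root, "usr/share/drupal6/profiles"))
    return root
```

With the fixture built, `naive_resolve` lands on /etc/drupal/6/profiles/... on the host (hence the "missing file" and, once the host file exists, the mismatch), while `resolve_in_root` stays under the chroot and finds the real ru.po; a `../../..` chain is likewise clamped at the root.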