Re: Bug#1024261: debhelper: dbgsym packages contain directoryr writable by build user
Hi

On 2023-03-17 14:42:00 +0100, Helmut Grohne wrote:
> Hi,
>
> On Mon, Nov 21, 2022 at 06:08:22PM +0100, Niels Thykier wrote:
> > Axel Beckert:
> > > Could this be https://bugs.debian.org/1023286 in fakeroot as well as
> > > Niels pointed out in
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024520#37 ?
> >
> > It is.
>
> So the underlying fakeroot bug has been fixed since. I don't think this
> actually is a debhelper bug anymore and suggest to just close it once
> the practical effects have been mitigated.
>
> > Helmut and I discussed this on IRC and Helmut's findings are based on that
> > IRC discussion between him and me in relation to #1023286. (Which people not
> > on IRC had no chance of knowing, so putting the context here for good measure)
>
> Given that the fakeroot bug has been fixed, I have rerun the dbgsym
> importer (now that no new problems can be added). Quite a number of
> packages have fixed themselves since the last run. Very few were added.
> I'm attaching a list of affected packages in format
> "binarypackage_version_architecture". Can I ask the release team to just
> binNMU all of them?
>
> What is a bit unclear to me is whether this is sufficient. We know
> -dbgsym packages to be affected (and which), but how about regular
> packages? Can they be affected as well?

If they are, we could check the buildinfo files in the archive and
rebuild every package that was built with a buggy version of fakeroot.

Cheers

>
> If yes, we could download all .debs and record owner/group/mode for each
> file after normalizing s,/${DEB_HOST_MULTIARCH}/,/, and highlight all
> packages where these aspects vary across architectures (with the
> intuition that 64bit architectures should generally be right). Does this
> make sense? Does this likely encounter issues? Is this approach
> exhaustive?
>
> In any case, binNMUing the packages from the attached list is something
> actionable right now. It's just 500 packages on four architectures left.
>
> Helmut
Re: Bug#1024261: debhelper: dbgsym packages contain directoryr writable by build user
Hi,

On Mon, Nov 21, 2022 at 06:08:22PM +0100, Niels Thykier wrote:
> Axel Beckert:
> > Could this be https://bugs.debian.org/1023286 in fakeroot as well as
> > Niels pointed out in
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024520#37 ?
>
> It is.

So the underlying fakeroot bug has been fixed since. I don't think this
actually is a debhelper bug anymore and suggest to just close it once
the practical effects have been mitigated.

> Helmut and I discussed this on IRC and Helmut's findings are based on that
> IRC discussion between him and me in relation to #1023286. (Which people not
> on IRC had no chance of knowing, so putting the context here for good measure)

Given that the fakeroot bug has been fixed, I have rerun the dbgsym
importer (now that no new problems can be added). Quite a number of
packages have fixed themselves since the last run. Very few were added.
I'm attaching a list of affected packages in format
"binarypackage_version_architecture". Can I ask the release team to just
binNMU all of them?

What is a bit unclear to me is whether this is sufficient. We know
-dbgsym packages to be affected (and which), but how about regular
packages? Can they be affected as well?

If yes, we could download all .debs and record owner/group/mode for each
file after normalizing s,/${DEB_HOST_MULTIARCH}/,/, and highlight all
packages where these aspects vary across architectures (with the
intuition that 64bit architectures should generally be right). Does this
make sense? Does this likely encounter issues? Is this approach
exhaustive?

In any case, binNMUing the packages from the attached list is something
actionable right now. It's just 500 packages on four architectures left.

Helmut
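The cross-architecture comparison proposed in the message above, as an added example that is not part of the thread or of debian-dedup. It reads owner/group/mode from each data.tar and reports paths whose metadata differs between architectures. Assumptions: the tarballs are constructed in memory, uid 1000 and "builduser" are made-up values, and the triplet is replaced by a `<triplet>` placeholder instead of being deleted as in the sed expression, so that a triplet directory does not collide with its parent.

```python
import io
import tarfile
from collections import defaultdict

# Multiarch triplets per architecture (only the two used by the sample below).
TRIPLETS = {"amd64": "x86_64-linux-gnu", "i386": "i386-linux-gnu"}

def file_metadata(data_tar, arch):
    """Map normalized path -> (uid, gid, uname, gname, mode) for one data.tar."""
    meta = {}
    with tarfile.open(fileobj=data_tar) as tar:
        for m in tar:
            # Replace the triplet component with a placeholder so paths line up
            # across architectures without colliding with the parent directory.
            path = "/".join("<triplet>" if part == TRIPLETS[arch] else part
                            for part in m.name.split("/"))
            meta[path] = (m.uid, m.gid, m.uname, m.gname, m.mode)
    return meta

def varying_paths(per_arch):
    """Return {path: {arch: metadata}} where metadata differs between architectures."""
    by_path = defaultdict(dict)
    for arch, meta in per_arch.items():
        for path, value in meta.items():
            by_path[path][arch] = value
    return {p: a for p, a in by_path.items() if len(set(a.values())) > 1}

def make_sample_tar(arch, uid, uname):
    """Constructed data.tar resembling a -dbgsym layout (not real archive data)."""
    t = TRIPLETS[arch]
    entries = [("./usr/lib/debug/.dwz", 0, "root", tarfile.DIRTYPE),
               ("./usr/lib/debug/.dwz/" + t, uid, uname, tarfile.DIRTYPE),
               ("./usr/lib/debug/.dwz/%s/example.debug" % t, 0, "root", tarfile.REGTYPE)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, owner, owner_name, kind in entries:
            info = tarfile.TarInfo(name)
            info.type, info.mode = kind, (0o755 if kind == tarfile.DIRTYPE else 0o644)
            info.uid = info.gid = owner
            info.uname = info.gname = owner_name
            tar.addfile(info)
    buf.seek(0)
    return buf

def compare_sample():
    """Compare a clean amd64 sample against an i386 sample with a build-user-owned directory."""
    per_arch = {"amd64": file_metadata(make_sample_tar("amd64", 0, "root"), "amd64"),
                "i386": file_metadata(make_sample_tar("i386", 1000, "builduser"), "i386")}
    return varying_paths(per_arch)

if __name__ == "__main__":
    for path, arches in sorted(compare_sample().items()):
        print(path, arches)
```

A path that exists on only one architecture is never reported, so this comparison cannot flag packages built for a single architecture.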
Re: Bug#1024261: debhelper: dbgsym packages contain directoryr writable by build user
Axel Beckert:
> Hi,
>
> Helmut Grohne wrote:
> > 308 armel
> > 313 armhf
> > 316 i386
> > 613 mipsel
> >
> > I think it is fairly safe to say that the problem affects 32bit
> > architectures.
>
> Could this be https://bugs.debian.org/1023286 in fakeroot as well as
> Niels pointed out in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024520#37 ?
>
> Regards, Axel

It is.

Helmut and I discussed this on IRC and Helmut's findings are based on that
IRC discussion between him and me in relation to #1023286. (Which people not
on IRC had no chance of knowing, so putting the context here for good measure)

Thanks,
~Niels
Re: Bug#1024261: debhelper: dbgsym packages contain directoryr writable by build user
Hi,

Helmut Grohne wrote:
> 308 armel
> 313 armhf
> 316 i386
> 613 mipsel
>
> I think it is fairly safe to say that the problem affects 32bit
> architectures.

Could this be https://bugs.debian.org/1023286 in fakeroot as well as
Niels pointed out in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024520#37 ?

Regards, Axel
--
 ,''`.  |  Axel Beckert, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Re: Bug#1024261: debhelper: dbgsym packages contain directoryr writable by build user
Hi Niels,

On Wed, Nov 16, 2022 at 05:06:42PM +0100, Chris Hofstaedtler wrote:
> util-linux dbgsym packages install /usr/lib/debug/.dwz/i386-linux-gnu/
> (and other multiarch triplets) writable by an essentially random uid
> (= uid of the user running the build on the build system).

I've hacked up a custom dissector (attached) for the debian-dedup[1]
engine to check binary packages. It ends up downloading the entire
debian-debug archive, which is about 750GB. You need a fast network to
run it. In essence, it looks at every file in the data.tar of every
binary package and checks whether user and group are root (both numeric
and name). Any difference is flagged. That yields a number of binary
packages:

    308 armel
    313 armhf
    316 i386
    613 mipsel

I think it is fairly safe to say that the problem affects 32bit
architectures.

Full results attached. I leave the mapping of binary packages to source
packages to you. You can rerun it at any time.

Hope this helps

Helmut

[1] https://dedup.debian.net/
    https://git.subdivi.de/?p=~helmut/debian-dedup.git;a=summary

#!/usr/bin/python3

from contextlib import closing
import logging
import multiprocessing
import queue
from urllib.request import urlopen

from debian import deb822

from dedup.debpkg import DebExtractor
from dedup.utils import open_compressed_mirror_url


class ProcessingFinished(Exception):
    """Raised to stop processing a .deb once its data.tar has been inspected."""


class DdebOwnerExtractor(DebExtractor):
    def __init__(self):
        DebExtractor.__init__(self)
        self.files = set()

    def handle_data_tar(self, tarfileobj):
        # Record every member that is not owned by root:root,
        # checking both the numeric ids and the names.
        for elem in tarfileobj:
            if elem.uid == 0 and elem.gid == 0 and elem.uname == "root" and elem.gname == "root":
                continue
            self.files.add(elem.name)
        raise ProcessingFinished


def process_one_package(item):
    """Download one package and return (pkg, set of non-root-owned paths)."""
    pkg, url = item
    try:
        extractor = DdebOwnerExtractor()
        with closing(urlopen(url)) as pkgfile:
            try:
                extractor.process(pkgfile)
            except ProcessingFinished:
                pass
        return (pkg, extractor.files)
    except Exception:
        logging.exception("while processing %s", pkg)
        return (pkg, set())


def consume_items(dct):
    """Yield and remove items from dct until it is empty."""
    while True:
        try:
            yield dct.popitem()
        except KeyError:
            break


def bounded_imap_unordered(bound, pool, function, iterable):
    """Like Pool.imap_unordered, but with at most `bound` tasks outstanding."""
    iterable = iter(iterable)
    results = queue.Queue()
    outstanding = 0
    while iterable or outstanding:
        if iterable:
            for elem in iterable:
                pool.apply_async(function, (elem,), callback=results.put)
                outstanding += 1
                if outstanding >= bound or not results.empty():
                    break
            else:
                # The input is exhausted; only drain results from now on.
                iterable = None
        if outstanding:
            yield results.get()
            outstanding -= 1


def main():
    logging.basicConfig(level=logging.DEBUG)
    pkgs = dict()
    mirror = "http://deb.debian.org/debian-debug"
    # Collect the filename of every package in unstable-debug, keyed by
    # "binarypackage_version_architecture".
    for arch in ("amd64", "arm64", "armel", "armhf", "i386", "mips64el",
                 "mipsel", "ppc64el", "s390x"):
        url = "%s/dists/unstable-debug/main/binary-%s/Packages" % (mirror, arch)
        with closing(open_compressed_mirror_url(url)) as pkglist:
            for pkg in deb822.Packages.iter_paragraphs(pkglist):
                pkgs["%s_%s_%s" % (pkg["package"], pkg["version"], pkg["architecture"])] = pkg["filename"]
    with multiprocessing.Pool() as pool:
        iterator = bounded_imap_unordered(
            32, pool, process_one_package,
            ((pkg, "%s/%s" % (mirror, filename))
             for pkg, filename in consume_items(pkgs)))
        # Print each package that contains at least one non-root-owned file.
        for pkg, files in iterator:
            if files:
                print(pkg)


if __name__ == "__main__":
    main()