Processed: Re: Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Processing commands for cont...@bugs.debian.org:

> tags 841525 + upstream fixed-upstream
Bug #841525 [vlc-plugin-skins2] vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Added tag(s) fixed-upstream and upstream.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
841525: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
On 2016-10-21 14:13:31, Jonas Smedegaard wrote:
> Quoting Sebastian Ramacher (2016-10-21 13:25:45)
> > On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> > > Quoting Jakub Wilk (2016-10-21 12:52:57)
> > > > Package: vlc-plugin-skins2
> > > > Version: 2.2.4-7
> > > > Severity: important
> > > > User: multiarch-de...@lists.alioth.debian.org
> > > > Usertags: multiarch
> > > >
> > > > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> > > > architecture-dependent:
> > > >
> > > > /usr/share/vlc/skins2/default.vlt
> > > >
> > > > An example diff between i386 and amd64 (generated by diffoscope) is attached.
> > >
> > > The diff seems to reveal the package was not built in a pristine chroot!
> >
> > No, it doesn't. It just reveals that it was an upload including
> > binaries since it had to go through NEW.
> >
> > The offending code is in share/Makefile.am which creates default.vlt.
>
> Right. Bug is not that content varies (it was created in a shared
> makefile, and diff attached to original bugreport also shows identical
> _content_). Bug is also not that it was built in a non-pristine
> environment - but it is a _hint_ about the underlying bug that the user
> "sebastian" is the owner and group for the files in the diff.

No, it is not. default.vlt is a tar archive owned by root as it is supposed
to be. However, the content of default.vlt is not generated in a correct
way. It leaks the user and time information of the build.

> It is a real¹ bug that a non-binNMU package inherits access rights from
> the user account where it is built!

It doesn't. It does not inherit the access rights.

> It seems that every time you build the package as a non-binNMU it has a
> security hole in that a user named "sebastian" in any target system gets
> write access to some files intended to be writable only by root!

No. That's not the case. The bug is about content of default.vlt and
nothing else. No user gets additional write access.

> Likely the fix is to change debian/rules and/or patch upstream install
> routines to use "install" with appropriate arguments, instead of "cp".

It has nothing to do with install or cp. It's a matter of passing the
right options to tar to sanitize default.vlt.

Cheers
--
Sebastian Ramacher
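As an added illustration of the point made above (this is example code, not from the thread and not VLC's build system), the snippet below packs a small constructed theme tree into a tar archive twice: once the way a plain `tar cf` run by a build user records it, and once with the ownership and timestamps sanitized. The `leaked_owners` check is what you would run over a shipped `.vlt` to spot the problem from the report; file names, contents, uid and timestamps are constructed sample values.

```python
import io
import tarfile

# Constructed sample: two files like those inside a skins2 .vlt theme archive.
SAMPLE_FILES = {
    "default/theme.xml": b"<Theme/>",
    "default/subX/main.png": b"\x89PNG\r\n\x1a\n",
}
# Fixed timestamp (2016-06-01 13:33:03 UTC, the mtime seen in the report's
# listing) so the archive records no information about when it was built.
SOURCE_DATE_EPOCH = 1464787983


def sanitize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip build-host identity from a member: owner root/0, fixed mtime.
    Equivalent to GNU tar's --owner=0 --group=0 --numeric-owner --mtime=@...."""
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    info.mtime = SOURCE_DATE_EPOCH
    return info


def build_vlt(files: dict, sanitized: bool) -> bytes:
    """Pack files into a tar archive (the .vlt container format)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):  # deterministic member order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if sanitized:
                info = sanitize(info)
            else:
                # What an unsanitized tar run records: the invoking user's
                # uid/gid/name and the file's real mtime (constructed values).
                info.uid = info.gid = 1000
                info.uname = info.gname = "sebastian"
                info.mtime = 1466000000
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def leaked_owners(archive: bytes) -> list:
    """Return (name, uname, uid, gname, gid) for every member not owned by root/0.
    A non-empty result means the archive leaks the build user's identity."""
    leaks = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if (m.uid, m.gid) != (0, 0) or m.uname not in ("", "root") \
                    or m.gname not in ("", "root"):
                leaks.append((m.name, m.uname, m.uid, m.gname, m.gid))
    return leaks
```

Building the sanitized archive twice yields byte-identical output, which is the property a "Multi-Arch: same" package needs across architectures.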
Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Quoting Sebastian Ramacher (2016-10-21 13:25:45)
> On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> > Quoting Jakub Wilk (2016-10-21 12:52:57)
> > > Package: vlc-plugin-skins2
> > > Version: 2.2.4-7
> > > Severity: important
> > > User: multiarch-de...@lists.alioth.debian.org
> > > Usertags: multiarch
> > >
> > > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> > > architecture-dependent:
> > >
> > > /usr/share/vlc/skins2/default.vlt
> > >
> > > An example diff between i386 and amd64 (generated by diffoscope) is attached.
> >
> > The diff seems to reveal the package was not built in a pristine chroot!
>
> No, it doesn't. It just reveals that it was an upload including
> binaries since it had to go through NEW.
>
> The offending code is in share/Makefile.am which creates default.vlt.

Right. Bug is not that content varies (it was created in a shared
makefile, and diff attached to original bugreport also shows identical
_content_). Bug is also not that it was built in a non-pristine
environment - but it is a _hint_ about the underlying bug that the user
"sebastian" is the owner and group for the files in the diff.

It is a real¹ bug that a non-binNMU package inherits access rights from
the user account where it is built!

It seems that every time you build the package as a non-binNMU it has a
security hole in that a user named "sebastian" in any target system gets
write access to some files intended to be writable only by root!

Likely the fix is to change debian/rules and/or patch upstream install
routines to use "install" with appropriate arguments, instead of "cp".

 - Jonas

¹ I suspect that your including the word "just" means that you do not
consider this a serious bug.

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> Quoting Jakub Wilk (2016-10-21 12:52:57)
> > Package: vlc-plugin-skins2
> > Version: 2.2.4-7
> > Severity: important
> > User: multiarch-de...@lists.alioth.debian.org
> > Usertags: multiarch
> >
> > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> > architecture-dependent:
> >
> > /usr/share/vlc/skins2/default.vlt
> >
> > An example diff between i386 and amd64 (generated by diffoscope) is attached.
>
> The diff seems to reveal the package was not built in a pristine chroot!

No, it doesn't. It just reveals that it was an upload including
binaries since it had to go through NEW.

The offending code is in share/Makefile.am which creates default.vlt.

Cheers
--
Sebastian Ramacher
Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Quoting Jakub Wilk (2016-10-21 12:52:57)
> Package: vlc-plugin-skins2
> Version: 2.2.4-7
> Severity: important
> User: multiarch-de...@lists.alioth.debian.org
> Usertags: multiarch
>
> vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> architecture-dependent:
>
> /usr/share/vlc/skins2/default.vlt
>
> An example diff between i386 and amd64 (generated by diffoscope) is attached.

The diff seems to reveal the package was not built in a pristine chroot!

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Package: vlc-plugin-skins2
Version: 2.2.4-7
Severity: important
User: multiarch-de...@lists.alioth.debian.org
Usertags: multiarch

vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
architecture-dependent:

/usr/share/vlc/skins2/default.vlt

An example diff between i386 and amd64 (generated by diffoscope) is attached.

--
Jakub Wilk

--- vlc-plugin-skins2_2.2.4-7_amd64/usr/share/vlc/skins2/default.vlt
+++ vlc-plugin-skins2_2.2.4-7_i386/usr/share/vlc/skins2/default.vlt
├── default.vlt-content
│ ├── file list
│ │
@@ -1,12 +1,12 @@ │ │ -drwxr-xr-x 0 sebastian (1000) sebastian (1000)0 2016-06-01 13:33:03.00 default/ │ │ -drwxr-xr-x 0 sebastian (1000) sebastian (1000)0 2016-06-01 13:33:03.00 default/subX/ │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000)33054 2015-02-02 19:42:31.00 default/subX/about.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000)31809 2015-02-02 19:42:31.00 default/subX/eq.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000)24700 2015-02-02 19:42:31.00 default/subX/font.otf │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000)68042 2015-02-02 19:42:31.00 default/subX/main.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000) 7739 2015-02-02 19:42:31.00 default/subX/pl.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000) 101 2015-02-02 19:42:31.00 default/subX/playtreeglyphs.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000) 2245 2015-02-02 19:42:31.00 default/subX/sysbuttons.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000) 2063 2015-02-02 19:42:31.00 default/subX/vol_anim.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000) 73 2015-02-02 19:42:31.00 default/subX/vol_slider.png │ │ --rw-r--r-- 0 sebastian (1000) sebastian (1000)55484 2015-02-02 19:42:31.00 default/theme.xml │ │ +drwxr-xr-x 0 buildd(2952) buildd(2952)0 2016-06-01 13:33:03.00 default/ │ │ +drwxr-xr-x 0 buildd(2952) buildd(2952)0 2016-06-01 13:33:03.00 default/subX/ │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952)33054 2015-02-02 19:42:31.00 default/subX/about.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952)31809 2015-02-02 19:42:31.00 default/subX/eq.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952)24700 2015-02-02 19:42:31.00 default/subX/font.otf │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952)68042 2015-02-02 19:42:31.00 default/subX/main.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952) 7739 2015-02-02 19:42:31.00 default/subX/pl.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952) 101 2015-02-02 19:42:31.00 default/subX/playtreeglyphs.png │ │ +-rw-r--r-- 0 buildd(2952) 
buildd(2952) 2245 2015-02-02 19:42:31.00 default/subX/sysbuttons.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952) 2063 2015-02-02 19:42:31.00 default/subX/vol_anim.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952) 73 2015-02-02 19:42:31.00 default/subX/vol_slider.png │ │ +-rw-r--r-- 0 buildd(2952) buildd(2952)55484 2015-02-02 19:42:31.00 default/theme.xml │ ╵ ╵ ___ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
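Review bot: the only field that differs between the two listings is the recorded owner and group (`sebastian (1000)` on amd64 versus `buildd(2952)` on i386); modes, sizes, member names and mtimes are identical in every line, so the archive content is the same and what varies is the identity of whoever ran tar when default.vlt was created, which is exactly what the maintainer's later reply says needs sanitizing. Generating the archive with GNU tar's `--owner=0 --group=0 --numeric-owner` (and a fixed `--mtime` if the timestamp should not depend on the checkout either) makes the stored metadata independent of the build account and removes the architecture difference this report is about.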