Bug#1012195: dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

Tue, 31 May 2022 18:57:16 -0700 

Hi!

On Tue, 2022-05-31 at 22:10:29 +0200, Paul Gevers wrote:
> Source: dpkg
> Version: 1.20.10
> Severity: important

> Our proposed-updates queue [1] show regressions in the autopkgtest of
> lintian with the security version of dpkg. Looking at the logs [2], it
> appears to me that the file permissions of files in the test
> change. If I understand the security issue correctly, I don't think
> that was intended. Again, I may be reading the signs wrong, but I
> suspect you want to have a look.

Hmm, right. We noticed this on the new security queue autopkgtest
infra, and I checked locally and it was reproducible, but for some
reason I disregarded it as not relevant. :/

Perhaps because it was not showing up on lintian's sid test suite (but
just checked now and the test seems to have been removed from there),
and I'm assuming I didn't test against the previous dpkg version. So,
it seems I botched the testing procedure somewhere.

In any case, I think the attached patch fixes this, which during the
days I was preparing the fix this came to mind to take into account,
but I guess I forgot along the way. :/ I'll test this tomorrow against
the older lintian test suite. I guess I'll need to talk with the
security team avoid issuing a security fixup?

Thanks,
Guillem

diff --git i/scripts/Dpkg/Source/Package/V2.pm w/scripts/Dpkg/Source/Package/V2.pm
index 1167625d7..68a967168 100644
--- i/scripts/Dpkg/Source/Package/V2.pm
+++ w/scripts/Dpkg/Source/Package/V2.pm
@@ -218,7 +218,7 @@ sub do_extract {
     # Extract main tarball
     info(g_('unpacking %s'), $tarfile);
     my $tar = Dpkg::Source::Archive->new(filename => "$dscdir$tarfile");
-    $tar->extract($newdirectory, no_fixperms => 1,
+    $tar->extract($newdirectory,
                   options => [ '--anchored', '--no-wildcards-match-slash',
                                '--exclude', '*/.pc', '--exclude', '.pc' ]);
     # The .pc exclusion is only needed for 3.0 (quilt) and to avoid
@@ -239,7 +239,7 @@ sub do_extract {
             erasedir("$newdirectory/$subdir");
         }
         $tar = Dpkg::Source::Archive->new(filename => "$dscdir$file");
-        $tar->extract("$newdirectory/$subdir", no_fixperms => 1);
+        $tar->extract("$newdirectory/$subdir");
     }
 
     # Stop here if debianization is not wanted

Reply via email to