Hi!

On Mon, 2026-03-30 at 19:57:26 +0200, Guillem Jover wrote:
> On Fri, 2026-03-27 at 16:17:02 +0000, Barak A. Pearlmutter wrote:
> > Package: dpkg
> > Version: 1.23.7

> > ISSUE
> > 
> > What's going on is that the new version of dpkg-deb does a seek on its
> > file argument, which fails if it's not a real file.  You can see it
> > here:

> > It would be nice if dpkg-deb would continue to allow a non-seekable
> > argument, so my lazy pipe stream trick would continue to work.
> 
> I didn't expect this to break anything!¹ And while I could change the
> current check to take into account whether the archive file is a
> pipe/socket/fifo and then ignore it when the archive size is 0, my plan
> has been to switch the code to perform two passes anyway. One to analyze
> the entire ar container for correctness, then perform a seek to extract
> the requested member data, because at least for dpkg driving dpkg-deb
> there's already a requirement that it cannot use pipes/fifos/sockets
> for archives, due to it calling dpkg-deb multiple times (first to
> extract the control member then the data member).
> 
> To set correct expectations, my first inclination right now would be to
> declare that streaming is not supported. But I'll ponder a bit what it
> would take to add support for such "streaming" mode in that new two
> pass pre-analysis paradigm, and whether that would make sense, given
> the potential security risks, where dpkg-deb is the one tool where it
> is supposed to be able to handle untrusted .deb data (see the SECURITY
> section in its man page), in contrast to dpkg, where the assumption is
> that the archives are trusted.

I realized later on that support for streaming was added and documented
after a couple of requests some time ago, and this is being used in
other places right now. So I've gone with documenting that if an input
is non-seekable then certain robustness/security checks will not take
place, and then fixing the current regression and adding some regression
tests for streaming input, to avoid this in the future. Will be part of
my next push to be included in the next release.

Thanks,
Guillem
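
Added example (not from the thread and not dpkg code): a C sketch of the distinction Guillem draws above, between a seekable regular file, where the whole ar container can be analyzed in a first pass before any member is extracted, and a pipe/fifo/socket, which can only be read forward, so that pass has to be skipped and the reduced assurance reported to the caller. The ar member-header walk is a minimal illustration of the format, not dpkg-deb's implementation; the function names, the verdict enum, and the constructed fixtures (a tiny two-member archive and a deliberately truncated copy of it) are all assumptions made for this example.

```c
/* Added example, not dpkg code: telling a seekable archive input (two-pass
 * validation possible) from a pipe/fifo/socket (stream mode, container-wide
 * checks skipped). Function names and fixture data here are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define AR_MAGIC "!<arch>\n"
#define AR_HDR_SIZE 60
enum input_mode { INPUT_SEEKABLE, INPUT_STREAM, INPUT_ERROR };
enum archive_verdict { ARCHIVE_REJECTED, ARCHIVE_VALIDATED, ARCHIVE_STREAMED_UNCHECKED };

/* st_size == 0 is ambiguous (an empty regular file has it too), so classify by
 * file type and confirm with lseek(), which fails with ESPIPE on pipes/sockets. */
enum input_mode classify_input(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return INPUT_ERROR;
    if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) return INPUT_STREAM;
    if (lseek(fd, 0, SEEK_CUR) < 0) return errno == ESPIPE ? INPUT_STREAM : INPUT_ERROR;
    return INPUT_SEEKABLE;
}

/* ar size field: 10 bytes of decimal digits padded with spaces, nothing else. */
static bool parse_ar_size(const char *field, off_t *out)
{
    char buf[11] = {0}, *end;
    memcpy(buf, field, 10);
    errno = 0;
    long long v = strtoll(buf, &end, 10);
    if (errno || end == buf || v < 0) return false;
    while (*end == ' ') end++;
    *out = (off_t)v;
    return *end == '\0';
}

/* Pass 1 of the two-pass scheme: check every member header and that each declared
 * size fits inside the file, then rewind for the extraction pass. Needs a regular
 * file (total size, rewind; single small read() per header). Member count or -1. */
int ar_validate_container(int fd)
{
    struct stat st;
    char hdr[AR_HDR_SIZE];
    off_t pos = 8, size;
    int n = 0;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || lseek(fd, 0, SEEK_SET) < 0) return -1;
    if (read(fd, hdr, 8) != 8 || memcmp(hdr, AR_MAGIC, 8) != 0) return -1;
    while (pos < st.st_size) {
        if (st.st_size - pos < AR_HDR_SIZE) return -1;                 /* trailing garbage */
        if (read(fd, hdr, AR_HDR_SIZE) != AR_HDR_SIZE) return -1;
        if (memcmp(hdr + 58, "`\n", 2) != 0 || !parse_ar_size(hdr + 48, &size)) return -1;
        pos += AR_HDR_SIZE;
        if (size > st.st_size - pos) return -1;   /* member claims more data than the file holds */
        pos += size + (((size & 1) && pos + size < st.st_size) ? 1 : 0); /* even-alignment pad */
        if (lseek(fd, pos, SEEK_SET) < 0) return -1;
        n++;
    }
    return lseek(fd, 0, SEEK_SET) < 0 ? -1 : n;
}

/* Policy from the thread: seekable input gets the pre-analysis; a stream is accepted but flagged. */
enum archive_verdict open_archive_checked(int fd)
{
    switch (classify_input(fd)) {
    case INPUT_SEEKABLE: return ar_validate_container(fd) >= 0 ? ARCHIVE_VALIDATED : ARCHIVE_REJECTED;
    case INPUT_STREAM:   return ARCHIVE_STREAMED_UNCHECKED;
    default:             return ARCHIVE_REJECTED;
    }
}

/* Constructed fixtures (not real .deb content); the FILE* is left open so the fd stays valid. */
static bool write_member(FILE *fp, const char *name, const char *data, size_t len, size_t claimed)
{
    char hdr[AR_HDR_SIZE + 1];   /* all member data below is even-sized, so no pad byte needed */
    snprintf(hdr, sizeof hdr, "%-16s%-12s%-6s%-6s%-8s%-10zu`\n", name, "0", "0", "0", "100644", claimed);
    return fwrite(hdr, 1, AR_HDR_SIZE, fp) == AR_HDR_SIZE && fwrite(data, 1, len, fp) == len;
}

int make_temp_ar(bool truncated)     /* truncated: the last member overstates its size */
{
    FILE *fp = tmpfile();
    const char *ctrl = "constructed control data";      /* 24 bytes, stands in for control.tar */
    size_t n = strlen(ctrl);
    if (!fp || fwrite(AR_MAGIC, 1, 8, fp) != 8 || !write_member(fp, "debian-binary", "2.0\n", 4, 4)
        || !write_member(fp, "control.tar", ctrl, n, truncated ? n + 4096 : n) || fflush(fp) != 0)
        return -1;
    return fileno(fp);
}

int make_pipe_read_end(void)
{
    int fds[2] = {-1, -1};
    if (pipe(fds) == 0) close(fds[1]);
    return fds[0];
}
```

The reason the stream case returns its own verdict instead of quietly succeeding is the same one the thread lands on: whoever drives the reader (or writes its documentation) needs to know that the container-wide checks did not run for that input, so the reduced assurance can be stated rather than assumed away.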
