Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package

Jonas Smedegaard dr at jones.dk
Fri Oct 21 12:13:31 UTC 2016

Quoting Sebastian Ramacher (2016-10-21 13:25:45)
> On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> > Quoting Jakub Wilk (2016-10-21 12:52:57)
> > > Package: vlc-plugin-skins2
> > > Version: 2.2.4-7
> > > Severity: important
> > > User: multiarch-devel at lists.alioth.debian.org
> > > Usertags: multiarch
> > > 
> > > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is 
> > > architecture-dependent:
> > > 
> > > /usr/share/vlc/skins2/default.vlt
> > > 
> > > An example diff between i386 and amd64 (generated by diffoscope) is attached.
> > 
> > The diff seems to reveal the package was not built in a pristine chroot!
> No, it doesn't. It just reveals that it was an upload including 
> binaries since it had to go through NEW.
> The offending code is in share/Makefile.am which creates default.vlt.

Right. Bug is not that content varies (it was created in a shared 
makefile, and diff attached to original bugreport also shows identical 
_content_).  Bug is also not that it was built in a non-pristine 
environment - but it is a _hint_ about the underlying bug that the user 
"sebastian" is the owner and group for the files in the diff.

It is a real¹ bug that a non-binNMU package inherits access rights from 
the user account where it is built!

It seems that every time you build the package as a non-binNMU it has a 
security hole in that a user named "sebastian" in any target system gets 
write access to some files intended to be writable only by root!

Likely the fix is to change debian/rules and/or patch upstream install 
routines to use "install" with appropriate arguments, instead of "cp".

 - Jonas

¹ I suspect that your including the word "just" means that you do not 
consider this a serious bug.

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
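The check a maintainer would run before uploading, as an added example that is not part of the thread or of the vlc packaging: scan the data listing of a built .deb (the format `dpkg-deb -c` prints) and report every entry whose owner/group is not root/root. The listing below is constructed for the example so it runs offline; the path and the "sebastian/sebastian" ownership are taken from the report above, the sizes and dates are made up.

```shell
# Added example (not from the bug thread): flag entries in a Debian
# package's data listing that are not owned by root:root.  In practice
# the listing comes from `dpkg-deb -c package.deb`; here a constructed
# listing is embedded so the check runs offline.

# Constructed sample in the `dpkg-deb -c` / `tar -tv` format:
# perms owner/group size date time path
SAMPLE_LISTING='drwxr-xr-x root/root            0 2016-10-21 12:00 ./usr/share/vlc/skins2/
-rw-r--r-- sebastian/sebastian 2048 2016-10-21 12:00 ./usr/share/vlc/skins2/default.vlt
-rw-r--r-- root/root         4096 2016-10-21 12:00 ./usr/share/doc/vlc-plugin-skins2/copyright'

# Read a listing on stdin; print the path of every entry whose
# owner/group field is not root/root.  Field 6 is the path for both
# regular files and symlinks (a symlink line continues with "-> target").
find_nonroot_owned() {
    awk '$2 != "root/root" { print $6 }'
}

# Number of offending entries in the constructed sample; 0 means clean.
count_nonroot_owned() {
    printf '%s\n' "$SAMPLE_LISTING" | find_nonroot_owned | wc -l | tr -d ' '
}

# Usage with a real package (hypothetical file name):
#   dpkg-deb -c vlc-plugin-skins2_2.2.4-7_amd64.deb | find_nonroot_owned
```

Any path the check prints is one that dpkg will create on the target system owned by whatever local account carries that user name, which is exactly the write-access problem described above; an empty result is what a correctly built package should give.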