Bug#841525: vlc-plugin-skins2: arch-dependent file in "Multi-Arch: same" package
Jonas Smedegaard
dr at jones.dk
Fri Oct 21 12:13:31 UTC 2016
Quoting Sebastian Ramacher (2016-10-21 13:25:45)
> On 2016-10-21 13:16:10, Jonas Smedegaard wrote:
> > Quoting Jakub Wilk (2016-10-21 12:52:57)
> > > Package: vlc-plugin-skins2
> > > Version: 2.2.4-7
> > > Severity: important
> > > User: multiarch-devel at lists.alioth.debian.org
> > > Usertags: multiarch
> > >
> > > vlc-plugin-skins2 is marked as "Multi-Arch: same", but the following file is
> > > architecture-dependent:
> > >
> > > /usr/share/vlc/skins2/default.vlt
> > >
> > > An example diff between i386 and amd64 (generated by diffoscope) is attached.
> >
> > The diff seems to reveal the package was not built in a pristine chroot!
>
> No, it doesn't. It just reveals that it was an upload including
> binaries since it had to go through NEW.
>
> The offending code is in share/Makefile.am which creates default.vlt.
Right. Bug is not that content varies (it was created in a shared
makefile, and diff attached to original bug report also shows identical
_content_). Bug is also not that it was built in a non-pristine
environment - but it is a _hint_ about the underlying bug that the user
"sebastian" is the owner and group for the files in the diff.
It is a real¹ bug that a non-binNMU package inherits access rights from
the user account where it is built!
It seems that every time you build the package as a non-binNMU it has a
security hole in that a user named "sebastian" in any target system gets
write access to some files intended to be writable only by root!
Likely the fix is to change debian/rules and/or patch upstream install
routines to use "install" with appropriate arguments, instead of "cp".
- Jonas
¹ I suspect that your including the word "just" means that you do not
consider this a serious bug.
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
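The hazard described in the message above (the owner and group recorded at build time becoming the owner and group on every system the package is installed on) can be caught before upload by auditing the ownership and mode of each entry in the package payload, which a .deb ships as a tar archive (data.tar.*). The following is an added example, not code from this thread or from the vlc packaging; the archive it inspects is constructed in-line, with only the skin file path taken from the report:

```python
import io
import stat
import tarfile


def build_sample_tar(owner, uid, gid, mode):
    """Constructed stand-in for a package's data.tar: one entry carrying
    whatever uid/gid, user/group name and mode the build recorded."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("./usr/share/vlc/skins2/default.vlt")
        payload = b"constructed placeholder skin data"  # not a real .vlt
        info.size = len(payload)
        info.mode = mode
        info.uid, info.gid = uid, gid
        info.uname, info.gname = owner, owner
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def audit_ownership(tar_bytes):
    """Return (path, reason) findings for payload entries that are not
    owned by root:root or that are group/world writable; these are the
    entries whose access rights depend on the account that built the package."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            # uname/gname may be empty in minimal archives; uid/gid are authoritative
            non_root = (m.uid != 0 or m.gid != 0
                        or m.uname not in ("root", "") or m.gname not in ("root", ""))
            if non_root:
                findings.append((m.name, f"owned by {m.uname or m.uid}:{m.gname or m.gid}"))
            if m.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((m.name, f"mode {m.mode:04o} is group/world writable"))
    return findings


if __name__ == "__main__":
    # A payload built as an unprivileged user records that user as owner.
    for finding in audit_ownership(build_sample_tar("sebastian", 1000, 1000, 0o644)):
        print("FAIL:", *finding)
    print("clean:", audit_ownership(build_sample_tar("root", 0, 0, 0o644)) == [])
```

The same check applies to a real package by extracting data.tar.* from the .deb with `ar` and passing its bytes to `audit_ownership`.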