Bug#859761: libdvd-pkg: dpkg-buildpackage fails without libcap2-bin

Stephen Thomas flabdablet+debian at fastmail.fm
Fri Apr 7 05:37:34 UTC 2017


Package: libdvd-pkg
Version: 1.4.0-1-2
Severity: normal
Tags: patch

Dear Maintainer,

After installing libdvd-pkg without the recommended libcap2-bin package
also installed, dpkg-reconfigure libdvd-pkg failed as follows:

libvd-pkg: Checking orig.tar integrity...
/usr/src/libdvd-pkg/libdvdcss_1.4.0.orig.tar.bz2: OK
libdvd-pkg: Unpacking and configuring...
libdvd-pkg: Building the package... (it may take a while)
libdvd-pkg: Build log will be saved to /usr/src/libdvd-pkg/libdvdcss2_1.4.0-1~local_amd64.build
dpkg-buildpackage: error: unknown option or argument >/usr/src/libdvd-pkg/libdvdcss2_1.4.0-1~local_amd64.build

Use --help for program usage information.

Tracked this down to the following lines inside
/usr/lib/libdvd-pkg/b-i_libdvdcss.sh:

BUILDCMD="dpkg-buildpackage -b -uc >${BUILDLOG} 2>&1"
CAPSH=$(which capsh) \
&& ${CAPSH} --secbits=0x14 \
--drop=cap_dac_read_search,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog-ep \
--print \
    -- -c "${BUILDCMD}" \
|| ${BUILDCMD}

The issue is that when CAPSH doesn't get defined because $(which capsh)
fails, the fallback is for ${BUILDCMD} to be expanded as a command. But
redirects are processed before parameter expansions, so the redirects
inside BUILDCMD end up passed to dpkg-buildpackage as arguments instead
of doing what they're supposed to.

Replacing the CAPSH= command line with the following fixes the issue:

CAPSH="$(which capsh) --secbits=0x14
--drop=cap_dac_read_search,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog-ep
--print --" || CAPSH=/bin/bash
${CAPSH} -c "${BUILDCMD}"

That way, BUILDCMD always gets passed to /bin/bash as a complete command
line so its embedded redirects will work whether capsh exists or not.

Having CAPSH fall back to /bin/sh also works, but the docs for capsh
explicitly specify /bin/bash as the shell its -- option invokes, so
using it for the fallback seems like the Right Thing.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdvd-pkg depends on:
pn  build-essential        <none>
ii  debconf [debconf-2.0]  1.5.60
pn  debhelper              <none>
pn  dh-autoreconf          <none>
ii  wget                   1.18-5

Versions of packages libdvd-pkg recommends:
ii  libcap2-bin  1:2.25-1

libdvd-pkg suggests no packages.

-- debconf information:
  libdvd-pkg/upgrade:
* libdvd-pkg/build: true
* libdvd-pkg/post-invoke_hook-remove: false
* libdvd-pkg/post-invoke_hook-install: true
  libdvd-pkg/title_b-i:
  libdvd-pkg/title_u:
* libdvd-pkg/first-install:
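
The expansion behaviour described in the report, as an added example that is not part of the original message or of libdvd-pkg: build_cmd, pick_runner and the scratch log paths are constructed for illustration. It shows the redirects arriving as plain arguments when the string is expanded as a command, taking effect when the string is handed to a shell, and a fallback that reports when the build runs without capsh dropping capabilities.

```shell
#!/bin/sh
# Added illustration: constructed command and scratch paths, not libdvd-pkg code.

# build_cmd LOG: stand-in for BUILDCMD, a command string with embedded redirects.
build_cmd() { printf 'echo built >%s 2>&1' "$1"; }

# Failing fallback: the string is expanded as a command. Redirection operators
# are recognised when the line is parsed, before expansion, so ">LOG" and
# "2>&1" arrive as ordinary arguments and no log file is written.
run_expanded() {
    cmd=$(build_cmd "$1")
    ${cmd}
}

# Fixed form: the string is handed to a shell, which parses the redirects.
run_via_shell() {
    cmd=$(build_cmd "$1")
    /bin/sh -c "${cmd}"
}

# pick_runner TOOL: wrapper prefix that receives -c "command string".
# With the tool missing the build still runs, but with no capabilities
# dropped, so the fallback is reported on stderr instead of being silent.
pick_runner() {
    if tool=$(command -v "$1"); then
        printf '%s --' "$tool"    # capsh-style: options would precede "--"
    else
        echo "warning: $1 not found, running without capability drop" >&2
        printf '/bin/sh'
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    out=$(run_expanded "$dir/a.log")
    echo "expanded:  stdout=[$out]"
    echo "expanded:  log exists? $([ -e "$dir/a.log" ] && echo yes || echo no)"
    run_via_shell "$dir/b.log"
    echo "via shell: log=[$(cat "$dir/b.log")]"
    rm -rf "$dir"
}
demo
```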


