Bug#847221: debsums: false positive missing file in open-vm-tools-desktop package - encoding issue?

Niko Tyni ntyni at debian.org
Tue Dec 6 16:47:42 UTC 2016


On Tue, Dec 06, 2016 at 04:35:57PM +0100, Andreas Beckmann wrote:
> Package: debsums
> Version: 2.1.3
> Severity: important

> open-vm-tools-desktop contains a file with an 'interesting' name:
> 
>   /lib/systemd/system/run-vmblock\x2dfuse.mount
> 
> and debsums reports that the file is missing although it exists in the
> file system:
> 
>   # debsums -ac
>   debsums: missing file /lib/systemd/system/run-vmblock\\x2dfuse.mount (from open-vm-tools-desktop package)
> 
>   # ls -la '/lib/systemd/system/run-vmblock\x2dfuse.mount' 
>   -rw-r--r-- 1 root root 460 Nov 16 02:35 /lib/systemd/system/run-vmblock\x2dfuse.mount
> 
> Maybe the backslash has been escaped once too much?

It's doubly escaped in the md5sums database:

  # grep run-vm /var/lib/dpkg/info/open-vm-tools-desktop.md5sums 
  dde14951417e0e9f73b80f871e6540d1  lib/systemd/system/run-vmblock\\x2dfuse.mount

There's background in #843163. It looks like this is due to this feature
of GNU md5sum (from coreutils.info):

  If FILE contains a backslash or newline, the line is started with a
  backslash, and each problematic character in the file name is escaped
  with a backslash, making the output unambiguous even in the presence
  of arbitrary file names.

Indeed:

  # md5sum /lib/systemd/system/run-vmblock*
  \dde14951417e0e9f73b80f871e6540d1  /lib/systemd/system/run-vmblock\\x2dfuse.mount

I see src:open-vm-tools fiddles with the entry in debian/rules,
removing the first backslash at the start of the line but not
touching the doubled one.  This seems to be wrong. While the result
does pass 'dpkg --verify', it only does so because the file name
doesn't match: if I manually change the checksum to a wrong one in
/var/lib/dpkg/info/open-vm-tools-desktop.md5sums, 'dpkg --verify' stays
happy. If I remove the double backslash, wrong checksums start to get
detected properly.

So it looks to me like the workaround in open-vm-tools should be fixed
to remove the double backslash, at which point both 'dpkg --verify'
and debsums will work?
-- 
Niko Tyni   ntyni at debian.org
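
The following is an added example, not part of the original message and not code from debsums, dpkg or open-vm-tools. It undoes the GNU md5sum escaping quoted above (backslash and newline only) and shows that an entry whose name is still escaped is looked up under the wrong name, so a wrong checksum is never compared. The function names, the all-zero digest and the temporary file are constructed for the illustration.

```python
import hashlib
import os
import tempfile

def unescape_md5sum_line(line):
    """Parse one line of GNU md5sum output into (digest, real file name)."""
    escaped = line.startswith("\\")        # leading backslash: name is escaped
    if escaped:
        line = line[1:]
    digest, rest = line.split(" ", 1)
    name = rest[1:]                        # drop the mode character (' ' or '*')
    if escaped:
        pairs = {"\\\\": "\\", "\\n": "\n"}
        out, i = [], 0
        while i < len(name):
            two = name[i:i + 2]
            if two in pairs:
                out.append(pairs[two])
                i += 2
            else:
                out.append(name[i])
                i += 1
        name = "".join(out)
    return digest, name

def verify(root, entries):
    """Return {name: 'ok' | 'FAILED' | 'missing'} for (digest, name) entries."""
    result = {}
    for digest, name in entries:
        path = os.path.join(root, name)
        if not os.path.exists(path):
            result[name] = "missing"       # checksum is never looked at
            continue
        with open(path, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest()
        result[name] = "ok" if actual == digest else "FAILED"
    return result

def demo():
    name = "run-vmblock\\x2dfuse.mount"    # one literal backslash in the name
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"modified contents\n")
        wrong = "0" * 32                   # constructed digest that cannot match
        line = "\\" + wrong + "  " + name.replace("\\", "\\\\")  # md5sum-style line
        stripped_only = (line[1:33], line[35:])  # first backslash removed, name still doubled
        return verify(root, [stripped_only]), verify(root, [unescape_md5sum_line(line)])

if __name__ == "__main__":
    print(demo())
```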


