Bug#847221: debsums: false positive missing file in open-vm-tools-desktop package - encoding issue?
Niko Tyni
ntyni at debian.org
Tue Dec 6 16:47:42 UTC 2016
On Tue, Dec 06, 2016 at 04:35:57PM +0100, Andreas Beckmann wrote:
> Package: debsums
> Version: 2.1.3
> Severity: important
> open-vm-tools-desktop contains a file with an 'interesting' name:
>
> /lib/systemd/system/run-vmblock\x2dfuse.mount
>
> and debsums reports that the file is missing although it exists in the
> file system:
>
> # debsums -ac
> debsums: missing file /lib/systemd/system/run-vmblock\\x2dfuse.mount (from open-vm-tools-desktop package)
>
> # ls -la '/lib/systemd/system/run-vmblock\x2dfuse.mount'
> -rw-r--r-- 1 root root 460 Nov 16 02:35 /lib/systemd/system/run-vmblock\x2dfuse.mount
>
> Maybe the backslash has been escaped once too much?

It's doubly escaped in the md5sums database:

 # grep run-vm /var/lib/dpkg/info/open-vm-tools-desktop.md5sums
 dde14951417e0e9f73b80f871e6540d1 lib/systemd/system/run-vmblock\\x2dfuse.mount

There's background in #843163. It looks like this is due to this feature
of GNU md5sum (from coreutils.info):

    If FILE contains a backslash or newline, the line is started with a
    backslash, and each problematic character in the file name is escaped
    with a backslash, making the output unambiguous even in the presence
    of arbitrary file names.

Indeed:

 # md5sum /lib/systemd/system/run-vmblock*
 \dde14951417e0e9f73b80f871e6540d1 /lib/systemd/system/run-vmblock\\x2dfuse.mount

I see src:open-vm-tools fiddles with the entry in debian/rules,
removing the first backslash at the start of the line but not
touching the doubled one. This seems to be wrong. While the result
does pass 'dpkg --verify', it only does so because the file name
doesn't match: if I manually change the checksum to a wrong one in
/var/lib/dpkg/info/open-vm-tools-desktop.md5sums, 'dpkg --verify' stays
happy. If I remove the double backslash, wrong checksums start to get
detected properly.

So it looks to me like the workaround in open-vm-tools should be fixed
to remove the double backslash, at which point both 'dpkg --verify'
and debsums will work?
--
Niko Tyni ntyni at debian.org
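
An added example, not part of the message above and not code from debsums, dpkg or open-vm-tools: a small Python audit that reproduces the escaping described in the coreutils excerpt and flags md5sums entries whose recorded name only exists on disk after unescaping, so the file's checksum is never actually compared. The function names, the "32 hex digits, two spaces, path" entry layout and the file content are assumptions made for the illustration.

```python
import hashlib, os, tempfile

def gnu_md5sum_line(digest, name):
    # GNU md5sum: a name with backslash or newline gets a leading "\" on the
    # line and each such character escaped.
    if "\\" in name or "\n" in name:
        name = name.replace("\\", "\\\\").replace("\n", "\\n")
        return "\\" + digest + "  " + name
    return digest + "  " + name

def unescape(name):
    # Reverse of the above: "\\" -> "\", "\n" -> newline, anything else kept.
    out, i = [], 0
    while i < len(name):
        pair = name[i:i + 2]
        if pair == "\\\\":
            out.append("\\"); i += 2
        elif pair == "\\n":
            out.append("\n"); i += 2
        else:
            out.append(name[i]); i += 1
    return "".join(out)

def check(root, path, digest):
    full = os.path.join(root, path)
    if not os.path.isfile(full):
        return "missing"
    with open(full, "rb") as fh:
        return "OK" if hashlib.md5(fh.read()).hexdigest() == digest else "FAILED"

def audit(db_lines, root):
    # Assumed entry layout: 32 hex digits, two spaces, path relative to root.
    report = {}
    for line in db_lines:
        digest, path = line[:32], line[34:]
        status = check(root, path, digest)
        alt = unescape(path)
        if status == "missing" and alt != path and os.path.isfile(os.path.join(root, alt)):
            status = "over-escaped, real file " + check(root, alt, digest)
        report[path] = status
    return report

def demo():
    name = "lib/systemd/system/run-vmblock\\x2dfuse.mount"  # one literal backslash
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, os.path.dirname(name)))
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed unit file\n")        # constructed sample content
        digest = hashlib.md5(b"constructed unit file\n").hexdigest()
        entry = gnu_md5sum_line(digest, name)[1:]   # only the leading "\" stripped
        bad = "0" * 32 + entry[32:]                 # same entry, wrong checksum
        fixed = digest + "  " + unescape(entry[34:])
        return entry, audit([entry], root), audit([bad], root), audit([fixed], root)
```
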