Bug#998335: debsums: fails to handle files with spaces

Tue Nov 2 15:52:43 GMT 2021

Package: debsums
Version: 3.0.2
Severity: normal

Dear Maintainer,

I get a false positive in debsums on a file with a space in the filename:

# debsums -a homegear-zigbee | grep bbaa
debsums: missing file /etc/homegear/devices/26/bbaaPlug (from homegear-zigbee package)
# grep bbaa /var/lib/dpkg/info/homegear-zigbee.list 
/etc/homegear/devices/26/bbaaPlug 013.xml
# grep bbaa /var/lib/dpkg/info/homegear-zigbee.conffiles
/etc/homegear/devices/26/bbaaPlug 013.xml
# ll /etc/homegear/devices/26/bbaaPlug*
-rw-r--r-- 1 root root 12178 Okt  9 17:14 '/etc/homegear/devices/26/bbaaPlug 013.xml'
# dpkg-query -L homegear-zigbee |grep bbaa
/etc/homegear/devices/26/bbaaPlug 013.xml

Note that debsums reports a missing file "bbaaPlug", not "bbaaPlug 013.xml".
dpkg-query, on the other hand, correctly lists the filename.
Next, I tried to check it it is really the space that causes the problem:

# cp /etc/homegear/devices/26/bbaaPlug\ 013.xml /etc/homegear/devices/26/bbaaPlug
# debsums -a homegear-zigbee | grep bbaa
dpkg-query: no path found matching pattern /etc/homegear/devices/26/bbaaPlug

That's strange, I cannot explain that output. After some digging, I found /var/lib/dpkg/status.
And there we have:
# grep /etc/homegear/devices/26/bbaaPlug /var/lib/dpkg/status
 /etc/homegear/devices/26/bbaaPlug 013.xml 77462256c1635499de5b2ba4498243ad

I then altered the .list and .conffile

# grep bbaa /var/lib/dpkg/info/homegear-zigbee.list /var/lib/dpkg/info/homegear-zigbee.conffiles
/var/lib/dpkg/info/homegear-zigbee.list:/etc/homegear/devices/26/bbaaPlug
/var/lib/dpkg/info/homegear-zigbee.conffiles:/etc/homegear/devices/26/bbaaPlug

# dpkg-query -L homegear-zigbee |grep bbaa
/etc/homegear/devices/26/bbaaPlug

# /usr/bin/debsums -ex homegear-zigbee 
debsums: changed file /etc/homegear/devices/26/bbaaPlug (observed:77462256c1635499de5b2ba4498243ad expected:013) (from homegear-zigbee package)

It seems that debsums does not process the status file correctly. It is confused by the space
in the filename and takes the part after the space as md5sum. In order to verify, I tried to
escape the space in the status file. I tried to quote the whole filename with " or ', or
escape the space with "\ " but to no avail. It really seems that debsums cannot handle spaces
while processing the status file.

I tried to fix it myself, but I'm not sure if this is correct:

--- /usr/bin/debsums.orig	2021-11-02 15:34:32.689829644 +0100
+++ /usr/bin/debsums	2021-11-02 16:49:18.669901591 +0100
@@ -264,7 +264,7 @@
             $package_name{$field{"Package"}} = $field{"binary:Package"};
         }
         $installed{$field{"binary:Package"}}{Conffiles} = {
-            map m!^\s*/(\S+)\s+([\da-f]+)!,
+            map m!^\s*/(.+)\s+([\da-f]+)!,
                 grep { not ($ignore_obsolete and / obsolete$/) }
                 split /\n/, $field{Conffiles}
         } if $field{Conffiles};


-- System Information:
Debian Release: 11.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debsums depends on:
ii  libdpkg-perl          1.20.9
ii  libfile-fnmatch-perl  0.02-2+b8
ii  perl                  5.32.1-4+deb11u2
ii  ucf                   3.0043

debsums recommends no packages.

Versions of packages debsums suggests:
ii  bash-completion  1:2.11-2

-- debconf information:
* debsums/croncheck: never
* debsums/apt-autogen: true

