lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 28 Nov 2017 09:41:56 +0100
From:   Henning Schild <henning.schild@...mens.com>
To:     Jim Davis <jim.epost@...il.com>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>,
        Ben Hutchings <ben.hutchings@...ethink.co.uk>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Michal Marek <michal.lkml@...kovi.net>,
        linux-kbuild <linux-kbuild@...r.kernel.org>,
        Konrad Schwarz <konrad.schwarz@...mens.com>
Subject: Re: [PATCH] builddeb: introduce variables for control-file
 customization

Am Mon, 27 Nov 2017 16:57:58 -0700
schrieb Jim Davis <jim.epost@...il.com>:

> On Mon, Nov 27, 2017 at 9:13 AM, Henning Schild
> <henning.schild@...mens.com> wrote:
> > The debian packages coming out of "make *deb-pkg" lack some critical
> > information in the control-files e.g. the "Depends:" field. If one
> > tries to install a fresh system with such a "linux-image"
> > debootstrap or multistrap might try to install the kernel before
> > its deps and the package hooks will fail.  
> 
> Has that shown up in practice?  The builddeb script goes back some
> years now...

Yes it has, i came across this issue with a multistrap-based installer.
The kernel got picked as one of the first packages. Without explicit
deps i can only assume that deboostrap should be affected as well.
Maybe it processes the package-tree in another order and happens to
work by chance.
My guess is that most people use the builddeb script to install
additional kernels on a running system, so the missing deps never
showed.

That said, the patch would allow for much more customization than just
adding deps. But others might want to customize the other fields as
well.

> > +       eval 'create_package "$kernel_headers_packagename" \
> > +               "$kernel_headers_dir"' "$KDEB_OPTS_IMAGE_HEADERS"  
> 
> eval in a shell script with arbitrary input can lead to shenanigans
> like
> 
> make bindeb-pkg KDEB_OPTS_IMAGE_HEADERS="; echo All your base"
> 
> and other potentially nastier things.  Probably not an issue for a
> typical kernel developer sitting in front of his or her laptop, but if
> I ran a big automated unattended build farm I might prefer a non-eval
> alternative.

True. As you said, that might not be an issue for most people. Let us
discuss the general approach first. If we agree on applying such a
patch and others also raise this issue we might find an implementation
without the eval.
That is a first shot that can handle the kinds of strings one might
want to pass to dpkg-gencontrol. (spaces, pipes and multiple options).

Henning

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ