#1012195 dpkg: lintian autopkgtest *may* have spotted a regression in security update of dpkg

Package: src:dpkg
Source: dpkg
Submitter: Paul Gevers
Date: 2022-07-03 16:06:09 UTC
Severity: important
#1012195#5
Date: 2022-05-31 20:10:29 UTC
Dear Guillem,

Our proposed-updates queue [1] shows regressions in the autopkgtest of
lintian with the security version of dpkg. Looking at the logs [2], it
appears to me that the file permissions of files in the test
change. If I understand the security issue correctly, I don't think
that was intended. Again, I may be reading the signs wrong, but I
suspect you want to have a look.

Paul

# Tags do not match
#
# --- ../../autopkgtest_tmp/build-and-evaluate-test-packages/eval/checks/files/permissions/legacy-scripts/tags.specified.calibrated
# +++ ../../autopkgtest_tmp/build-and-evaluate-test-packages/eval/checks/files/permissions/legacy-scripts/tags.actual.parsed
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 tkfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 gccbug.dpatch
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  777 envfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 xsession-test
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 wishfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 suidperlfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 sh-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 rubyfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 phpfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 phpenvfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 perlfoo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 perl-bizarre-3
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 perl-bizarre-2
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 perl-bizarre-1
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 make-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 lefty-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 jruby-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 init-skeleton
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 init-no-lsb
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 init-lsb-other
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 init-lsb-broken
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 guile-bizarre
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 fish-foo
# -scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  666 csh-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 tkfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 gccbug.dpatch
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  755 envfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 xsession-test
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 wishfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 suidperlfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 sh-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 rubyfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 phpfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 phpenvfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 perlfoo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 perl-bizarre-3
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 perl-bizarre-2
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 perl-bizarre-1
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 make-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 lefty-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 jruby-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 init-skeleton
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 init-no-lsb
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 init-lsb-other
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 init-lsb-broken
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 guile-bizarre
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 fish-foo
# +scripts (source): octal-permissions scripts_6ds-1ubuntu0.5.10.1.dsc  644 csh-foo
#


[1] https://release.debian.org/proposed-updates/stable.html
[2] https://ci.debian.net/data/autopkgtest/stable/amd64/l/lintian/22228243/log.gz

#1012195#10
Date: 2022-06-01 01:53:32 UTC
Hi!

Hmm, right. We noticed this on the new security queue autopkgtest
infra, and I checked locally and it was reproducible, but for some
reason I disregarded it as not relevant. :/

Perhaps because it was not showing up on lintian's sid test suite (but
just checked now and the test seems to have been removed from there),
and I'm assuming I didn't test against the previous dpkg version. So,
it seems I botched the testing procedure somewhere.

In any case, I think the attached patch fixes this, which during the
days I was preparing the fix this came to mind to take into account,
but I guess I forgot along the way. :/ I'll test this tomorrow against
the older lintian test suite. I guess I'll need to talk with the
security team to avoid issuing a security fixup?

Thanks,
Guillem

#1012195#17
Date: 2022-06-25 20:09:12 UTC
Hi,

In fact I think this regression can be included as a fix in the upcoming
point releases if SRM agree, and so avoid an out of order dpkg update
again to fix this rather edge-case regression (and instead batch it
with other updates for the point releases).

Did you find time already for fixes? The bullseye 11.4 point release
has now been settled for the July 9th, with freezing the upload window
the preceding weekend.

Thank you Guillem for your work!

Regards,
Salvatore

#1012195#22
Date: 2022-06-26 19:05:39 UTC
Yes, was planning to do that after uploading this fix to unstable. But
got sick and was not able to do much.

I'll try to finish this up for today, and send a proposal for a stable
update once this hits unstable.

Thanks,
Guillem

#1012195#25
Date: 2022-07-01 02:55:10 UTC
Hi!

Bug #1012195 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:

https://git.dpkg.org/cgit/dpkg/dpkg.git/diff/?id=52d285fec

The change to fix the directory traversal for source package unpacks
with in-place extractions of the debian.tar archive modified the way
that last extraction was done, to extract it also out-of-place, then
move the result into the destination. This had the consequence of
no longer fixing the permissions for the entire source tree, and instead
only for the debian/ directory. The previous calls for the orig tarballs
were not fixing up the permissions to avoid duplicating work, which
meant that now these did not get fixed any longer.

Remove the options that avoid fixing the permissions for all calls,
restoring the previous behavior.

Fixes: commit 7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
Closes: #1012195
Stable-Candidates: 1.18.x 1.19.x 1.20.x
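The mechanism the commit message describes, as an added example that is not dpkg's own code: a shell model of the two-step unpack in which the orig tree is extracted without the permission fixup and only the later debian.tar step normalizes modes, beside the restored behaviour where every extraction is fixed up. It assumes umask 022 and that the fixup yields the 755/644 modes the lintian output expects; the fix_perms, make_tree, bad_modes and unpack_* helpers are constructed here and are not dpkg functions.

```shell
#!/bin/sh
# Added example, not dpkg's own code: models the permission fixup dpkg-source
# runs after extracting each tarball, and the #1012195 regression where only
# the debian/ extraction was fixed up. Assumptions, not from the page: umask
# 022, and a fixup meaning "755 if executable, 644 otherwise".
set -eu
umask 022

# Normalize modes: keep owner rw and any existing x, give group/other r(+x),
# strip group/other write. Under umask 022 this yields 755 / 644.
fix_perms() {
    chmod -R u+rwX,go+rX,go-w "$1"
}

# Constructed source tree with the over-permissive modes seen in the lintian
# log (777 scripts, 666 data files), both in the orig tree and under debian/.
make_tree() {
    mkdir -p "$1/debian"
    printf '#!/bin/sh\n' > "$1/tkfoo";   chmod 777 "$1/tkfoo"
    : > "$1/rubyfoo";                    chmod 666 "$1/rubyfoo"
    : > "$1/debian/control";             chmod 666 "$1/debian/control"
}

# Count regular files whose mode is neither 644 nor 755, which is what
# lintian's octal-permissions tag flagged in the autopkgtest above.
bad_modes() {
    find "$1" -type f ! -perm 644 ! -perm 755 | wc -l | tr -d ' '
}

# Regressed unpack: the orig tree is left as extracted, and only debian/
# (extracted out of place, then moved in) gets its permissions fixed.
unpack_regressed() {
    make_tree "$1"
    fix_perms "$1/debian"
}

# Restored unpack (the 1.21.9 / 1.20.11 fix): every extraction is fixed up,
# so the orig tree is normalized as well.
unpack_fixed() {
    make_tree "$1"
    fix_perms "$1"
}

tmp=$(mktemp -d)
unpack_regressed "$tmp/regressed"
unpack_fixed "$tmp/fixed"
echo "regressed: $(bad_modes "$tmp/regressed") files with bad modes"  # 2
echo "fixed:     $(bad_modes "$tmp/fixed") files with bad modes"      # 0
rm -rf "$tmp"
```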

#1012195#32
Date: 2022-07-01 10:05:01 UTC
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 01 Jul 2022 11:25:58 +0200
Source: dpkg
Architecture: source
Version: 1.21.9
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Closes: 1008780 1011510 1012195
Changes:
 dpkg (1.21.9) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * dpkg-deb: Add support for --threads-max and DPKG_DEB_THREADS_MAX.
     Prompted by vv221 on IRC.
   * Perl modules:
     - Dpkg::Source::Package::V2: Always fix the permissions for upstream
       tarballs. Closes: #1012195
     - Dpkg::BuildFlags: Document optimize feature area.
   * Documentation:
     - man: Clarify that statoverrides do not need to be known to dpkg.
       Closes: #1011510
     - man: Expand Protected and Essential field use cases. Closes: #1008780
     - doc: Rename frontend.txt to frontend-api.txt.
     - doc: Move specifications under doc/spec.
     - man: Add references to rootless-builds.txt spec.
   * Code internals:
     - libdpkg: Refactor command actions for compression.
   * Build system:
     - Split the test-runner into its own script.
 .
   [ Helge Kreutzmann ]
   * Localization:
     - Update German man pages translation.
     - Update German scripts translation.

#1012195#35
Date: 2022-07-02 15:03:14 UTC
Hi!

Bug #1012195 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:

https://git.dpkg.org/cgit/dpkg/dpkg.git/diff/?id=67096dd4b

The change to fix the directory traversal for source package unpacks
with in-place extractions of the debian.tar archive modified the way
that last extraction was done, to extract it also out-of-place, then
move the result into the destination. This had the consequence of
no longer fixing the permissions for the entire source tree, and instead
only for the debian/ directory. The previous calls for the orig tarballs
were not fixing up the permissions to avoid duplicating work, which
meant that now these did not get fixed any longer.

Remove the options that avoid fixing the permissions for all calls,
restoring the previous behavior.

Fixes: commit 7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
Closes: #1012195
Stable-Candidates: 1.18.x 1.19.x 1.20.x
(cherry picked from commit 52d285fecbec8ba3cbd8255ef4de2be392d1e0de)

#1012195#42
Date: 2022-07-02 17:17:07 UTC
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012195@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 02 Jul 2022 05:08:46 +0200
Source: dpkg
Architecture: source
Version: 1.20.11
Distribution: bullseye
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Closes: 1004372 1012195
Changes:
 dpkg (1.20.11) bullseye; urgency=medium
 .
   [ Guillem Jover ]
   * dpkg-deb: Fix unexpected end of file conditions on .deb extract.
   * libdpkg: Do not restrict source:* virtual fields to installed packages.
     Closes: #1004372
   * Perl modules:
     - Dpkg::Source::Package::V2: Always fix the permissions for upstream
       tarballs. Closes: #1012195
   * Build system:
     - Build gitlab CI images for bullseye instead of sid.

#1012195#45
Date: 2022-07-03 16:02:27 UTC
Hi!

Bug #1012195 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:

https://git.dpkg.org/cgit/dpkg/dpkg.git/diff/?id=36fa3e37b

The change to fix the directory traversal for source package unpacks
with in-place extractions of the debian.tar archive modified the way
that last extraction was done, to extract it also out-of-place, then
move the result into the destination. This had the consequence of
no longer fixing the permissions for the entire source tree, and instead
only for the debian/ directory. The previous calls for the orig tarballs
were not fixing up the permissions to avoid duplicating work, which
meant that now these did not get fixed any longer.

Remove the options that avoid fixing the permissions for all calls,
restoring the previous behavior.

Fixes: commit 7a6c03cb34d4a09f35df2f10779cbf1b70a5200b
Closes: #1012195
Stable-Candidates: 1.18.x 1.19.x 1.20.x
(cherry picked from commit 52d285fecbec8ba3cbd8255ef4de2be392d1e0de)