Dear Maintainer,
When constructing the mmdebstrap customize hook, debrebuild does not escape the variables from the .buildinfo file's Environment block. This can result in build failures if DEB_BUILD_OPTIONS contains multiple options. It could also be used to create a malicious buildinfo file with extra commands added, which would run in the build environment. The Trixie version of the package is also affected, but I haven't checked any others.
Single DEB_BUILD_OPTIONS parameter (working):
$ mkdir -p /tmp/debrebuild
$ cd /tmp/debrebuild/
$ wget https://buildinfos.debian.net/buildinfo-pool/h/hello/hello_2.12.3-1_amd64.buildinfo
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out --builder=mmdebstrap
./out/ ends up with the correct build files.
Multiple parameters (no build in out/):
Edit hello_2.12.3-1_amd64.buildinfo:
@@ -176,7 +176,7 @@
xz-utils (= 5.8.3-1),
zlib1g (= 1:1.3.dfsg+really1.3.2-3)
Environment:
- DEB_BUILD_OPTIONS="parallel=6"
+ DEB_BUILD_OPTIONS="parallel=6 terse"
LANG="C.UTF-8"
LC_COLLATE="C.UTF-8"
LC_CTYPE="C.UTF-8
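Review bot: the trailing context line `LC_CTYPE="C.UTF-8` has lost its closing double quote and the unchanged lines have lost their leading space, so the hunk as pasted will not apply with patch(1); either paste it with the original indentation intact or state the reproduction as the one-line edit from `DEB_BUILD_OPTIONS="parallel=6"` to `DEB_BUILD_OPTIONS="parallel=6 terse"`. That single changed line is the whole trigger: the second space-separated option is what the unescaped hook turns into a separate shell word.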
$ rm -rf out
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out --builder=mmdebstrap
./out/ contains a partial build
I've attached a patch that resolves the issue for me.
Kind regards,
Serge
--- /etc/devscripts.conf ---
Empty.
--- ~/.devscripts ---
Not present
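To illustrate the quoting defect the report describes, here is an added Python example; it is not debrebuild's own code (which is Perl) nor part of the report. It parses a constructed Environment block, builds the hook command both by plain interpolation and with shlex.quote, and tokenizes each the way sh would; the file contents, function names and the `env ... dpkg-buildpackage -b` hook shape are assumptions.

```python
import shlex

# Constructed excerpt of a .buildinfo file (not the real hello_2.12.3-1 file),
# carrying the multi-option DEB_BUILD_OPTIONS value from the report.
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: hello
Environment:
 DEB_BUILD_OPTIONS="parallel=6 terse"
 LANG="C.UTF-8"
 LC_COLLATE="C.UTF-8"
Installed-Build-Depends:
 xz-utils (= 5.8.3-1)
"""


def parse_environment(buildinfo):
    """Return the Environment field as a dict. Assumes the simple KEY="value"
    form shown in the report (no escaped quotes inside values)."""
    env, in_env = {}, False
    for line in buildinfo.splitlines():
        if line.startswith("Environment:"):
            in_env = True
            continue
        if in_env and line.startswith(" "):
            key, _, value = line.strip().partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            env[key] = value
        elif in_env:
            break  # next field starts; the Environment block is over
    return env


def naive_hook(env):
    """Hook command built by plain interpolation: the defect the report describes."""
    return "env " + " ".join(f"{k}={v}" for k, v in env.items()) + " dpkg-buildpackage -b"


def quoted_hook(env):
    """Same hook with every value shell-quoted, so each value stays one word."""
    return "env " + " ".join(f"{k}={shlex.quote(v)}" for k, v in env.items()) + " dpkg-buildpackage -b"


def simulate_shell(hook):
    """Tokenize like sh and return (assignments env sees, command env would run)."""
    words = shlex.split(hook)
    assignments = {}
    for word in words[1:]:  # words[0] is "env"
        key, sep, value = word.partition("=")
        if not sep or not key.isidentifier():
            return assignments, word  # first non-assignment word is the command
        assignments[key] = value
    return assignments, None
```

With the sample, the naive hook makes env run `terse` as the command with DEB_BUILD_OPTIONS truncated to `parallel=6`, while the quoted hook runs dpkg-buildpackage with the full value.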