#1140552 debrebuild: mmdebstrap builder silently skips dpkg-buildpackage on quoted Environment values

Package:
devscripts
Source:
devscripts
Description:
scripts to make the life of a Debian Package maintainer easier
Submitter:
Serge Schneider
Date:
2026-06-22 16:07:02 UTC
Severity:
normal
Tags:
#1140552#5
Date:
2026-06-22 15:34:02 UTC
From:
To:
Dear Maintainer,

When constructing the mmdebstrap customize hook, debrebuild does not escape
the variables from the .buildinfo file's Environment block. This can result
in
build failures if DEB_BUILD_OPTIONS contains multiple options. It could
also be
used to create a malicious buildinfo file with extra commands added, which
would run in the build environment. The Trixie version of the package is
also affected, but I haven't checked any others.

Single DEB_BUILD_OPTIONS parameter (working):
$ mkdir -p /tmp/debrebuild
$ cd /tmp/debrebuild/
$ wget
https://buildinfos.debian.net/buildinfo-pool/h/hello/hello_2.12.3-1_amd64.buildinfo
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out
--builder=mmdebstrap
./out/ ends up with the correct build files.

Multiple parameters (no build in out/):
Edit hello_2.12.3-1_amd64.buildinfo:

@@ -176,7 +176,7 @@
  xz-utils (= 5.8.3-1),
  zlib1g (= 1:1.3.dfsg+really1.3.2-3)
 Environment:
- DEB_BUILD_OPTIONS="parallel=6"
+ DEB_BUILD_OPTIONS="parallel=6 terse"
  LANG="C.UTF-8"
  LC_COLLATE="C.UTF-8"
  LC_CTYPE="C.UTF-8

$ rm -rf out
$ debrebuild hello_2.12.3-1_amd64.buildinfo --buildresult=./out
--builder=mmdebstrap
./out/ contains a partial build

I've attached a patch that resolves the issue for me.

Kind regards,

Serge
--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
Not present