#645157 dpkg-source: handling of symlinks to external files

Package:
dpkg-dev
Source:
dpkg
Submitter:
Paul Wise
Date:
2021-09-22 04:30:38 UTC
Severity:
normal
Tags:

#645157#5
Date:
2011-10-13 04:10:47 UTC
From:
To:
During my work on the Debian derivatives census (generating patches for
all derivatives), I came across this package:

http://packages.bosslinux.in/boss/pool/savir/main/e/exe/exe_1.04.1.3602-boss1.dsc

I made a copy of it here in case it disappears:

http://people.debian.org/~pabs/tmp/exe_1.04.1.3602-boss1.dsc

This is a format 1.0 native package where the debian/ directory is an
absolute symlink to outside the package:

lrwxrwxrwx  1 pabs Debian      49 Oct 12 16:27 debian -> /root/Desktop/exe/exe/installs/debian/boss/debian

When I try to unpack this package, I get this error:

dpkg-source: warning: extracting unsigned source package (/tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/exe_1.04.1.3602-boss1.dsc)
dpkg-source: info: extracting exe in /tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/extracted
dpkg-source: info: unpacking exe_1.04.1.3602-boss1.tar.gz
dpkg-source: error: cannot stat /tmp/derivs-cmp-srcpkg-BOSSlinux-ErZzbJ/extracted/debian/rules: Permission denied

The resulting extraction directory still exists despite this failure.

On a different system where /root was world readable, the error was
replaced with a warning:

dpkg-source: warning: extracting unsigned source package (exe_1.04.1.3602-boss1.dsc)
dpkg-source: info: extracting exe in exe-1.04.1.3602
dpkg-source: info: unpacking exe_1.04.1.3602-boss1.tar.gz
dpkg-source: warning: exe-1.04.1.3602/debian/rules does not exist

I see several problems with this...

When there is an error I would expect dpkg-source to clean up after
itself, probably a --no-cleanup option needs adding though for people
wanting to debug why the extraction failed.

I don't understand why dpkg-source needs to look at debian/rules at all.

And more fundamentally, dpkg-dev should never extract or follow symlinks
that point outside the source package. That includes all absolute ones
and any relative ones with too many .. in their link target. Even if
dpkg-source doesn't write to them during unpack, they could have some
other impact on the user's system if they access them thinking that
since Debian source packages are self-contained they should be safe.

This issue seems to be present in both squeeze and wheezy. I did not
test if the issue is present in lenny.

#645157#10
Date:
2011-12-08 15:37:27 UTC
From:
To:
I don't see the immediate need for this. It does this with temporary
files/dirs that it uses for example when it builds a package. But I don't
see why it should do this for non-temporary files...

To make it executable.

dpkg-source delegates extraction to tar. It can't easily cherry-pick
what to extract...

dpkg-source already has code to not extract new/supplementary files
over already unpacked symlinks so that unpacking a source package can't
write files outside of the newly created directory.

What kind of bad impact do you expect? The worst I can imagine is
something like "chmod -R" changing rights but apparently "chmod -R"
already ignores symlinks by default.

We should still do something to avoid chmodding() a file outside of the
unpacked source tree but I don't know whether it's just ensuring that
debian and debian/rules are not symlinks, or a more heavy analysis to get
rid of all symlinks pointing outside of the source package.

Cheers,

#645157#15
Date:
2012-02-12 01:57:41 UTC
From:
To:
Well, either that or delete the unsafe symlinks and issue a warning.

At first glance that seems like a security vulnerability, since it could
allow an attacker to make an arbitrary file/dir executable.

For the trivial case (if debian/rules is an unsafe symlink), I see that
dpkg-source is not vulnerable to this issue. I didn't check any cases
involving debian/ being an unsafe symlink, but I think that dpkg-source
should check for that too.

pabs@chianamo ~/tmp/foo $ ls -l ~/foo
-rw------- 1 pabs pabs 0 Feb 12 09:27 /home/pabs/foo
pabs@chianamo ~/tmp/foo $ dpkg-source -x foo_0.1.dsc
dpkg-source: warning: extracting unsigned source package (foo_0.1.dsc)
dpkg-source: info: extracting foo in foo-0.1
dpkg-source: info: unpacking foo_0.1.tar.gz
dpkg-source: warning: foo-0.1/debian/rules is not a plain file
pabs@chianamo ~/tmp/foo $ ls -l ~/foo
-rw------- 1 pabs pabs 0 Feb 12 09:27 /home/pabs/foo
pabs@chianamo ~/tmp/foo $ ls -l foo-0.1/debian/rules
lrwxrwxrwx 1 pabs pabs 14 Feb 12 09:27 foo-0.1/debian/rules -> /home/pabs/foo

I do note that debuild -S does change the permissions though, of course
it also runs debian/rules clean, which would always execute arbitrary
code so I guess that is safe if a bit weird.

Personally I would suggest that dpkg-source should error out or warn
when building a source package containing links to outside the source
package, since the resulting symlink will likely be invalid on systems
consuming the source package.

pabs@chianamo ~/tmp/foo $ ls -l ~/foo
-rw------- 1 pabs pabs 0 Feb 12 09:27 /home/pabs/foo
pabs@chianamo ~/tmp/foo $ ls -l foo-0.1/debian/rules
lrwxrwxrwx 1 pabs pabs 14 Feb 12 09:27 foo-0.1/debian/rules -> /home/pabs/foo
pabs@chianamo ~/tmp/foo $ cd foo-0.1/
pabs@chianamo ~/tmp/foo/foo-0.1 $ debuild -S
 dpkg-buildpackage -rfakeroot -d -us -uc -j4 -i -ICVS -I.svn -S
dpkg-buildpackage: source package foo
dpkg-buildpackage: source version 0.1
dpkg-buildpackage: source changed by Paul Wise <pabs@debian.org>
 dpkg-source -i -ICVS -I.svn --before-build foo-0.1
 fakeroot debian/rules clean
 dpkg-source -i -ICVS -I.svn -b foo-0.1
dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
dpkg-source: info: using source format `1.0'
dpkg-source: info: building foo in foo_0.1.tar.gz
dpkg-source: warning: missing information for output field Standards-Version
dpkg-source: info: building foo in foo_0.1.dsc
 dpkg-genchanges -S >../foo_0.1_source.changes
dpkg-genchanges: warning: missing Section for source files
dpkg-genchanges: including full source code in upload
 dpkg-source -i -ICVS -I.svn --after-build foo-0.1
dpkg-buildpackage: source only upload: Debian-native package
pabs@chianamo ~/tmp/foo/foo-0.1 $ ls -l ~/foo
-rwxr-xr-x 1 pabs pabs 0 Feb 12 09:27 /home/pabs/foo*

I see, you could definitely do some checks after the fact though?

You can't know what kind of commands a user or script will run on an
unpacked source tree or whether the commands/script they are running is
written with security in mind or not. Practising defence in depth is
always a good idea, especially where people usually are not thinking
about security issues, which I very much doubt is happening when people
are processing source code in some way.

As an example, say people are automatically using a source code checker,
pretty-printer or comparison, automatically dumping output to the web.
Presumably that would follow symlinks, maybe resulting in a nasty
package causing arbitrary file leakage (think SSH private keys,
proprietary source code, whatever).

dpkg-source should definitely check both debian/ and debian/rules for
unsafe symlinks before doing the chmod +x.

I would also recommend removing any absolute or relative symlinks that
point outside of the unpacked source tree and issuing a warning if there
are any such unsafe symlinks.

Alternatively you could fail noisily if there are any unsafe symlinks at
all and delete the unpacked source tree.

#645157#24
Date:
2018-10-10 17:17:19 UTC
From:
To:
I stumbled across this bug.

Paul writes:

I agree with this.

Raphaël writes:

It could search the tree for bad links after extraction but before
exiting status 0.

Or we could request that tar grow an option like rsync's --safe-links.

Ian.
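A post-extraction scan of the kind proposed in messages #15 and #24, as an added example that is not part of the bug thread or of dpkg-source's own code: it resolves each symlink target lexically against the unpacked root, reports absolute links and relative ones with too many `..`, and separately checks that debian/ and debian/rules are not symlinks before any chmod +x would run. The sample tree it builds in a temporary directory is constructed here; `/outside/secret` and `/outside/victim` are placeholder targets, not paths from the report.

```python
import os
import tempfile

def link_escapes(root, link_path):
    # Lexical check: a dangling link is judged by where it would point,
    # and an absolute target always leaves the tree.
    root = os.path.abspath(root)
    target = os.readlink(link_path)
    if os.path.isabs(target):
        return True
    link_dir = os.path.dirname(os.path.abspath(link_path))
    resolved = os.path.normpath(os.path.join(link_dir, target))
    return resolved != root and not resolved.startswith(root + os.sep)

def find_unsafe_symlinks(root):
    # Walk without following links; report tree-relative paths, sorted.
    unsafe = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and link_escapes(root, path):
                unsafe.append(os.path.relpath(path, root))
    return sorted(unsafe)

def check_rules_target(root):
    # Pre-chmod check: neither debian/ nor debian/rules may be a symlink.
    debian = os.path.join(root, "debian")
    rules = os.path.join(debian, "rules")
    problems = []
    if os.path.islink(debian):
        problems.append("debian is a symlink")
    if os.path.islink(rules):
        problems.append("debian/rules is a symlink")
    elif not os.path.isfile(rules):
        problems.append("debian/rules is not a plain file")
    return problems

def build_sample_tree(rules_is_link=False):
    # Constructed sample tree (not the package from the report) in a tmpdir.
    root = tempfile.mkdtemp(prefix="foo-0.1-")
    os.makedirs(os.path.join(root, "debian"))
    os.makedirs(os.path.join(root, "src"))
    os.symlink("/outside/secret", os.path.join(root, "link_abs"))  # absolute target
    os.symlink("../../x", os.path.join(root, "src", "back"))       # one .. too many
    os.symlink("../debian/rules", os.path.join(root, "debian", "notes"))  # stays inside
    rules = os.path.join(root, "debian", "rules")
    if rules_is_link:
        os.symlink("/outside/victim", rules)   # the debian/rules case from message #15
    else:
        with open(rules, "w") as fh:
            fh.write("#!/usr/bin/make -f\n")
    return root
```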
