#759174 iso-scan: possible troubles with ISO images with spaces in their full pathname

#759174#5
Date:
2011-09-07 10:57:14 UTC
From:
To:
This bug was originally reported in
https://bugs.launchpad.net/ubuntu/+source/iso-scan/+bug/838720 by
Sylvain Dansereau.

It seems that an unescaped $dir in debian/iso-scan.postinst makes
iso-scan exit while searching for iso images, if a folder name
contains spaces.

line 165:
isolist=$(find $dir $opt -name "*.iso" -o -name "*.ISO" 2>/dev/null)

#759174#10
Date:
2013-05-17 18:04:45 UTC
From:
To:
This bug is still present in debian wheezy using iso-scan 1.43
#759174#15
Date:
2013-12-29 13:59:05 UTC
From:
To:
Hello,

Trečiadienis 07 Rugsėjis 2011 11:57:14 rašė:

The patch is attached. I have been hit by this today and have spent hours
trying to understand what was going on.

#759174#22
Date:
2014-03-17 06:34:14 UTC
From:
To:
The patch is a simple fix, and should be applied with urgency. It will also
fix some other bugs

628991@bugs.debian.org
https://bugs.launchpad.net/ubuntu/+source/iso-scan/+bug/838720

Frans Pop seems to have noticed this in bug 440301 and thought he fixed it
in 2007:

#759174#27
Date:
2014-04-12 01:44:46 UTC
From:
To:
I attached a patched debian-installer (1.43 plus just adding quotes around
$dir in the iso-scan find statement). This used localudebs, so should not
be used for official purposes.

#759174#32
Date:
2014-05-26 19:28:07 UTC
From:
To:
Just lost 2 evenings debugging, the bug present in latest debian-installer "hd-media", "net-boot" and in separate package iso-scan (1.43+deb7u1).
Guys, just fix it also in production, please.

#759174#37
Date:
2014-06-30 08:08:09 UTC
From:
To:
Hi,

I just stumbled over this bug as it is still not fixed in the hd-media initrd.gz.

I have tried wheezy, jessie and sid, manually patching initrd.gz (with the patch
mentioned by Chris Tillman) made everything working again.

I suppose a lot of users can hit this bug, since a space in any path on any mountable
FS will cause this bug to trigger on installation and the error and error message
are rather cryptic.

Since the fix is already known for quite some time, limited in scope and very
obviously correct, *please* fix this ASAP in all the installation media, this
could very well hinder Debian adoption since installation fails early for no apparent
reason.

Thanks,

Sander

#759174#42
Date:
2014-07-07 01:56:21 UTC
From:
To:
Hi Modestas,

Modestas Vainius <modax@debian.org> (2013-12-29):

thanks for the patch but I'm not convinced, see below:

This part is certainly OK; at least I can't think of a reason why that
wouldn't be a good thing.

but then that means we're possibly going to fail here. Example:

kibi@wodi:~/isos$ ls */
baz/:
baz.iso

foo bar/:
foobar.iso
kibi@wodi:~/isos$ isolist=$(find "$dir" $opt -name "*.iso" -o -name
"*.ISO" 2>/dev/null)
kibi@wodi:~/isos$ for iso in $isolist; do echo "Found ISO $iso"; done
Found ISO ./foo
Found ISO bar/foobar.iso
Found ISO ./baz/baz.iso


I guess it would make sense to fix this for real instead of hiding it a
bit further. Unfortunately 4am isn't a great time to set up a reproducer
and to keep on hacking. :/

(Also, sorry for the lag.)

Mraw,
KiBi.

#759174#49
Date:
2014-08-14 05:05:21 UTC
From:
To:
Hi Cyril,

Thanks for your attention. I think that was my patch. (Chris Tillman).

The only line the patch is affecting is the one with find $dir, adding the
quotes to make it find "$dir".

The rest of it certainly does look strange, but anyway it works if you just
add the quotes. Maybe another time to refactor it, because we have been
waiting years for this patch already.

I verified today it is still present in the current testing installer.

Chris

#759174#54
Date:
2014-08-19 18:01:32 UTC
From:
To:
Hi KiBi,

[snip]

There are in effect two bugs here. The first, which the patch fixes,
is that any folder with spaces in its name will cause iso-scan's
postinst to fail, preventing the installation. The second, which the
patch doesn't fix, is that any ISO found in a folder with spaces in
its name won't be handled correctly.

The first bug is extremely confusing, since an otherwise OK USB key
with all the appropriate files in the right place will fail to
install, with no explicit error message, and worse than that with a
message on the fourth terminal indicating that the ISO was found and
is usable...

The second bug, which is mitigated in part by the existence test (line
170), will only prevent certain ISOs from being used, and won't abort
the installation.

Wouldn't it be acceptable to apply the patch, and add an erratum
indicating that ISOs shouldn't be placed in folders containing spaces
in their names?

Regards,

Stephen

#759174#59
Date:
2014-08-19 18:22:55 UTC
From:
To:
Hi Stephen ,

Stephen Kitt <skitt@debian.org> (2014-08-19):

Thanks for your analysis. If the consequences are those you mention I
agree that fixing the first bug right away (backporting as needed) is
desirable.

I'll probably clone this bug report for the second one, and deal with
the first one in a moment.

Mraw,
KiBi.

#759174#64
Date:
2014-08-25 01:13:10 UTC
From:
To:
Stephen Kitt <skitt@debian.org> (2014-08-19):

Hopefully the above commands will do the job to keep track of this
(lower severity) problem.

Mraw,
KiBi.

#759174#73
Date:
2014-11-09 15:00:49 UTC
From:
To:
Hi!

I would like to suggest the following patch to get rid of space-related
problems. The only two characters which are still "bad" in iso file
paths are newline (because output from find is split by newlines) and
"," (because $ISOS_FOUND is split by it by debconf and analyze_cd()
replaces commas with spaces).

I manually rebuilt the current hd-media/initrd.gz to include my version
of iso-scan.postinst and it did successfully find the file I named "/1 2
3/4 5 6/7 8 9.iso" (screenshot attached).

I set IFS to \n\0 because $() cuts the trailing newlines and I didn't
figure out a way to put \0 in a variable in dash. The result is that IFS
gets the value of \n.

Best regards,
Ivan