• Bug#1067876: dpkg allows installation of malformed .deb packages result

    From Guillem Jover@1:229/2 to Tobias on Fri Mar 29 00:10:04 2024
    XPost: linux.debian.bugs.dist

    Hi!

    On Thu, 2024-03-28 at 09:54:36 +0000, Grueninger, Tobias wrote:
    Package: dpkg
    Version: 1.20.12
    Severity: wishlist

    In our case we did install a package from a 3rd party which apparently
    uses a non-conforming .deb package building tool (unknown to us),
    resulting in a malformed data.tar.gz.

    dpkg did allow this package to be completely installed but generated a malformed .list file.

    Ah, not good, indeed.

    This, as a consequence, did prevent later installation of any other package,
    as dpkg's .list file database was broken, resulting in the following
    error message:

    Selecting previously unselected package <package>.
    (Reading database ...
    dpkg: unrecoverable fatal error, aborting:
    files list file for package 'xxx-config--xxx' contains empty filename

    Analysis of the .deb package showed

    dpkg -c xxx-config-xxx.deb
    1 drwxrwxr-x root/root 0 2023-09-07 08:36 ./
    2 drwxrwxr-x root/root 0 2023-09-07 08:36 .//
    3 drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/
    4 drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/fff/
    ...

    * The offending malformation is the second line, containing './/', which does
    not conform to the standard, resulting in the following .list file:

    cat -v -t -e ./lib/dpkg/info/xxx-config-xxx.list
    1 /.$
    2 /$
    3 /ddd$
    4 /ddd/fff$
    ...

    * The '/$' does break the .list file parsing when later installing other
    .deb packages.

    Clearly the root cause is the use of 3rd party malformed .deb package
    tooling; nevertheless, my wish to improve would be the following:

    1. As dpkg does parse all existing .list files during installation of
    a .deb package and understands if one of them is malformed, it shall
    do this also for the newly generated .deb package .list file.
    2. If the newly generated .deb package .list file does fail the check,
    the installation shall be aborted and rolled back.

    Thank you for the detailed and very helpful report!

    I've prepared a couple of changes to catch these conditions, will check
    whether there are more things that should be verified, and add some
    test cases for these. Will queue these for git main and probably mark
    them as stable candidates.

    Thanks,
    Guillem
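
    An added example, not part of the original thread and not dpkg's own code: a pre-install audit that flags the two artefacts shown in the report, member names with empty path components in `dpkg -c` output and `.list` entries that are empty once trailing slashes are removed. The function names and sample inputs are hypothetical and constructed from the listings above; treating a bare '/' as empty is an assumption taken from the reported error.

```python
"""Pre-install audit for the two artefacts shown in the report (added example)."""

# Constructed sample: `dpkg -c` output modelled on the listing in the report.
SAMPLE_CONTENTS = """\
drwxrwxr-x root/root 0 2023-09-07 08:36 ./
drwxrwxr-x root/root 0 2023-09-07 08:36 .//
drwxrwxr-x root/root 0 2023-09-07 08:36 .//ddd/
-rw-r--r-- root/root 12 2023-09-07 08:36 ./ddd/fff/conf file
"""

# Constructed sample: .list content modelled on the one in the report.
SAMPLE_LIST = "/.\n/\n/ddd\n/ddd/fff\n"


def member_names(contents_output):
    """Extract the path column from `dpkg -c` style lines."""
    names = []
    for line in contents_output.splitlines():
        fields = line.split(None, 5)  # mode, owner, size, date, time, path
        if len(fields) == 6:
            names.append(fields[5].split(" -> ")[0])  # drop symlink target
    return names


def suspicious_members(names):
    """Return member names with empty path components, such as './/'."""
    return [n for n in names if "//" in n]


def broken_list_entries(list_text):
    """Return (line_number, entry) pairs that are empty once trailing
    slashes are removed, or that are not absolute paths.

    Assumption: treating a bare '/' as empty mirrors the report, where
    the '/' line triggered "contains empty filename".
    """
    bad = []
    for number, entry in enumerate(list_text.splitlines(), start=1):
        if entry.rstrip("/") == "" or not entry.startswith("/"):
            bad.append((number, entry))
    return bad


if __name__ == "__main__":
    print(suspicious_members(member_names(SAMPLE_CONTENTS)))
    print(broken_list_entries(SAMPLE_LIST))
```

    Running the first check on a third-party package before installation, and the second over the existing .list files afterwards, surfaces the problem before the next install aborts on it.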
