Bug#514016: mkdir && tar && cp/mv

[Askar Safin <safinaskar@mail.ru>]

Also, I have this idea: let's create empty dir and untar into it. Then copy or move content of this dir into target using "cp" or "mv" with specially picked set of options.

And I still think that debootstrap and cdebootstrap should check whether target is empty as a safety measure in any case.

Also, I thought bug I reported still applies to modern hosts. If you have modern host (say, stretch) and perform double debootstrap (one squeeze and one wheezy) into same dir, this (as I thought) will write to host's /lib/ld-linux-x86-64.so.2 . Fortunately, this will not cause any bad consequences.

But now I performed tests. I used stretch host, stretch's debootstrap 1.0.89 and stretch's cdebootstrap 0.7.7+b1. And I see no bug. When that libc6 extracts during second (c)debootstrap, symlink /tmp/target/lib64 is replaced with regular dir /tmp/target/lib64 and then (c)debootstrap writes to this dir. So, there is no (even harmless) leak to host. Maybe tar changed?

So, it seems that the bug #514015/#514016 is fixed. But I am not sure, it is possible that my observation is due to special structure of Debian packages. What if some malformed untrusted Debian packages may still cause leaked files?

==
Askar Safin
http://vk.com/safinaskar