Re: debhelper & /usr/bin/passwd

To: Ossama Othman <othman@cs.wustl.edu>
Cc: debian-devel@lists.debian.org
Subject: Re: debhelper & /usr/bin/passwd
From: Mitch Blevins <mblevin@debian.org>
Date: Mon, 25 Jan 1999 23:38:26 -0500
Message-id: <[🔎] 19990125233826.A6863@turd.mountaintop>
Reply-to: Mitch Blevins <mblevin@debian.org>
In-reply-to: <[🔎] Pine.SOL.3.96.990125215316.29735A-100000@macarena>; from Ossama Othman on Mon, Jan 25, 1999 at 10:00:50PM -0600
References: <[🔎] E104zNt-0001lX-00@turd.mountaintop> <[🔎] Pine.SOL.3.96.990125215316.29735A-100000@macarena>

Ossama Othman wrote:
> Hi Mitch,
> 
> > Could you please post the version(s) you have and which mirror you
> > got it from?
> 
> Sure!  chsh and chfn were also in debhelper!  I got debhelper using
> dselect/apt.  Here is all the info you requested:
> 
> % cat /etc/apt/sources.list
> deb http://http.us.debian.org/debian unstable main contrib non-free
> deb http://non-us.debian.org/debian-non-US unstable non-US
> 
> % dpkg -l debhelper
> ii  debhelper       1.2.28         helper programs for debian/rules
> 
> % dpkg --listfiles debhelper | grep /usr/bin/
> /usr/bin/dh_builddeb
> /usr/bin/dh_clean
> /usr/bin/dh_compress
> /usr/bin/dh_du
> /usr/bin/dh_fixperms
> /usr/bin/dh_gencontrol
> /usr/bin/dh_installchangelogs
> /usr/bin/dh_installcron
> /usr/bin/dh_installdeb
> /usr/bin/dh_installdebfiles
> /usr/bin/dh_installdirs
> /usr/bin/dh_installdocs
> /usr/bin/dh_installexamples
> /usr/bin/dh_installinit
> /usr/bin/dh_installmanpages
> /usr/bin/dh_installmenu
> /usr/bin/dh_makeshlibs
> /usr/bin/dh_md5sums
> /usr/bin/dh_movefiles
> /usr/bin/dh_shlibdeps
> /usr/bin/dh_strip
> /usr/bin/dh_suidregister
> /usr/bin/dh_testdir
> /usr/bin/dh_testroot
> /usr/bin/dh_testversion
> /usr/bin/dh_undocumented
> /usr/bin/dh_debstd
> /usr/bin/dh_installemacsen
> /usr/bin/dh_installwm
> /usr/bin/dh_link
> /usr/bin/dh_listpackages
> /usr/bin/passwd
> /usr/bin/chsh
> /usr/bin/chfn
> 
> Okay, I think we can be pretty sure the last three entries don't belong
> there.  What do you think is the problem?

Well, I got the deb and source and dsc from the mirror you pointed out,
and it _does_ have these files as symlinks in them pointing to
sysdb-wrapper.

It doesn't look like a trojan (this weeks hot topic) because his pgp sig
matches the md5sum of the tarfile, and the tarfile reproduces the symlinks
in the resulting deb.

So, I would just treat it as a bug.  Please file a critical bug report
against this package, or let me know if you don't and I will file it.

I would downgrade your debhelper to 1.2.27 and reinstall the passwd
package.  Thanks for finding this bug.

-Mitch

Attachment: pgpgotnppsyrC.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: debhelper & /usr/bin/passwd
  - From: Ossama Othman <othman@cs.wustl.edu>
- Re: debhelper & /usr/bin/passwd
  - From: Mitch Blevins <mblevin@mindspring.com>

References:
- Re: debhelper & /usr/bin/passwd
  - From: Mitch Blevins <mblevin@mindspring.com>
- Re: debhelper & /usr/bin/passwd
  - From: Ossama Othman <othman@cs.wustl.edu>

Prev by Date: Re: debhelper & /usr/bin/passwd
Next by Date: WARNING: Re: debhelper & /usr/bin/passwd
Previous by thread: Re: debhelper & /usr/bin/passwd
Next by thread: Re: debhelper & /usr/bin/passwd
Index(es):
- Date
- Thread