Bug#32828: dpkg-dev: control.tar.gz and data.tar.gz containing ./
On Wed, 3 Feb 1999, Gergely Madarasz wrote:
> On Wed, 3 Feb 1999, Ian Jackson wrote:
>
> > Madarasz Gergely writes ("Bug#32828: dpkg-dev: control.tar.gz and data.tar.gz containing ./"):
> > > Package: dpkg-dev
> > > Version: 1.4.0.31
> > >
> > > I've just wanted to check a package's contents and control information,
> > > and it made my /tmp almost unusable.
> > > I did tar xzvf control.tar.gz in /tmp, and since control.tar.gz contains
> > > drwxr-xr-x root/root 0 1999-02-01 19:21 ./
> > > it rewrote the perms of /tmp to 755 -> I got a non-working /tmp. It may
> > > happen in other directories, even when not run as root...
> >
> > Don't Do That Then.
>
> How should everybody know that this is dangerous? I had friends who
> told me that their /tmp mysteriously lost its permissions, and who
> never understood why. Now I understand. One would never expect that the
> permissions of the current directory can be changed because of a simple tar
> command.

Actually, it was probably a buggy package. We did have a couple of buggy
packages which reset /tmp.

>
> > > I guess the reason for this is that debian/tmp/DEBIAN was tarred as the
> > > current directory. The above case shows that it should be avoided, so it
> > > would be nicer if tar was called with tar <options> * instead of tar
> > > <options> .
> >
> > There might be dotfiles in DEBIAN.
>
> Then tar .* with excluding .. and . could do it.

Ian - is there any technical reason not to do this?

Could I persuade you to 'severity wishlist' the bug?

Jules

/----------------+-------------------------------+---------------------\
| Jelibean aka | jules@jellybean.co.uk | 6 Evelyn Rd |
| Jules aka | jules@debian.org | Richmond, Surrey |
| Julian Bean | jmlb2@hermes.cam.ac.uk | TW9 2TF *UK* |
+----------------+-------------------------------+---------------------+
| War doesn't demonstrate who's right... just who's left. |
| When privacy is outlawed... only the outlaws have privacy. |
\----------------------------------------------------------------------/
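
A way to check an archive for the ./ entry described in this report before unpacking it, and to unpack without letting that entry re-mode the target directory. This is an added example, not code from the thread or from dpkg; the sample archive and all function names are constructed for illustration.

```python
import io, os, shutil, stat, tarfile, tempfile

def build_sample():
    """Constructed stand-in for control.tar.gz: a './' entry (mode 0755) plus one file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        root = tarfile.TarInfo("./")
        root.type = tarfile.DIRTYPE
        root.mode = 0o755
        tf.addfile(root)
        data = b"Package: example\n"
        info = tarfile.TarInfo("./control")
        info.size = len(data)
        info.mode = 0o644
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def is_root(member):
    """True when the member names the extraction directory itself ('.', './')."""
    return os.path.normpath(member.name) == "."

def root_entries(blob):
    """Return (name, mode) for every member that would re-mode the target directory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return [(m.name, m.mode) for m in tf if is_root(m)]

def extract_keeping_dest_mode(blob, dest):
    """Extract into dest but skip root entries, so dest keeps its own permissions."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        keep = [m for m in tf.getmembers() if not is_root(m)]
        tf.extractall(dest, members=keep)
    return sorted(os.listdir(dest))

def demo():
    blob = build_sample()
    dest = tempfile.mkdtemp()       # fresh private directory instead of /tmp itself
    try:
        os.chmod(dest, 0o1777)      # mimic /tmp: sticky and world-writable
        before = stat.S_IMODE(os.stat(dest).st_mode)
        names = extract_keeping_dest_mode(blob, dest)
        after = stat.S_IMODE(os.stat(dest).st_mode)
        return root_entries(blob), names, before, after
    finally:
        shutil.rmtree(dest)

if __name__ == "__main__":
    print(demo())
```
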