
Bug#32828: dpkg-dev: control.tar.gz and data.tar.gz containing ./



On Wed, 3 Feb 1999, Gergely Madarasz wrote:

> On Wed, 3 Feb 1999, Ian Jackson wrote:
> 
> > Madarasz Gergely writes ("Bug#32828: dpkg-dev: control.tar.gz and data.tar.gz containing ./"):
> > > Package: dpkg-dev
> > > Version: 1.4.0.31
> > > 
> > > I've just wanted to check a package's contents and control information,
> > > and it made my /tmp almost unusable. 
> > > I did tar xzvf control.tar.gz in /tmp, and since control.tar.gz contains
> > > drwxr-xr-x root/root         0 1999-02-01 19:21 ./
> > > it rewrote the perms of /tmp to 755 -> I got a non-working /tmp. It may
> > > happen in other directories, even when not run as root...
> > 
> > Don't Do That Then.
> 
> How should everybody know that this is dangerous? I had friends who
> told me that their /tmp mysteriously lost its permissions, and who
> never understood why. Now I understand. One would never expect that the
> permissions of the current directory can be changed because of a simple tar
> command.

Actually, it was probably a buggy package.  We did have a couple of buggy
packages which reset /tmp.

> 
> > > I guess the reason for this is that debian/tmp/DEBIAN was tarred as the
> > > current directory. The above case shows that it should be avoided, so it
> > > would be nicer if tar was called with tar <options>  * instead of tar
> > > <options> .
> > 
> > There might be dotfiles in DEBIAN.
> 
> Then tar .* with excluding .. and . could do it.

Ian - is there any technical reason not to do this?

Could I persuade you to 'severity wishlist' the bug?

Jules

/----------------+-------------------------------+---------------------\
|  Jelibean aka  | jules@jellybean.co.uk         |  6 Evelyn Rd        |
|  Jules aka     | jules@debian.org              |  Richmond, Surrey   |
|  Julian Bean   | jmlb2@hermes.cam.ac.uk        |  TW9 2TF *UK*       |
+----------------+-------------------------------+---------------------+
|  War doesn't demonstrate who's right... just who's left.             |
|  When privacy is outlawed... only the outlaws have privacy.          |
\----------------------------------------------------------------------/
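
The check discussed in this thread, as an added example that is not part of the original message and not dpkg code: it lists an archive's members without extracting and reports any directory entry that resolves to the extraction directory itself (the `./` entry from the bug report), along with the mode it would impose. The sample archive is constructed inline, and the function names are hypothetical.

```python
import io
import os
import posixpath
import stat
import tarfile
import tempfile


def build_sample_archive() -> bytes:
    """Constructed sample: archive whose first member is './' with mode 0755."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        root = tarfile.TarInfo("./")
        root.type = tarfile.DIRTYPE
        root.mode = 0o755
        tar.addfile(root)
        body = b"Package: example\n"
        ctrl = tarfile.TarInfo("./control")
        ctrl.size = len(body)
        ctrl.mode = 0o644
        tar.addfile(ctrl, io.BytesIO(body))
    return buf.getvalue()


def root_dir_members(archive: bytes):
    """Return (name, mode) for directory members naming the extraction directory itself."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if member.isdir() and posixpath.normpath(member.name) == ".":
                hits.append((member.name, stat.S_IMODE(member.mode)))
    return hits


def mode_changes(target_dir: str, archive: bytes):
    """Return (current_mode, archive_mode) pairs that differ; nothing is extracted."""
    current = stat.S_IMODE(os.stat(target_dir).st_mode)
    return [(current, mode) for _, mode in root_dir_members(archive) if mode != current]


def demo():
    """Check the sample against a scratch directory set up like /tmp (mode 1777)."""
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, 0o1777)
        return mode_changes(scratch, build_sample_archive())


if __name__ == "__main__":
    for old, new in demo():
        print(f"extracting here would reset the directory mode {old:04o} -> {new:04o}")
```
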

