Bug#787630: libstdc++6: unsafe rm -rf on __pycache__ dir can wipe all filesystems
Package: libstdc++6
Version: 5.1.1-9
Severity: grave
Justification: causes non-serious data loss
The postinst script of libstdc++6 attempts to remove all __pycache__ dirs
from /usr/share/gcc-4.9/python, but doesn't do this in a secure way.
If you had accidentally created files in /usr/share/gcc-4.9/python with a
space in the name, there is a possibility that the package upgrade will
trigger a 'rm -rf /'.
The package upgrade also warns about a non-existent /usr/share/gcc-4.9/python
when the dir does not exist.
I would advise using this instead:

if [ -n "$2" -a -d /usr/share/gcc-4.9/python ] && dpkg --compare-versions "$2" lt 5.1.1-9; then
    find /usr/share/gcc-4.9/python -name __pycache__ -print0 | xargs -0 -r rm -rf
fi
-- System Information:
Debian Release: stretch/sid
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
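The failure mode the report describes, as an added example that is not part of the bug report and not the libstdc++6 postinst itself: the exact form of the original maintainer script is not shown on this page, so the unsafe variant below assumes it hands find's output to rm through an unquoted command substitution. The sandbox layout, the file names and the helper names (make_sandbox, unsafe_cleanup, safe_cleanup) are constructed for the demonstration. Everything runs inside a throwaway directory from mktemp, so the word-splitting damage is confined to that sandbox.

```shell
#!/bin/sh
# Added example, not the libstdc++6 postinst: shows why an unquoted
# command substitution around find output is unsafe when a path
# contains a space, and what the find -print0 | xargs -0 -r form
# proposed in the report does instead.

# Build a constructed sandbox that mimics /usr/share/gcc-4.9/python:
#   $sb/a/important.txt         an innocent sibling directory
#   $sb/a b/__pycache__/x.pyc   a cache dir under a name with a space
#   $sb/ok/__pycache__/y.pyc    a cache dir with a well-behaved name
# Prints the sandbox path on stdout.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/a" "$sb/a b/__pycache__" "$sb/ok/__pycache__"
    : > "$sb/a/important.txt"
    : > "$sb/a b/__pycache__/x.pyc"
    : > "$sb/ok/__pycache__/y.pyc"
    printf '%s\n' "$sb"
}

# The unsafe pattern (assumed form of what the report describes).
# find's output is word-split, so "./a b/__pycache__" becomes the two
# arguments "./a" and "b/__pycache__": rm deletes ./a (the wrong
# target) and never touches the real cache dir. With a stray
# space-containing entry under a top-level path, one fragment can be
# "/". The subshell cd keeps the relative fragment inside the sandbox.
unsafe_cleanup() {
    [ -d "$1" ] || return 0
    # shellcheck disable=SC2046
    ( cd "$1" && rm -rf $(find . -name __pycache__) )
}

# The fix proposed in the report: NUL-separated paths survive spaces
# and newlines, xargs -r skips running rm when find prints nothing,
# and the -d test avoids the warning when the directory is absent.
safe_cleanup() {
    [ -d "$1" ] || return 0
    find "$1" -name __pycache__ -print0 | xargs -0 -r rm -rf
}
```

Running unsafe_cleanup on a fresh sandbox removes a/important.txt and leaves "a b/__pycache__" in place; safe_cleanup removes both __pycache__ directories and nothing else, and returns quietly when given a path that does not exist.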