Re: Debian Jessie - Incorrect permissions on /bin directory

To: Yves-Alexis Perez <corsac@debian.org>, debian-release@lists.debian.org
Cc: HacKurx <hackurx@gmail.com>, debian-boot@lists.debian.org, security@debian.org
Subject: Re: Debian Jessie - Incorrect permissions on /bin directory
From: Cyril Brulebois <kibi@debian.org>
Date: Wed, 3 Feb 2016 14:37:01 +0100
Message-id: <[🔎] 20160203133701.GD2766@mraw.org>
In-reply-to: <1454506199.7684.6.camel@debian.org>
References: <CAFwXZv8TQNa+tctK0=WB96WAAHigtGzALQoq16J6LTjtGFsefQ@mail.gmail.com> <1454428107.6600.8.camel@debian.org> <1454429360.6600.10.camel@debian.org> <20160202161658.GD19682@mraw.org> <1454506199.7684.6.camel@debian.org>

[Context: packages shipping /bin with “funny” permissions, seen in stable.]

Yves-Alexis Perez <corsac@debian.org> (2016-02-03):
> On mar., 2016-02-02 at 17:16 +0100, Cyril Brulebois wrote:
> > I didn't check the whole archive, but doing so might be interesting.
> 
> I did a quick check on a local mirror (which might be incomplete), and found
> three packages with errors:
> 
> dpkg -c debian/pool/main/s/sed/sed_4.2.2-4+b1_amd64.deb |grep bin/$
> drwxrwxr-x root/root         0 2014-11-08 19:28 ./bin/
> dpkg -c debian/pool/main/l/lpe/lpe_1.2.7-2_amd64.deb|grep bin/$ 
> drwxrwxr-x root/root         0 2014-12-24 23:14 ./usr/bin/
> dpkg -c debian/pool/main/u/ucspi-proxy/ucspi-proxy_0.99-1_amd64.deb|grep bin/$
> drwxrwxr-x root/root         0 2014-08-10 18:08 ./usr/bin/
> 
> Note that lintian complains a lot about them:
> 
> lintian sed_4.2.2-4+b1_amd64.deb
> W: sed: syntax-error-in-debian-changelog line 1 "unknown key-value key Binary-only - copying to XS-Binary-only"
> W: sed: latest-debian-changelog-entry-without-new-date
> E: sed: control-file-has-bad-permissions md5sums 0664 != 0644
> W: sed: description-synopsis-starts-with-article
> W: sed: non-standard-dir-perm bin/ 0775 != 0755
> W: sed: package-contains-timestamped-gzip usr/share/doc/sed/changelog.Debian.gz
> W: sed: non-standard-dir-perm usr/share/info/ 0775 != 0755
> W: sed: package-contains-timestamped-gzip usr/share/info/sed.info.gz
> W: sed: non-standard-dir-perm usr/share/locale/ 0775 != 0755
> W: sed: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
> W: sed: package-contains-timestamped-gzip usr/share/man/man1/sed.1.gz
> 
> It looks like an umask problem at package build time. Right now it doesn't
> seem to have obvious security issues (like world writable /bin) but I'm not
> too sure there are not other stuff hidden.
> 
> I guess it'd make sense to do an archive-wide lintian run to look for that
> kind of mistakes, and then ask for stable binNMUs of the relevant packages.

It seems to me that lintian looks at testing/unstable (at least looking
at https://lintian.debian.org/full/clint@debian.org.html#sed_4.2.2-6),
so I'm not sure this would help for stable.
> 
> What do you think?

I think debian-release@ needs to be in the loop, doing so.

Mraw,
KiBi.

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: NEW changes in oldstable-new
Next by Date: Re: Bug#791195: fixed in lttoolbox 3.3.2~r61000-3.1
Previous by thread: NEW changes in oldstable-new
Next by thread: Bug#813047: marked as done (transition: proftpd-dfsg)
Index(es):
- Date
- Thread