Bug#1052281: apt: Configuration::checkUsrMerged does not check st_dev

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1052281: apt: Configuration::checkUsrMerged does not check st_dev
From: Jean Privat <jean.privat@gmail.com>
Date: Tue, 19 Sep 2023 15:00:56 -0400
Message-id: <[🔎] 169515005600.1810040.7989078620421085803.reportbug@ebg3>
Reply-to: Jean Privat <jean.privat@gmail.com>, 1052281@bugs.debian.org

Package: apt
Version: 2.6.1
Severity: normal
X-Debbugs-Cc: jean.privat@gmail.com

Dear Maintainer,

https://salsa.debian.org/apt-team/apt/-/blob/main/apt-
pkg/aptconfiguration.cc#L559 shows that `st_ino` is used to check that `/foo`
and `/usr/foo` entries resolve to the same inode.
However it does not check that the inode are on the same file system.

While usually unlikely, it's possible that both entries give a same inode
number but on two different devices, then possibly break the whole Debian
installation.

A simple fix could be to also check the `st_dev` field.

- if (root.st_ino != usr.st_ino)
+ if (root.st_ino != usr.st_ino || root.st_dev != usr.st_dev)


-- Package-specific info:

-- (/etc/apt/preferences present, but not submitted) --


-- (no /etc/apt/preferences.d/* present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- (/etc/apt/sources.list.d/docker.list present, but not submitted) --


-- (/etc/apt/sources.list.d/google-chrome.list present, but not submitted) --


-- (/etc/apt/sources.list.d/lutris.list present, but not submitted) --


-- (/etc/apt/sources.list.d/nordvpn.list present, but not submitted) --


-- (/etc/apt/sources.list.d/steam-beta.list present, but not submitted) --


-- (/etc/apt/sources.list.d/steam-stable.list present, but not submitted) --


-- (/etc/apt/sources.list.d/teams.list present, but not submitted) --


-- (/etc/apt/sources.list.d/winehq-bullseye.sources present, but not submitted) --


-- System Information:
Debian Release: 12.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable'), (110, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, riscv64

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apt depends on:
ii  adduser                 3.134
ii  debian-archive-keyring  2023.3
ii  gpgv                    2.2.40-1.1
ii  libapt-pkg6.0           2.6.1
ii  libc6                   2.36-9+deb12u1
ii  libgcc-s1               12.2.0-14
ii  libgnutls30             3.7.9-2
ii  libseccomp2             2.5.4-1+b3
ii  libstdc++6              12.2.0-14
ii  libsystemd0             252.12-1~deb12u1

Versions of packages apt recommends:
ii  ca-certificates  20230311

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.13-5
ii  dpkg-dev        1.21.22
ii  gnupg           2.2.40-1.1
ii  gnupg2          2.2.40-1.1
ii  powermgmt-base  1.37
ii  synaptic        0.91.3

-- no debconf information

Reply to:

Follow-Ups:
- Bug#1052281: marked as done (apt: Configuration::checkUsrMerged does not check st_dev)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#1052058: apt: refuses to downgrade itself to a version that works on the system
Next by Date: Bug#1052281: marked as done (apt: Configuration::checkUsrMerged does not check st_dev)
Previous by thread: espero verte
Next by thread: Bug#1052281: marked as done (apt: Configuration::checkUsrMerged does not check st_dev)
Index(es):
- Date
- Thread