--- Begin Message ---
Package: apt
Version: 2.6.1
Severity: normal
X-Debbugs-Cc: jean.privat@gmail.com
Dear Maintainer,
https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/aptconfiguration.cc#L559
shows that `st_ino` is used to check that `/foo` and `/usr/foo` entries
resolve to the same inode.
However, it does not check that the inodes are on the same file system.
While usually unlikely, it's possible that both entries give the same inode
number but on two different devices, and then possibly break the whole Debian
installation.
A simple fix could be to also check the `st_dev` field.
- if (root.st_ino != usr.st_ino)
+ if (root.st_ino != usr.st_ino || root.st_dev != usr.st_dev)
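Review bot: the new `if` condition carries no comment explaining why `st_dev` is compared alongside `st_ino`; add one next to it stating that an inode number is only unique within a single file system, so the second comparison is not later dropped as redundant. It is also worth confirming how the check behaves in setups where `/foo` and `/usr/foo` can report different device numbers for what is the same directory, since `root.st_dev != usr.st_dev` would then take the same branch as a genuine inode mismatch.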
-- Package-specific info:
-- (/etc/apt/preferences present, but not submitted) --
-- (no /etc/apt/preferences.d/* present) --
-- (/etc/apt/sources.list present, but not submitted) --
-- (/etc/apt/sources.list.d/docker.list present, but not submitted) --
-- (/etc/apt/sources.list.d/google-chrome.list present, but not submitted) --
-- (/etc/apt/sources.list.d/lutris.list present, but not submitted) --
-- (/etc/apt/sources.list.d/nordvpn.list present, but not submitted) --
-- (/etc/apt/sources.list.d/steam-beta.list present, but not submitted) --
-- (/etc/apt/sources.list.d/steam-stable.list present, but not submitted) --
-- (/etc/apt/sources.list.d/teams.list present, but not submitted) --
-- (/etc/apt/sources.list.d/winehq-bullseye.sources present, but not submitted) --
-- System Information:
Debian Release: 12.1
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable'), (110, 'testing'), (10, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, riscv64
Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apt depends on:
ii adduser 3.134
ii debian-archive-keyring 2023.3
ii gpgv 2.2.40-1.1
ii libapt-pkg6.0 2.6.1
ii libc6 2.36-9+deb12u1
ii libgcc-s1 12.2.0-14
ii libgnutls30 3.7.9-2
ii libseccomp2 2.5.4-1+b3
ii libstdc++6 12.2.0-14
ii libsystemd0 252.12-1~deb12u1
Versions of packages apt recommends:
ii ca-certificates 20230311
Versions of packages apt suggests:
pn apt-doc <none>
ii aptitude 0.8.13-5
ii dpkg-dev 1.21.22
ii gnupg 2.2.40-1.1
ii gnupg2 2.2.40-1.1
ii powermgmt-base 1.37
ii synaptic 0.91.3
-- no debconf information
--- End Message ---
--- Begin Message ---
On Tue, Sep 19, 2023 at 03:00:56PM -0400, Jean Privat wrote:
> Package: apt
> Version: 2.6.1
> Severity: normal
> X-Debbugs-Cc: jean.privat@gmail.com
>
> Dear Maintainer,
>
> https://salsa.debian.org/apt-team/apt/-/blob/main/apt-pkg/aptconfiguration.cc#L559
> shows that `st_ino` is used to check that `/foo` and `/usr/foo` entries
> resolve to the same inode.
> However, it does not check that the inodes are on the same file system.
>
> While usually unlikely, it's possible that both entries give the same inode
> number but on two different devices, and then possibly break the whole Debian
> installation.
>
> A simple fix could be to also check the `st_dev` field.
>
> - if (root.st_ino != usr.st_ino)
> + if (root.st_ino != usr.st_ino || root.st_dev != usr.st_dev)
There have been concerns that such a change could break APT when
overlayfs and similar technologies are involved.
As this is only a heuristic to block unmerged /usr and not intended
to be foolproof, we have decided to remove the device number check
to reduce the chance of issues.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
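
The file-identity comparison discussed in this thread, as an added example that is not part of the original messages and is not APT's code: it separates "same inode number" from "same file" by also comparing `st_dev`, and reports the collision case the report describes. The names `Merge`, `classify`, `classify_paths` and `constructed_collision` are hypothetical, and the sample `struct stat` values are constructed.

```cpp
// Added example (not APT's code): classify a "/foo" vs "/usr/foo" pair by
// comparing both st_dev and st_ino, because an inode number is unique only
// within one file system.
#include <sys/stat.h>
#include <cstdio>

enum class Merge { Merged, InodeCollision, Distinct, Missing };

// Pure comparison on two stat results, so it can be exercised with
// constructed values as well as real paths.
Merge classify(const struct stat &root, const struct stat &usr)
{
   if (root.st_ino != usr.st_ino)
      return Merge::Distinct;
   // Same inode number: it is the same file only if the device matches too.
   return root.st_dev == usr.st_dev ? Merge::Merged : Merge::InodeCollision;
}

// stat() follows symlinks, so on a merged-/usr system the symlink
// /bin -> usr/bin yields the same (st_dev, st_ino) pair as /usr/bin.
Merge classify_paths(const char *root_path, const char *usr_path)
{
   struct stat root, usr;
   if (stat(root_path, &root) != 0 || stat(usr_path, &usr) != 0)
      return Merge::Missing;
   return classify(root, usr);
}

// Constructed sample: equal inode number reported on two different devices.
// An st_ino-only comparison would call these the same file.
Merge constructed_collision()
{
   struct stat a = {}, b = {};
   a.st_ino = b.st_ino = 1234;
   a.st_dev = 1;
   b.st_dev = 2;
   return classify(a, b);
}

int main()
{
   static const char *names[] = {"merged", "inode collision", "distinct", "missing"};
   std::printf("/bin vs /usr/bin: %s\n",
               names[static_cast<int>(classify_paths("/bin", "/usr/bin"))]);
   std::printf("constructed pair: %s\n",
               names[static_cast<int>(constructed_collision())]);
   return 0;
}
```

Reporting the collision as its own result, rather than folding it into "distinct", lets a caller decide how strict to be on layered file systems such as the overlayfs case raised in the reply.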