[buildd-tools-devel] Bug#836175: Bug#836175: libsbuild-perl: Do not use single quotes in embedded perl script

Johannes Schauer josch at debian.org
Wed Aug 31 17:11:38 UTC 2016


Hi,

Quoting Samuel Thibault (2016-08-31 18:33:12)
> The host is jessie with perl and sbuild upgraded to stretch. The chroot is
> sid.  But I don't see how this could be related.  AIUI it's a question of
> getting ResolverBase's run_apt_ftparchive called (i.e. AIUI make sure to use
> the apt build-dep resolver), and get ChrootPlain's or ChrootSudo's
> get_command_internal called by run_apt_ftparchive (I notably use
> $chroot_mode='sudo';), so it doesn't seem to depend on the versions of other
> software.
> 
> Do you get to see the "Stripped single quote from command for security:"
> message at least?

nope:

$ grep 'Debian sbuild' ../pkg-source_1.0_amd64.build
sbuild (Debian sbuild) 0.71.0 (24 Aug 2016) on hoothoot
$ grep 'Stripped' ../pkg-source_1.0_amd64.build
$ echo $?
1

I also wonder what this single quote stripping is supposed to achieve in the
first place. How does it enhance security? I think it was first introduced by
Roger Leigh in commit ec49ae9cc6669b9a60d04b0a9186181b93748153 for
lib/Sbuild/Chroot.pm.

Additionally, current sbuild only seems to have this message in
lib/Sbuild/ChrootPlain.pm and lib/Sbuild/ChrootSudo.pm. Are you not using
schroot for your chroots?

Thanks!

cheers, josch
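[Editor's note, not part of the message above and not sbuild's own code: the
"Stripped single quote" message refers to a wrapper that embeds a command in
sh -c '<command>' (or an equivalent su/sudo invocation). The added example
below models that pattern with a constructed sample command and compares
three treatments of a single quote inside it: leaving it alone, deleting it,
and the standard '\'' escape. The function names and the sample command are
assumptions made for the illustration.]

```shell
#!/bin/sh
# Added illustration, not code from sbuild. It models a wrapper that embeds
# caller-supplied command text in   sh -c '<command>'   and shows what a
# single quote inside that command does under three treatments.

# Naive wrapper: concatenate the command into a single-quoted string and hand
# the result to another shell. A child sh parses it, so a quoting error only
# yields a non-zero exit status instead of aborting this script.
run_wrapped() {
    sh -c "sh -c '$1'"
}

# Treatment A: delete every single quote (what the sbuild message describes).
strip_single_quotes() {
    printf '%s' "$1" | tr -d "'"
}

# Treatment B: the standard shell idiom; replace each ' with '\'' so the
# single-quoted string is closed, a literal quote inserted, and reopened.
escape_single_quotes() {
    q="'" rest=$1 out=
    while [ -n "$rest" ]; do
        case $rest in
            *"$q"*) out="$out${rest%%"$q"*}$q\\$q$q"; rest=${rest#*"$q"} ;;
            *)      out="$out$rest"; rest= ;;
        esac
    done
    printf '%s' "$out"
}

# Constructed sample input: a perfectly legitimate command whose argument
# happens to contain an apostrophe.
SAMPLE_CMD='echo "don'\''t"'

# Untreated: the embedded quote terminates the wrapper's own quoting, the
# outer sh reports a syntax error and the command never runs.
demo_untreated() {
    run_wrapped "$SAMPLE_CMD" 2>/dev/null || echo "SYNTAX ERROR"
}

# Stripped: the wrapper stays well-formed, but the inner shell now runs
# echo "dont", so the command's meaning has silently changed.
demo_stripped() {
    run_wrapped "$(strip_single_quotes "$SAMPLE_CMD")"
}

# Escaped: the wrapper stays well-formed and the inner shell runs exactly
# echo "don't".
demo_escaped() {
    run_wrapped "$(escape_single_quotes "$SAMPLE_CMD")"
}

show_all() {
    printf 'untreated: %s\n' "$(demo_untreated)"
    printf 'stripped:  %s\n' "$(demo_stripped)"
    printf 'escaped:   %s\n' "$(demo_escaped)"
}

show_all
```

Deleting the quote keeps the wrapper's own quoting intact, which is all it can
do; it does not keep the embedded command's meaning, whereas the '\'' escape
preserves both. Passing the command and its arguments as separate argv
entries, with no intermediate shell, avoids the problem entirely.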