Böck: Multiple vulnerabilities in RPM – and a rant

Posted Aug 30, 2016 22:33 UTC (Tue) by guillemj (subscriber, #49706)
In reply to: Böck: Multiple vulnerabilities in RPM – and a rant by Darkmere
Parent article: Böck: Multiple vulnerabilities in RPM – and a rant

> Other massive failures like maintainer scripts failing if the user inside a root doesn't exist _outside_ it ( dpkg really doesn't do roots very well).

That should (in principle!) not happen when using either --root or --instdir, but if you have a reproducer I'm very interested in a bug report, or a short recipe, so that I can get it fixed. Thanks.

Böck: Multiple vulnerabilities in RPM – and a rant

Posted Aug 31, 2016 21:58 UTC (Wed) by Darkmere (subscriber, #53695) [Link] (1 responses)

Sure, basic set was this:

On a system (well, container) created with `debootstrap --include=debootstrap stable <something>`, run:
`debootstrap stable newroot`

This means that the building container doesn't have `dbus` installed and the chroot inside does. Wich causes debootstrap to fail.

Böck: Multiple vulnerabilities in RPM – and a rant

Posted Aug 31, 2016 22:44 UTC (Wed) by guillemj (subscriber, #49706) [Link]

Ah, so this is running deboostrap. I just rechecked to be sure, and debootstrap never calls dpkg with --root nor --instdir, it instead invokes the dpkg from the chroot via a chrooting method. So this is exclusively a problem with debootstrap, and not dpkg itself. It might be related to https://bugs.debian.org/823982, or perhaps even https://bugs.debian.org/829134 (given that you talk about containers). In any case, if neither of those are related, you might want to file a bug report on debootstrap, that'd be appreciated.