Comment 1 for bug 1861281

Gianni Tedesco (scara) wrote : Re: checkinstall may add local root exploits to packages with symlinks in them

A related bug, which I don't want to post separately because it's too close to this one, is that when the tar creation has the symlink and the target in the opposite order, checkinstall fails totally (note that the command being run works when NOT being run under checkinstall):

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 - Maintainer: [ root@turf ]
1 - Summary: [ Package created with checkinstall 1.6.2 ]
2 - Name: [ vulnerable ]
3 - Version: [ 13.37 ]
4 - Release: [ 2 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ amd64 ]
8 - Source location: [ checkpwn ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ vulnerable ]
12 - Conflicts: [ ]
13 - Replaces: [ ]

Enter a number to change any of them or press ENTER to continue:

Installing with bash -c gzip -cd rev.tar.gz| (cd /; tar xv)...

========================= Installation results ===========================
usr/bin/vulnerable
tar: usr/bin/vulnerable: Cannot change mode to rwxrwxrwx: No such file or directory
usr/bin/writable
tar: Exiting with failure status due to previous errors

**** Installation failed. Aborting package creation.

Cleaning up...OK

Bye.
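
An added example, not part of the original comment or of checkinstall: a check that reports, for each symlink in a tar archive, whether its target is stored earlier, later or not at all, which is the ordering condition the comment describes. The sample archive is constructed, and treating `usr/bin/vulnerable` as a symlink to `writable` is an assumption.

```python
import io
import posixpath
import tarfile


def audit_symlinks(fileobj):
    """List (link, resolved_target, status) for each symlink in a tar archive.
    status is 'target-earlier', 'target-later' or 'target-absent' by member order;
    an absent target may still exist on the system the archive is unpacked on."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        members = tar.getmembers()  # returned in archive order
    first_seen = {}
    for index, member in enumerate(members):
        first_seen.setdefault(posixpath.normpath(member.name), index)
    findings = []
    for index, member in enumerate(members):
        if not member.issym():
            continue
        # Assumption: absolute targets are mapped as if extracted at /.
        base = "" if member.linkname.startswith("/") else posixpath.dirname(member.name)
        target = posixpath.normpath(posixpath.join(base, member.linkname.lstrip("/")))
        seen = first_seen.get(target)
        if seen is None:
            status = "target-absent"
        else:
            status = "target-earlier" if seen < index else "target-later"
        findings.append((posixpath.normpath(member.name), target, status))
    return findings


def build_sample(order):
    """Constructed gzip'd tar with the given member order (not from the report)."""
    buf, body = io.BytesIO(), b"#!/bin/sh\n"
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            if name == "usr/bin/vulnerable":  # assumed to be the symlink
                info.type, info.linkname = tarfile.SYMTYPE, "writable"
                tar.addfile(info)
            else:
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(audit_symlinks(build_sample(["usr/bin/vulnerable", "usr/bin/writable"])))
```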