Package: debhelper
Version: 13.10
Severity: important

util-linux dbgsym packages install /usr/lib/debug/.dwz/i386-linux-gnu/ (and other multiarch triplets) writable by an essentially random uid (= uid of the user running the build on the build system).

This was noticed by the reproducible-builds diff check, and can be seen here:
https://tests.reproducible-builds.org/debian/dbd/unstable/i386/util-linux_2.38.1-1.1.diffoscope.html

Example:

bsdextrautils-dbgsym_2.38.1-1.1_i386.deb
 data.tar.xz
  file list:
- drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2022-10-08·13:17:31.000000·./usr/lib/debug/.dwz/i386-linux-gnu/
+ drwxr-xr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2022-10-08·13:17:31.000000·./usr/lib/debug/.dwz/i386-linux-gnu/

Indeed, installing bsdextrautils-dbgsym_2.38.1-1.1+b1_i386.deb from the debian-debug archive results in:

stat /usr/lib/debug/.dwz/i386-linux-gnu
  File: /usr/lib/debug/.dwz/i386-linux-gnu
  Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8,17 Inode: 658054 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 2952/ UNKNOWN) Gid: ( 1009/ UNKNOWN)
Access: 2022-11-16 16:04:12.991118753 +0000
Modify: 2022-11-16 16:04:06.495082135 +0000
Change: 2022-11-16 16:04:06.495082135 +0000
 Birth: 2022-11-16 16:04:06.491082113 +0000

Note Uid 2952, Gid 1009.

As util-linux does not have its own code to install anything into /usr/lib/debug, I'm assuming this is a problem in dh_dwz, but I might be wrong. In this case, please reassign and accept my apologies.

smcv pointed out that util-linux has Rules-Requires-Root: binary-targets, which may be a requisite of this bug appearing.

Thanks,
Chris
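
Added example, not part of the original report and not debhelper or dpkg code: a check that lists every data.tar entry in a .deb that is not owned by 0:0, which is the condition shown in the file list above. The function names and the in-memory sample package are assumptions constructed for illustration.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"

def deb_data_tar(deb: bytes) -> bytes:
    """Return the raw data.tar.* member of a .deb (an ar archive)."""
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(deb):
        header = deb[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii"))
        if name.startswith("data.tar"):
            return deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # ar members are 2-byte aligned
    raise ValueError("no data.tar member found")

def non_root_members(data_tar: bytes):
    """List (path, uid, gid) for every entry not owned by 0:0."""
    with tarfile.open(fileobj=io.BytesIO(data_tar), mode="r:*") as tar:
        return [(m.name, m.uid, m.gid) for m in tar if (m.uid, m.gid) != (0, 0)]

def constructed_deb() -> bytes:
    """Constructed sample: an ar archive holding only a data.tar.xz
    with one root-owned and one mis-owned directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for path, owner in (("./usr/lib/debug/.dwz", 0),
                            ("./usr/lib/debug/.dwz/i386-linux-gnu", 1111)):
            info = tarfile.TarInfo(path)
            info.type, info.mode = tarfile.DIRTYPE, 0o755
            info.uid = info.gid = owner
            tar.addfile(info)
    data = buf.getvalue()
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        b"data.tar.xz", 0, 0, 0, b"100644", len(data))
    return AR_MAGIC + hdr + data + (b"\n" if len(data) & 1 else b"")

if __name__ == "__main__":
    for path, uid, gid in non_root_members(deb_data_tar(constructed_deb())):
        print(f"{path}: uid={uid} gid={gid}")
```

To check a real package, pass the bytes of the .deb file to deb_data_tar() in place of the constructed sample.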