Package: clonezilla
Version: 5.8.7-1
Severity: important
Tags: patch

I'm sorry to tell you that the /usr-move fallout is not over. The use of the --rename flag was wrong in many M18 mitigations. Refer to https://lists.debian.org/debian-devel/2025/01/msg00125.html for details.
Whilst I was not able to reproduce issues for clonezilla, I recognized the bad pattern and other defects. https://sources.debian.org/src/clonezilla/5.8.7-1/setup/files/ocs/live-hook/ocs-live-hook-functions/#L306 removes the canonicalized diversion again whereas the file being referenced two lines earlier hints at an aliased diversion. It should also be noted that the existence of /usr/sbin/start-stop-daemon.distrib may indicate the existence of an aliased diversion (in bookworm) or a canonicalized diversion (in trixie), so the code likely does not work for bookworm. I suppose this is ok-ish.

When restoring the diversions, we may restore /usr/sbin/start-stop-daemon before adding the /sbin/start-stop-daemon diversion using --rename. This is exactly the pattern that led to the investigation and will move the replacement file. A better pattern is to first do both diversions and then set up the replacement file.

I am attaching an updated debian/patches/fix_usr_merge.patch, but I have not figured out how to test it. Keep your fingers crossed. Given that nobody else noticed, this code may as well be dead code.

Helmut
--- clonezilla-5.8.7.orig/setup/files/ocs/live-hook/ocs-live-hook-functions +++ clonezilla-5.8.7/setup/files/ocs/live-hook/ocs-live-hook-functions @@ -275,12 +275,12 @@ # By doing apt-get --purge remove cdebootstrap-helper-diverts, it will # Removing `diversion of /sbin/start-stop-daemon to /sbin/start-stop-daemon.REAL by cdebootstrap-helper-diverts' # Removing `diversion of /usr/sbin/invoke-rc.d to /usr/sbin/invoke-rc.d.REAL by cdebootstrap-helper-diverts' - if [ -e /sbin/start-stop-daemon.REAL ]; then + if [ -e /usr/sbin/start-stop-daemon.REAL ]; then apt-get -y --purge remove cdebootstrap-helper-diverts fi # For live-build v2.x, the file name is /sbin/start-stop-daemon.orig, and no more cdebootstrap-helper-diverts in lb_chroot_dpkg. We just restore it. Otherwise the file start-stop-daemon copied to /tftpboot/node_root/sbin/ will be the temp fake one. - if [ -e /sbin/start-stop-daemon.orig ]; then - mv -v /sbin/start-stop-daemon.orig /sbin/start-stop-daemon + if [ -e /usr/sbin/start-stop-daemon.orig ]; then + mv -v /usr/sbin/start-stop-daemon.orig /sbin/start-stop-daemon fi # For live-build v3.x, the file name is renamed as start-stop-daemon.distrib by # dpkg-divert in /usr/lib/live/build/chroot_dpkg: 
@@ -312,6 +312,15 @@ set_start_stop_daemon_diverts(){ # For live-build v3.x, after drblpush, we have to revert the status to fake, temp one, so the rest of chroot_dpkg command won't remove the real /sbin/start-stop-daemon. # Ref: /usr/lib/live/build/chroot_dpkg + # begin-remove-after: released:trixie + if [ "$lb_3_start_stop_daemon_revert_aliased_flag" = "true" ]; then + if dpkg -D /sbin/start-stop-daemon >/dev/null 2>&1; then + dpkg-divert --rename --add --divert /sbin/start-stop-daemon.distrib.usr-is-merged /sbin/start-stop-daemon + else + dpkg-divert --no-rename --add --divert /sbin/start-stop-daemon.distrib.usr-is-merged /sbin/start-stop-daemon + fi + fi + # end-remove-after if [ "$lb_3_start_stop_daemon_revert_flag" = "true" ]; then dpkg-divert --rename --add /usr/sbin/start-stop-daemon cat > /usr/sbin/start-stop-daemon << EOF @@ -322,8 +331,7 @@ chmod 755 /usr/sbin/start-stop-daemon fi # begin-remove-after: released:trixie - if [ "$lb_3_start_stop_daemon_revert_aliased_flag" = "true" ]; then - dpkg-divert --rename --add --divert /sbin/start-stop-daemon.distrib.usr-is-merged /sbin/start-stop-daemon + if [ "$lb_3_start_stop_daemon_revert_aliased_flag" = "true" ] && [ "$lb_3_start_stop_daemon_revert_flag" != "true" ]; then cat > /sbin/start-stop-daemon << EOF #!/bin/sh @@ -405,6 +413,7 @@ UDEV_END update_initramfs_flag="yes" fi + # end-remove-after } # append_framebuffer_modules_if_necessary() {
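Review bot: In the hunk at @@ -275, the paths are now mixed: the tests and the mv source use /usr/sbin/start-stop-daemon.REAL and /usr/sbin/start-stop-daemon.orig, but the mv destination is still /sbin/start-stop-daemon, and the two comment lines above ("file name is /sbin/start-stop-daemon.orig", "copied to /tftpboot/node_root/sbin/") still describe the aliased location. On a merged-/usr system the destination resolves to the same file, so this works, but writing `mv -v /usr/sbin/start-stop-daemon.orig /usr/sbin/start-stop-daemon` and updating the comment would make the canonical-path intent explicit and avoid a future "fix" that re-introduces the aliased name.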
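Review bot: In the hunk at @@ -312, the new test `dpkg -D /sbin/start-stop-daemon >/dev/null 2>&1` cannot do what the branch structure implies: -D is dpkg's --debug option and takes an octal mask, so given a path it exits with a usage error on every system, and the `--no-rename` branch is always taken while the `--rename` branch is dead. If the intent is to choose --rename only when a package still owns the aliased path (as the distinction between bookworm and trixie in the report suggests), the ownership query is `dpkg -S /sbin/start-stop-daemon`; please correct the option or drop the branch in favour of the unconditional `--no-rename` form.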
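Review bot: The hunk at @@ -405 adds a third `# end-remove-after` before the closing brace of set_start_stop_daemon_diverts, yet the hunk at @@ -312 already opens and closes its own begin/end pair and the existing `# begin-remove-after: released:trixie` at @@ -322 is left in place with whatever closer it had before. Please check that the markers pair up after the patch; an unbalanced pair will confuse the post-trixie cleanup this annotation exists for, and if the @@ -322 block's original closer still exists the new one at @@ -405 is redundant.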