Source: nginx
Severity: serious
Version: 1.6.2-5+deb8u3

This was originally identified as a result of my own failure downstream in Ubuntu when applying the patches from Debian for CVE-2016-1247.
One of the things added was nginx-common.config. In this, the following set of code exists:

    log_symlinks_check() {
        # Skip new installations
        [ -z "$1" ] && return

        # Skip unaffected installations
        dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return

        # Check for unsecure symlinks
        linked_logfiles="` find "$logdir" -type l -user www-data -name '*.log' `"

        # Skip if nothing is found
        [ -z "$linked_logfiles" ] && return

        db_subst nginx/log-symlinks logfiles $linked_logfiles
        db_input high nginx/log-symlinks || true
        db_go || true
    }

This line will break all future version upgrades:

    dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return

What happens here is, say that the package is updated, and we have +deb8u4 then. Let's examine the error code we get from this:

    teward@debian:~$ dpkg --compare-versions 1.6.2-5+deb8u4 lt-nl 1.6.2-5+deb8u3; echo $?
    1

This error code is caught by `dpkg` and will ultimately die off with a failure code, like this (NOTE: +deb8u4 was a 'fake' package created by me from the nginx source code that has no changes between +deb8u3, it was just used to test the version bump issue):

    teward@debian:~$ sudo dpkg -i ./nginx-common_1.6.2-5+deb8u4_all.deb
    (Reading database ... 29849 files and directories currently installed.)
    Preparing to unpack .../nginx-common_1.6.2-5+deb8u4_all.deb ...
    Unpacking nginx-common (1.6.2-5+deb8u4) over (1.6.2-5+deb8u3) ...
    Setting up nginx-common (1.6.2-5+deb8u4) ...
    dpkg: error processing package nginx-common (--install):
     subprocess installed post-installation script returned error exit status 1
    Processing triggers for systemd (215-17+deb8u5) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Errors were encountered while processing:
     nginx-common

This prevents clean package updates.

The fix implemented downstream, considered a Security Regression update in Ubuntu, was to change the line referenced above to the following:

    dpkg --compare-versions "$1" lt-nl "1.6.2-5+deb8u3" || return 0

This will force an "OK" status code when the version check fails, and permit updating.

Please update this ASAP, *long before* we have to deal with this as a core problem in the package.

------
Thomas
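
The two guard lines side by side, as an added example that is not part of the original report or the nginx packaging. It assumes the maintainer script runs under `set -e`; `run_guard`, `version_lt`, `guard_buggy` and `guard_fixed` are hypothetical names, and `version_lt` stands in for the `dpkg --compare-versions` call so the script also runs where dpkg is absent.

```shell
#!/bin/sh
# Added example (constructed): a miniature maintainer script with the version
# guard from log_symlinks_check(), run in a child shell under `set -e`.
FIXED_IN="1.6.2-5+deb8u3"

# run_guard VARIANT OLD_VERSION -> exit status of the miniature script.
# VARIANT is "buggy" (|| return) or "fixed" (|| return 0).
run_guard() {
    sh -c '
        set -e
        # Stand-in for the dpkg call so the demo also runs without dpkg;
        # the sort -V fallback only approximates Debian version ordering.
        version_lt() {
            if command -v dpkg >/dev/null 2>&1; then
                dpkg --compare-versions "$1" lt-nl "$2"
            else
                [ "$1" != "$2" ] &&
                [ "$(printf "%s\n%s\n" "$1" "$2" | sort -V | head -n 1)" = "$1" ]
            fi
        }
        guard_buggy() {
            [ -z "$1" ] && return
            version_lt "$1" "$2" || return      # bare return passes on status 1
            :                                   # symlink scan would run here
        }
        guard_fixed() {
            [ -z "$1" ] && return
            version_lt "$1" "$2" || return 0    # unaffected version: report success
            :                                   # symlink scan would run here
        }
        "guard_$3" "$1" "$2"                    # under set -e a non-zero return ends the script
        exit 0
    ' sh "$2" "$FIXED_IN" "$1"
}

# Print the exit status of each variant for three upgrade paths.
demo() {
    for old in 1.6.2-5+deb8u2 1.6.2-5+deb8u3 1.6.2-5+deb8u4; do
        for variant in buggy fixed; do
            status=0
            run_guard "$variant" "$old" || status=$?
            echo "$variant, upgrading from $old: exit $status"
        done
    done
}
demo
```

Upgrades from a version older than the fixed one pass in both variants, which is why the bare `return` only shows up on the first upgrade after the security update.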