Debian Bug report logs - #858521

diaspora-common: does 'rm -rf /' on purge

Reported by: Andreas Beckmann <anbe@debian.org> Date: Thu, 23 Mar 2017 01:21:02 UTC Severity: critical Found in version diaspora-installer/0.6.3.0+debian3 Fixed in version diaspora-installer/0.6.3.0+debian4 Done: Pirate Praveen <praveen@onenetbeyond.org> Bug is archived. No further changes may be made.

Toggle useless messages

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> :

Bug#858521 ; Package diaspora-common . (Thu, 23 Mar 2017 01:21:05 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Beckmann <anbe@debian.org> :

New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> . (Thu, 23 Mar 2017 01:21:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andreas Beckmann <anbe@debian.org> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: diaspora-common: does 'rm -rf /' on purge Date: Thu, 23 Mar 2017 02:17:28 +0100

Package: diaspora-common Version: 0.6.3.0+debian3 Severity: critical Justification: breaks the whole system User: debian-qa@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package makes havoc in the chroot. >From the attached log (scroll to the bottom...): 1m47.3s DEBUG: Starting command: ['chroot', '/tmp/piupartss/tmpOwZDY2', 'dpkg', '--purge', 'diaspora-common'] 1m48.1s DUMP: (Reading database ... 4707 files and directories currently installed.) Purging configuration files for diaspora-common (0.6.3.0+debian3) ... /var/lib/dpkg/info/diaspora-common.postrm: 63: /var/lib/dpkg/info/diaspora-common.postrm: rm: not found dpkg: error processing package diaspora-common (--purge): subprocess installed post-removal script returned error exit status 127 Errors were encountered while processing: diaspora-common 1m48.1s DEBUG: Command failed (status=1), but ignoring error: ['chroot', '/tmp/piupartss/tmpOwZDY2', 'dpkg', '--purge', 'diaspora-common'] 1m48.1s INFO: Running scripts post_purge 1m48.1s DEBUG: Starting command: ['chroot', '/tmp/piupartss/tmpOwZDY2', 'tmp/scripts/post_purge_exceptions'] 1m48.1s DUMP: chroot: failed to run command 'tmp/scripts/post_purge_exceptions': No such file or directory 1m48.1s ERROR: Command failed (status=127): ['chroot', '/tmp/piupartss/tmpOwZDY2', 'tmp/scripts/post_purge_exceptions'] This very much looks like an 'rm -rf /' in the chroot ... rm is gone, sh is gone, ... cheers, Andreas

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> :

Bug#858521 ; Package diaspora-common . (Thu, 23 Mar 2017 07:57:05 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Henriksson <andreas@fatal.se> :

Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> . (Thu, 23 Mar 2017 07:57:05 GMT) (full text, mbox, link).

Message #10 received at 858521@bugs.debian.org (full text, mbox, reply):

From: Andreas Henriksson <andreas@fatal.se> To: Andreas Beckmann <anbe@debian.org> Cc: 858521@bugs.debian.org Subject: Re: diaspora-common: does 'rm -rf /' on purge Date: Thu, 23 Mar 2017 08:52:29 +0100

Hello! On Thu, Mar 23, 2017 at 02:17:28AM +0100, Andreas Beckmann wrote: > Package: diaspora-common > Version: 0.6.3.0+debian3 > Severity: critical > Justification: breaks the whole system > User: debian-qa@lists.debian.org > Usertags: piuparts > > Hi, > > during a test with piuparts I noticed your package makes havoc in the > chroot. [...] > This very much looks like an 'rm -rf /' in the chroot ... rm is gone, sh is gone, ... Looks like it does 'rm -rf /bin' to me. Here's a completely untested patch which should hopefully prevent disaster. Testing help welcome. The package is still very likely RC buggy though. This patch just tries to avoid the disaster of hosing the system. (Consider for example the case where you already have a user named "diaspora", making the install fail and then disaster again strikes when you try to remove/purge your way out of the failed install removing the user and all its data. Just one example out of many. Nowhere does it seem to account for conffiles having been removed by the admin as another example. These maintainer scripts are just waaaaaay to buggy/unreliable.) HTH Regards, Andreas Henriksson

Reply sent to Pirate Praveen <praveen@onenetbeyond.org> :

You have taken responsibility. (Thu, 23 Mar 2017 14:39:06 GMT) (full text, mbox, link).

Notification sent to Andreas Beckmann <anbe@debian.org> :

Bug acknowledged by developer. (Thu, 23 Mar 2017 14:39:06 GMT) (full text, mbox, link).

Message #15 received at 858521-done@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@onenetbeyond.org> To: 858521-done@bugs.debian.org Cc: "N:" <control@bugs.debian.org> Subject: fixed in diaspora-installer/0.6.3.0+debian4 Date: Thu, 23 Mar 2017 20:05:58 +0530

fixed -1 diaspora-installer/0.6.3.0+debian4

Marked as fixed in versions diaspora-installer/0.6.3.0+debian4. Request was from Pirate Praveen <praveen@onenetbeyond.org> to control@bugs.debian.org . (Thu, 23 Mar 2017 14:45:04 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org . (Fri, 21 Apr 2017 07:26:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.