The named maintainer script appears to call
chown with a
-R argument, or
find(1) with similar intent.
All such uses are vulnerable to hardlink attacks on mainline (i.e.
non-Debian) kernels that do not set
The security risk arises when when a non-privileged user set links
to files they do not own, such as such as
/var/lib/dpkg/. A superuser's recursive call to
chmod on behalf of a role user account
would then modify the non-owned files in ways that allow the
non-privileged user to manipulate them later.
There are several ways to mitigate the issue in maintainer scripts:
- For a static role user, please call
chownat build time and not during the installation.
- If that is too complicated, use
runuser(1)in the relevant build parts to create files with correct ownership.
- Given a static list of files to change, use non-recursive calls
for each file. (Please do not generate the list with
For more information please consult:
The tag is present in Lintian version
That is the most recent version we know about.
We use semantic versions.
The patch number is a commit step indicator relative to the
release tag in our Git
You can find the detection logic for this version at commit d219a5a. For merge requests, please use the latest version in the Lintian check scripts.