Forum: >>> Magnum BBS <<<

Possible workaround/fix for usrmerge issues with dpkg-query -S (#858331

From Eric de Ruiter@21:1/5 to All on Sat Jul 8 16:00:02 2023

Hi,

Last week I discovered an issue with dpkg-query -S and the usrmerge
with the phpmyadmin docker container; I proposed a fix for the
phpmyadmin container and it turned out a lot of other containers have
the same pattern and were likewise affected by this (see https://github.com/docker-library/official-images/pull/14960)

The rootcause of the issue is that dpkg-query -S only supports
searching on the paths that listed in the package; it does not
know/care about symlinks; so with the usrmerge /lib and /usr/lib are
now the same; but some libs install to /lib while others install to
/usr/lib. This causes issues with scripts that rely on dpkg-query -S
to find out the package an installed library belongs to. Especially if
you try to find the package of a dependency with ldd and dpkg-query -S
(as ldd will prefer the /lib entry it finds)

I proposed a workaround/fix for this in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848622#27 and I now
have a proof of concept implementation of this.

The idea is simple: if you specify you want to match on realpath (for
now by prefixing the path with "realpath:"); it will search for files
matching the basename of the given path and does an extra check to
only return matches where the realpath of the given path will match
the realpath of the partial match it found.
This way you minimize the number of realpath calls that need to be
done and don't need to hardcode any path mappings into dpkg-query.

I don't think this implementation is particularly pretty (especially
the "realpath:" prefix to trigger it); but this was the easiest way
for me to prototype this.
It is meant as a starting point for the conversation if this is
something you'd consider supporting in dpkg-query; I am happy to make
any changes based on your suggestions.

I have attached the patch; but also have a github repo available: https://github.com/ederuiter/dpkg/tree/fix/bug-848622-realpath

--
Best regards,

Eric de Ruiter

RnJvbSAyMjRlNWJmNTM0NWQ2ZmRjMmJiNmQ4NjVjNDRhNzVhYzkyYWU0NjJlIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBFcmljIGRlIFJ1aXRlciA8ZXJpY0B0aGlzaXNkZXZlbG9wbWVu dC5ubD4KRGF0ZTogU2F0LCA4IEp1bCAyMDIzIDEzOjA2OjQ5ICswMjAwClN1YmplY3Q6IFtQQVRD SF0gW1dJUF0gcHJvb2Ytb2YtY29uY2VwdCBpbXBsZW1lbnRhdGluIGZvciByZWFscGF0aCBzdXBw b3J0IGluCiBkcGtnLXF1ZXJ5IC1TIChmaXhlcyAjODQ4NjIyICYgIzg1ODMzMSkKCi0tLQogc3Jj L3F1ZXJ5L21haW4uYyB8IDQxICsrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysr KysrCiAxIGZpbGUgY2hhbmdlZCwgNDEgaW5zZXJ0aW9ucygrKQoKZGlmZiAtLWdpdCBhL3NyYy9x dWVyeS9tYWluLmMgYi9zcmMvcXVlcnkvbWFpbi5jCmluZGV4IDI0ZGNjYzhjNC4uYzdjZTYwZjRh IDEwMDY0NAotLS0gYS9zcmMvcXVlcnkvbWFpbi5jCisrKyBiL3NyYy9xdWVyeS9tYWluLmMKQEAg LTMzMSw2ICszMzEsNDMgQEAgc2VhcmNob3V0cHV0KHN0cnVjdCBmc3lzX25hbWVub2RlICpuYW1l bm9kZSkKICAgcmV0dXJuIGZvdW5kICsgKG5hbWVub2RlLT5kaXZlcnQgPyAxIDogMCk7CiB9CiAK K3N0YXRpYyBpbnQKK3NlYXJjaGZpbGVfcmVhbHBhdGgoY29uc3QgY2hhciAqZmlsZSkKK3sKKyAg c3RydWN0IGZzeXNfaGFzaF9pdGVyICppdGVyOworICBjaGFyICpyZWFsLCAqcmVzb2x2ZWQsICpu YW1lbm9kZV9yZWFsOworICBzdHJ1Y3QgdmFyYnVmIHBhdGggPSBWQVJCVUZfSU5JVDsKKyAgc3Ry dWN0IGZzeXNfbmFtZW5vZGUgKm5hbWVub2RlOworICBpbnQgZm91bmQgPSAwOworCisgIHZhcmJ1 Zl9yZXNldCgmcGF0aCk7CisgIHZhcmJ1Zl9hZGRfc3RyKCZwYXRoLCAiKi8iKTsKKyAgdmFyYnVm X2FkZF9zdHIoJnBhdGgsIHBhdGhfYmFzZW5hbWUoZmlsZSkpOworICB2YXJidWZfZW5kX3N0cigm cGF0aCk7CisKKyAgcmVhbCA9IHJlYWxwYXRoKGZpbGUsIE5VTEwpOworICBpZiAocmVhbCA9PSBO VUxMKSB7CisgICAgbm90aWNlKF8oInVuYWJsZSB0byBnZXQgcmVhbHBhdGggb2YgJXM7IHJlc3Vs dHMgbWlnaHQgbm90IGJlIGNvbXBsZXRlIiksIGZpbGUpOworICAgIHJldHVybiBmb3VuZDsKKyAg fQorICBpdGVyID0gZnN5c19oYXNoX2l0ZXJfbmV3KCk7CisgIHJlc29sdmVkID0gbWFsbG9jKFBB VEhfTUFYKTsKKyAgd2hpbGUgKChuYW1lbm9kZSA9IGZzeXNfaGFzaF9pdGVyX25leHQoaXRlcikp ICE9IE5VTEwpIHsKKyAgICBpZiAoZm5tYXRjaChwYXRoLmJ1ZixuYW1lbm9kZS0+bmFtZSwwKSkg Y29udGludWU7CisgICAgbmFtZW5vZGVfcmVhbCA9IHJlYWxwYXRoKG5hbWVub2RlLT5uYW1lLCBy ZXNvbHZlZCk7CisgICAgaWYgKG5hbWVub2RlX3JlYWwgPT0gTlVMTCkgeworICAgICAgbm90aWNl KF8oInVuYWJsZSB0byBnZXQgcmVhbHBhdGggb2YgJXM7IHJlc3VsdHMgbWlnaHQgbm90IGJlIGNv bXBsZXRlIiksIG5hbWVub2RlLT5uYW1lKTsKKyAgICB9CisgICAgaWYgKHN0cmNtcChyZWFsLCBu YW1lbm9kZV9yZWFsKSAhPSAwKSBjb250aW51ZTsKKyAgICBmb3VuZCs9IHNlYXJjaG91dHB1dChu YW1lbm9kZSk7CisgIH0KKyAgZnN5c19oYXNoX2l0ZXJfZnJlZShpdGVyKTsKKyAgZnJlZShyZWFs KTsKKyAgZnJlZShyZXNvbHZlZCk7CisgIHZhcmJ1Zl9kZXN0cm95KCZwYXRoKTsKKyAgcmV0dXJu IGZvdW5kOworfQorCiBzdGF0aWMgaW50CiBzZWFyY2hmaWxlcyhjb25zdCBjaGFyICpjb25zdCAq YXJndikKIHsKQEAgLTM1MCw2ICszODcsOSBAQCBzZWFyY2hmaWxlcyhjb25zdCBjaGFyICpjb25z dCAqYXJndikKICAgICBzdHJ1Y3QgZnN5c19uYW1lbm9kZSAqbmFtZW5vZGU7CiAgICAgaW50IGZv dW5kID0gMDsKIAorICAgIGlmIChzdHJuY21wKHRoaXNhcmcsICJyZWFscGF0aDoiLCA5KSA9PSAw KSB7CisgICAgICBmb3VuZCArPSBzZWFyY2hmaWxlX3JlYWxwYXRoKCZ0aGlzYXJnWzldKTsKKyAg ICB9IGVsc2UgewogICAgIGlmICghc3RyY2hyKCIqWz8vIiwqdGhpc2FyZykpIHsKICAgICAgIHZh cmJ1Zl9yZXNldCgmdmIpOwogICAgICAgdmFyYnVmX2FkZF9jaGFyKCZ2YiwgJyonKTsKQEAgLTM3 OCw2ICs0MTgsNyBAQCBzZWFyY2hmaWxlcyhjb25zdCBjaGFyICpjb25zdCAqYXJndikKICAgICAg IH0KICAgICAgIGZzeXNfaGFzaF9pdGVyX2ZyZWUoaXRlcik7CiAgICAgfQorICAgIH0KICAgICBp ZiAoIWZvdW5kKSB7CiAgICAgICBub3RpY2UoXygibm8gcGF0aCBmb3VuZCBtYXRjaGluZyBwYXR0 ZXJuICVzIiksIHRoaXNhcmcpOwogICAgICAgZmFpbHVyZXMrKzsKLS0gCjIuMjUuMQoK

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Simon Richter@21:1/5 to Eric de Ruiter on Mon Jul 10 04:50:01 2023

Hi,

On 7/8/23 22:55, Eric de Ruiter wrote:

The idea is simple: if you specify you want to match on realpath (for
now by prefixing the path with "realpath:"); it will search for files matching the basename of the given path and does an extra check to
only return matches where the realpath of the given path will match
the realpath of the partial match it found.

We mostly need to define an API here. The interesting callers do stuff like

$ dpkg -S /lib/x86_64-linux-gnu/libselinux.so.1
/lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libpcre2-8.so.0 libselinux1:amd64: /lib/x86_64-linux-gnu/libselinux.so.1
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
dpkg-query: no path found matching pattern /lib/x86_64-linux-gnu/libpcre2-8.so.0

so multiple file names in a single call, and probably expect the same
file name to be returned to match the response back to the query.

We'd need a new format, for example like

libc6:amd64: /usr/lib/x86_64-linux-gnu/libc.so.6 (/lib/x86_64-linux-gnu/libc.so.6)

and a flag to enable that format, for clients to use. I haven't invested
much time into that yet, my expectation is that the aliasing
infrastructure I've put into the backend handles this nicely, but the
frontend is something that needs to be coordinated.

Simon

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Eric de Ruiter@21:1/5 to All on Mon Jul 10 11:30:01 2023

Hi Simon,

so multiple file names in a single call, and probably expect the same
file name to be returned to match the response back to the query.

We'd need a new format, for example like

libc6:amd64: /usr/lib/x86_64-linux-gnu/libc.so.6 (/lib/x86_64-linux-gnu/libc.so.6)

What if we return it in the existing format; but just output the "real" filename you supplied if it matches via the realpath.
So for your example it would be:

libselinux1:amd64: /lib/x86_64-linux-gnu/libselinux.so.1
libc6:amd64: /lib/x86_64-linux-gnu/libc.so.6
libpcre2-8-0:amd64: /lib/x86_64-linux-gnu/libpcre2-8.so.0

In the attached patch I have implemented the change to output the
"real" path and also changed the realpath search to not require an
extra argument; but instead just use it as a fallback when no match
is found with the normal path lookup. This way the realpath change
is transparent and all existing callers benefit from this change.

I think that transparency is important as a lot of container builds are dependent on this. For example look at this github search: https://github.com/search?q=%22dpkg-query+-S%22&type=code
to get an idea about the number of users of dpkg-query -S
(yes a lot of the matches are dpkg-query -s as the search is case
in-sensitive; but still a quite long list that are potentially impacted by #858331 / #848622)

--
Best regards,

Eric de Ruiter

ZGlmZiAtLWdpdCBhL3NyYy9xdWVyeS9tYWluLmMgYi9zcmMvcXVlcnkvbWFpbi5jCmluZGV4IDI0 ZGNjYzhjNC4uY2FmMDUwNGM1IDEwMDY0NAotLS0gYS9zcmMvcXVlcnkvbWFpbi5jCisrKyBiL3Ny Yy9xdWVyeS9tYWluLmMKQEAgLTI5NCw3ICsyOTQsNyBAQCBsaXN0cGFja2FnZXMoY29uc3QgY2hh ciAqY29uc3QgKmFyZ3YpCiB9CiAKIHN0YXRpYyBpbnQKLXNlYXJjaG91dHB1dChzdHJ1Y3QgZnN5 c19uYW1lbm9kZSAqbmFtZW5vZGUpCitzZWFyY2hvdXRwdXQoc3RydWN0IGZzeXNfbmFtZW5vZGUg Km5hbWVub2RlLCBjb25zdCBjaGFyICpyZWFscGF0aCkKIHsKICAgc3RydWN0IGZzeXNfbm9kZV9w a2dzX2l0ZXIgKml0ZXI7CiAgIHN0cnVjdCBwa2dpbmZvICpwa2dfb3duZXI7CkBAIC0zMjcsMTAg KzMyNyw0NyBAQCBzZWFyY2hvdXRwdXQoc3RydWN0IGZzeXNfbmFtZW5vZGUgKm5hbWVub2RlKQog ICB9CiAgIGZzeXNfbm9kZV9wa2dzX2l0ZXJfZnJlZShpdGVyKTsKIAotICBpZiAoZm91bmQpIHBy aW50ZigiOiAlc1xuIixuYW1lbm9kZS0+bmFtZSk7CisgIGlmIChmb3VuZCkgcHJpbnRmKCI6ICVz XG4iLHJlYWxwYXRoID8gcmVhbHBhdGggOiBuYW1lbm9kZS0+bmFtZSk7CiAgIHJldHVybiBmb3Vu ZCArIChuYW1lbm9kZS0+ZGl2ZXJ0ID8gMSA6IDApOwogfQogCitzdGF0aWMgaW50CitzZWFyY2hm aWxlX3JlYWxwYXRoKGNvbnN0IGNoYXIgKmZpbGUpCit7CisgIHN0cnVjdCBmc3lzX2hhc2hfaXRl ciAqaXRlcjsKKyAgY2hhciAqcmVhbCwgKnJlc29sdmVkLCAqbmFtZW5vZGVfcmVhbDsKKyAgc3Ry dWN0IHZhcmJ1ZiBwYXRoID0gVkFSQlVGX0lOSVQ7CisgIHN0cnVjdCBmc3lzX25hbWVub2RlICpu YW1lbm9kZTsKKyAgaW50IGZvdW5kID0gMDsKKworICB2YXJidWZfcmVzZXQoJnBhdGgpOworICB2 YXJidWZfYWRkX3N0cigmcGF0aCwgIiovIik7CisgIHZhcmJ1Zl9hZGRfc3RyKCZwYXRoLCBwYXRo X2Jhc2VuYW1lKGZpbGUpKTsKKyAgdmFyYnVmX2VuZF9zdHIoJnBhdGgpOworCisgIHJlYWwgPSBy ZWFscGF0aChmaWxlLCBOVUxMKTsKKyAgaWYgKHJlYWwgPT0gTlVMTCkgeworICAgIG5vdGljZShf KCJ1bmFibGUgdG8gZ2V0IHJlYWxwYXRoIG9mICVzOyByZXN1bHRzIG1pZ2h0IG5vdCBiZSBjb21w bGV0ZSIpLCBmaWxlKTsKKyAgICByZXR1cm4gZm91bmQ7CisgIH0KKyAgaXRlciA9IGZzeXNfaGFz aF9pdGVyX25ldygpOworICByZXNvbHZlZCA9IG1hbGxvYyhQQVRIX01BWCk7CisgIHdoaWxlICgo bmFtZW5vZGUgPSBmc3lzX2hhc2hfaXRlcl9uZXh0KGl0ZXIpKSAhPSBOVUxMKSB7CisgICAgaWYg KGZubWF0Y2gocGF0aC5idWYsbmFtZW5vZGUtPm5hbWUsMCkpIGNvbnRpbnVlOworICAgIG5hbWVu b2RlX3JlYWwgPSByZWFscGF0aChuYW1lbm9kZS0+bmFtZSwgcmVzb2x2ZWQpOworICAgIGlmIChu YW1lbm9kZV9yZWFsID09IE5VTEwpIHsKKyAgICAgIG5vdGljZShfKCJ1bmFibGUgdG8gZ2V0IHJl YWxwYXRoIG9mICVzOyByZXN1bHRzIG1pZ2h0IG5vdCBiZSBjb21wbGV0ZSIpLCBuYW1lbm9kZS0+ bmFtZSk7CisgICAgfQorICAgIGlmIChzdHJjbXAocmVhbCwgbmFtZW5vZGVfcmVhbCkgIT0gMCkg Y29udGludWU7CisgICAgZm91bmQgKz0gc2VhcmNob3V0cHV0KG5hbWVub2RlLCBmaWxlKTsKKyAg fQorICBmc3lzX2hhc2hfaXRlcl9mcmVlKGl0ZXIpOworICBmcmVlKHJlYWwpOworICBmcmVlKHJl c29sdmVkKTsKKyAgdmFyYnVmX2Rlc3Ryb3koJnBhdGgpOworICByZXR1cm4gZm91bmQ7Cit9CisK IHN0YXRpYyBpbnQKIHNlYXJjaGZpbGVzKGNvbnN0IGNoYXIgKmNvbnN0ICphcmd2KQogewpAQCAt MzY3LDE0ICs0MDQsMTcgQEAgc2VhcmNoZmlsZXMoY29uc3QgY2hhciAqY29uc3QgKmFyZ3YpCiAg ICAgICB2YXJidWZfdHJ1bmMoJnBhdGgsIHBhdGhfdHJpbV9zbGFzaF9zbGFzaGRvdChwYXRoLmJ1 ZikpOwogCiAgICAgICBuYW1lbm9kZSA9IGZzeXNfaGFzaF9maW5kX25vZGUocGF0aC5idWYsIDAp OwotICAgICAgZm91bmQgKz0gc2VhcmNob3V0cHV0KG5hbWVub2RlKTsKKyAgICAgIGZvdW5kICs9 IHNlYXJjaG91dHB1dChuYW1lbm9kZSwgTlVMTCk7CisgICAgICBpZiAoIWZvdW5kKSB7CisgICAg ICAgICAgZm91bmQgKz0gc2VhcmNoZmlsZV9yZWFscGF0aChwYXRoLmJ1Zik7CisgICAgICB9CiAg ICAgfSBlbHNlIHsKICAgICAgIHN0cnVjdCBmc3lzX2hhc2hfaXRlciAqaXRlcjsKIAogICAgICAg aXRlciA9IGZzeXNfaGFzaF9pdGVyX25ldygpOwogICAgICAgd2hpbGUgKChuYW1lbm9kZSA9IGZz eXNfaGFzaF9pdGVyX25leHQoaXRlcikpICE9IE5VTEwpIHsKICAgICAgICAgaWYgKGZubWF0Y2go dGhpc2FyZyxuYW1lbm9kZS0+bmFtZSwwKSkgY29udGludWU7Ci0gICAgICAgIGZvdW5kKz0gc2Vh cmNob3V0cHV0KG5hbWVub2RlKTsKKyAgICAgICAgZm91bmQgKz0gc2VhcmNob3V0cHV0KG5hbWVu b2RlLCBOVUxMKTsKICAgICAgIH0KICAgICAgIGZzeXNfaGFzaF9pdGVyX2ZyZWUoaXRlcik7CiAg ICAgfQo=

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Keyop
  Sun May 5 19:26:27 2024
  from Huddersfield, West Yorkshire via SSH
- Keyop
  Sun May 5 19:26:11 2024
  from Huddersfield, West Yorkshire via SSH
- Bob Worm
  Mon May 6 11:44:29 2024
  from Wales, Uk via Telnet
- Bob Worm
  Tue May 7 09:06:52 2024
  from Wales, Uk via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	300
Nodes:	16 (2 / 14)
Uptime:	40:52:07
Calls:	6,708
Calls today:	1
Files:	12,243
Messages:	5,353,727

Possible workaround/fix for usrmerge issues with dpkg-query -S (#858331

Who's Online

Recent Visitors

System Info