Package: debian-security-support
Version: 1:12+2025.05.10
Severity: important
Hello there,
check-security-support doesn't identify binary packages whose version is
different from the source package's. A particular case is binNMU'ed
packages. For example, buildah is currently installed on my bookworm
machine. The dpkg-query used by check-security-support returns this:
install ok installed buildah 1.28.2+ds1-3+deb12u1+b1 golang-github-containers-buildah (1.28.2+ds1-3+deb12u1)
And the grep call [1] used to compare the list of installed packages
against those listed in one of the files expects to match the whole line
(-x), the line being the third element of "binary version source". The
source is "golang-github-containers-buildah (1.28.2+ds1-3+deb12u1)" in the
buildah case.
[1]
https://salsa.debian.org/debian/debian-security-support/-/blob/2c7aecdb3a19751f578269256491c86e0dd4dbf0/check-support-status.in#L182
I wonder if the following change would be enough and safe:
diff --git a/check-support-status.in b/check-support-status.in
index 26660c8..f65bed7 100755
--- a/check-support-status.in
+++ b/check-support-status.in
@@ -160,7 +160,7 @@ trap "rm -rf '$TEMPDIR'" 0
# Get list of installed packages
INSTALLED_LIST="$TEMPDIR/installed"
-LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${Source}\n' |
+LC_ALL=C [% DPKG_QUERY %] --show --showformat '${Status}\t${binary:Package}\t${Version}\t${source:Package}\n' |
[% AWK %] '($1=="install"){print}' |
[% AWK %] -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}' >"$INSTALLED_LIST"
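Review bot: on the unchanged awk line that closes this hunk, the `$4==""` fallback to `$2` exists because `${Source}` is empty when the source and binary package names coincide; `${source:Package}` already falls back to the binary package name, so that branch should no longer be reached and the awk step could be reduced to printing `$2"\t"$3"\t"$4`, or kept with a comment saying it is only a safety net. Separately, the version column still comes from `${Version}`, which for a binNMU carries the `+b1` suffix shown in the report, so it is worth confirming whether any later comparison of that column expects the source version instead.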
And I will continue to handle this tomorrow.
Cheers,
-- Santiago
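An added example, not part of the original report or of check-support-status: a simplified model of the whole-line comparison described above, run over constructed dpkg-query output, showing that a binNMU'ed package is missed with `${Source}` and found with `${source:Package}`. The sample rows, the `dash` entry, the listed source name and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample rows: status, binary package, version, source field.

# Rows as produced with ${Source}: the field carries " (version)" when the
# binary version differs from the source version, and is empty when the
# source and binary names are the same.
sample_with_source() {
    printf '%s\t%s\t%s\t%s\n' 'install ok installed' buildah \
        '1.28.2+ds1-3+deb12u1+b1' \
        'golang-github-containers-buildah (1.28.2+ds1-3+deb12u1)'
    printf '%s\t%s\t%s\t%s\n' 'install ok installed' dash '0.5.12-2' ''
}

# Rows as produced with ${source:Package}: always the bare source name.
sample_with_source_package() {
    printf '%s\t%s\t%s\t%s\n' 'install ok installed' buildah \
        '1.28.2+ds1-3+deb12u1+b1' 'golang-github-containers-buildah'
    printf '%s\t%s\t%s\t%s\n' 'install ok installed' dash '0.5.12-2' 'dash'
}

# Same awk post-processing as in the quoted hunk: "binary version source".
to_installed_list() {
    awk '($1=="install"){print}' |
    awk -F'\t' '{if($4==""){print $2"\t"$3"\t"$2}else{print $2"\t"$3"\t"$4}}'
}

# Simplified stand-in for the grep -x comparison: how many installed rows
# have a source column that equals the listed name as a whole line.
# $1 = installed-list text, $2 = source name taken from a support list.
count_matches() {
    printf '%s\n' "$1" | awk -F'\t' '{print $3}' | grep -Fxc -- "$2" || true
}

LISTED='golang-github-containers-buildah'   # constructed list entry
old=$(sample_with_source | to_installed_list)
new=$(sample_with_source_package | to_installed_list)
printf '%-18s %s match(es)\n' '${Source}:' "$(count_matches "$old" "$LISTED")"
printf '%-18s %s match(es)\n' '${source:Package}:' "$(count_matches "$new" "$LISTED")"
```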