Bug#694368: libfuzzy{2, -dev}: missing Breaks+Replaces: ssdeep (<< 2.6)

Andreas Beckmann debian at abeckmann.de
Sun Nov 25 21:20:33 UTC 2012


Package: libfuzzy2,libfuzzy-dev
Version: 2.6-1
Severity: serious
User: treinen at debian.org
Usertags: edos-file-overwrite

Architecture: amd64
Distribution: squeeze->wheezy (partial) upgrade

Hi,

automatic installation tests of packages that share a file and at the
same time do not conflict by their package dependency relationships have
detected the following problem:

  Selecting previously deselected package ssdeep.
  (Reading database ... 6286 files and directories currently installed.)
  Unpacking ssdeep (from .../ssdeep_2.5-1_amd64.deb) ...
  Setting up ssdeep (2.5-1) ...

  Selecting previously deselected package libfuzzy2.
  (Reading database ... 6359 files and directories currently installed.)
  Unpacking libfuzzy2 (from .../libfuzzy2_2.7-1_amd64.deb) ...
  dpkg: error processing /var/cache/apt/archives/libfuzzy2_2.7-1_amd64.deb (--unpack):
   trying to overwrite '/usr/lib/libfuzzy.so.2.0.0', which is also in package ssdeep 2.5-1

  Selecting previously deselected package libfuzzy-dev.
  Unpacking libfuzzy-dev (from .../libfuzzy-dev_2.7-1_amd64.deb) ...
  dpkg: error processing /var/cache/apt/archives/libfuzzy-dev_2.7-1_amd64.deb (--unpack):
   trying to overwrite '/usr/include/fuzzy.h', which is also in package ssdeep 2.5-1


This is a serious bug as it makes installation/upgrade fail, and
violates sections 7.6.1 and 10.1 of the policy.

As this problem can be demonstrated during partial upgrades from squeeze
to wheezy (but not within squeeze or wheezy itself), this indicates a
missing or insufficiently versioned Replaces+Breaks relationship.
But since this particular upgrade ordering is not forbidden by any
dependency relationship, it is possible that apt (or $PACKAGE_MANAGER)
will use this erroneous path on squeeze->wheezy upgrades.

Here is a list of files that are known to be shared by both packages
(according to the Contents files for squeeze and wheezy on amd64, which
may be slightly out of sync):

	usr/lib/libfuzzy.so.2
	usr/lib/libfuzzy.so.2.0.0

	usr/include/fuzzy.h
	usr/lib/libfuzzy.so

The library was moved to a separate package recently:

  ssdeep (2.6-1) unstable; urgency=low
   * Split the libfuzzy library from the ssdeep package.


The following relationships are currently defined:

  Package:   libfuzzy2, libfuzzy-dev
  Conflicts: n/a
  Breaks:    n/a
  Replaces:  n/a

The following relationships should be added for a clean takeover of
these files
(http://www.debian.org/doc/debian-policy/ch-relationships.html#s-replaces):

  Package:  libfuzzy2
  Breaks:   ssdeep (<< 2.6)
  Replaces: ssdeep (<< 2.6)

  Package:  libfuzzy-dev
  Breaks:   ssdeep (<< 2.6)
  Replaces: ssdeep (<< 2.6)


Cheers,

Andreas

PS: for more information about the detection of file overwrite errors
of this kind see http://edos.debian.net/file-overwrites/.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssdeep=2.5-1_libfuzzy2=2.7-1.log.gz
Type: application/x-gzip
Size: 5639 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20121125/8762eb56/attachment.bin>

