unblock: busybox/1:1.22.0-10
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package busybox. Last upload has one security bugfix
(CVE-2014-4607, #768945), the fix is from upstream stable branch,
fixing an integer overflow in lzo decompressor; it adds a Built-Using
control field for busybox-static variant (#768926), and also arranges
build system to only produce binary or indep .debs (or both), depending
on the d/rules target (binary-all vs binary-indep vs binary) -- this
is a long-standing lintian bug which I overlooked previously.
(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat-
incpmplete replies (the prob is that on different arches, libc package
is named differently). So I invented my own way for busybox, because
this package allows me to do that -- I took the contents of $shlibs:Depends
variable for the dynamically-linked version, and transformed it into
a list of sources required for Built-Using using dpkg-query.
There's no code changes except the lzo decompression bugfix, only
packaging changes.
Thank you!
/mjt
unblock busybox/1:1.22.0-10
diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog 2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog 2014-11-11 17:07:46.000000000 +0300
@@ -1,3 +1,15 @@
+busybox (1:1.22.0-10) unstable; urgency=high
+
+ * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+ * add Built-Using control field for -static, deriving it from
+ regular build (this will be glibc) (Closes: #768926)
+ * install only arch/indep deb as requested by binary-arch or binary-indep
+ target. This fixes a long-standing lintian error, when package build
+ alway produces busybox-syslogd package which is arch:all and should not
+ be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Tue, 11 Nov 2014 17:07:34 +0300
+
busybox (1:1.22.0-9) unstable; urgency=medium
* cherry-pick find /BITS patch from upstream (Closes: #760637)
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control 2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control 2014-11-10 15:06:53.000000000 +0300
@@ -33,6 +33,7 @@
Package: busybox-static
Architecture: any
+Built-Using: ${built-using}
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: busybox
Replaces: busybox
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function old new delta
+lzo1x_decompress_safe 1010 1031 +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h | 2 ++
+ archival/libarchive/lzo1x_d.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ # define TEST_IP (ip < ip_end)
+ # define NEED_IP(x) \
+ if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun
+
+ # undef TEST_OP /* don't need both of the tests here */
+ # define TEST_OP 1
+ # define NEED_OP(x) \
+ if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun
+
+ #define HAVE_ANY_OP 1
+
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 15 + *ip++;
+ }
+ /* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 31 + *ip++;
+ }
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 7 + *ip++;
+ }
+ #if defined(COPY_DICT)
+--
+1.7.10.4
+
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series 2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series 2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
libarchive-open_zipped-does-not-need-to-check-extensions.diff
libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch
# submitted fixes
do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules 2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules 2014-11-11 17:06:54.000000000 +0300
@@ -126,15 +126,22 @@
rm -rf ${b}
dh_clean
-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
dh_testroot
dh_testdir
dh_prep
- dh_installdirs
- dh_installdocs
- dh_installchangelogs
- dh_install
+ dh_installdocs $a
+ dh_installchangelogs $a
+ dh_install $a
# busybox
dh_install -pbusybox ${b}/deb/busybox /bin
@@ -165,21 +172,28 @@
# common actions
- dh_strip
- dh_link
- dh_compress
- dh_fixperms
- dh_installdeb
- dh_shlibdeps
- dh_gencontrol
- dh_md5sums
- dh_builddeb
-
-binary: binary-indep binary-arch
+ dh_strip $a
+ dh_link $a
+ dh_compress $a
+ dh_fixperms $a
+ dh_installdeb $a
+ dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field.
+ if [ -f debian/busybox.substvars ]; then \
+ pkgs=$$(sed -n -e's/([^)]*)//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+ srcs="$$(dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $$pkgs)"; \
+ echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+ fi
+
+ dh_gencontrol $a
+ dh_md5sums $a
+ dh_builddeb $a
.PHONY: binary binary-arch binary-indep \
build build-arch build-indep \
- clean setup
+ clean setup install
.PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
${b}/stamp-%
Reply to: