unblock: busybox/1:1.22.0-10

To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-boot@lists.debian.org
Subject: unblock: busybox/1:1.22.0-10
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Tue, 11 Nov 2014 19:08:26 +0400
Message-id: <[🔎] 20141111160826.9558.77721.reportbug@gandalf.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package busybox.  Last upload has one security bugfix
(CVE-2014-4607, #768945), the fix is from upstream stable branch,
fixing an integer overflow in lzo decompressor; it adds a Built-Using
control field for busybox-static variant (#768926), and also arranges
build system to only produce binary or indep .debs (or both), depending
on the d/rules target (binary-all vs binary-indep vs binary) -- this
is a long-standing lintian bug which I overlooked previously.

(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat-
incpmplete replies (the prob is that on different arches, libc package
is named differently).  So I invented my own way for busybox, because
this package allows me to do that -- I took the contents of $shlibs:Depends
variable for the dynamically-linked version, and transformed it into
a list of sources required for Built-Using using dpkg-query.

There's no code changes except the lzo decompression bugfix, only
packaging changes.

Thank you!

/mjt

unblock busybox/1:1.22.0-10

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog	2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog	2014-11-11 17:07:46.000000000 +0300
@@ -1,3 +1,15 @@
+busybox (1:1.22.0-10) unstable; urgency=high
+
+  * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+  * add Built-Using control field for -static, deriving it from
+    regular build (this will be glibc) (Closes: #768926)
+  * install only arch/indep deb as requested by binary-arch or binary-indep
+    target.  This fixes a long-standing lintian error, when package build
+    alway produces busybox-syslogd package which is arch:all and should not
+    be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 17:07:34 +0300
+
 busybox (1:1.22.0-9) unstable; urgency=medium
 
   * cherry-pick find /BITS patch from upstream (Closes: #760637)
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control	2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control	2014-11-10 15:06:53.000000000 +0300
@@ -33,6 +33,7 @@
 
 Package: busybox-static
 Architecture: any
+Built-Using: ${built-using}
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: busybox
 Replaces: busybox
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function                                             old     new   delta
+lzo1x_decompress_safe                               1010    1031     +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h  |    2 ++
+ archival/libarchive/lzo1x_d.c |    3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ #    define TEST_IP             (ip < ip_end)
+ #    define NEED_IP(x) \
+             if ((unsigned)(ip_end - ip) < (unsigned)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (unsigned)0 - (511)) goto input_overrun
+ 
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define TEST_OP             1
+ #    define NEED_OP(x) \
+             if ((unsigned)(op_end - op) < (unsigned)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (unsigned)0 - (511)) goto output_overrun
+ 
+ #define HAVE_ANY_OP 1
+ 
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 				ip++;
+ 				NEED_IP(1);
+ 			}
++			TEST_IV(t);
+ 			t += 15 + *ip++;
+ 		}
+ 		/* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 31 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 7 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+-- 
+1.7.10.4
+
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series	2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series	2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
 libarchive-open_zipped-does-not-need-to-check-extensions.diff
 libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
 zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch
 
 # submitted fixes
 do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules	2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules	2014-11-11 17:06:54.000000000 +0300
@@ -126,15 +126,22 @@
 	rm -rf ${b}
 	dh_clean
 
-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
 	dh_testroot
 	dh_testdir
 	dh_prep
 
-	dh_installdirs
-	dh_installdocs
-	dh_installchangelogs
-	dh_install
+	dh_installdocs $a
+	dh_installchangelogs $a
+	dh_install $a
 
 # busybox
 	dh_install -pbusybox ${b}/deb/busybox /bin
@@ -165,21 +172,28 @@
 
 # common actions
 
-	dh_strip
-	dh_link
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_shlibdeps
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
-
-binary: binary-indep binary-arch
+	dh_strip $a
+	dh_link $a
+	dh_compress $a
+	dh_fixperms $a
+	dh_installdeb $a
+	dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field.
+	if [ -f debian/busybox.substvars ]; then \
+	  pkgs=$$(sed -n -e's/([^)]*)//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+	  srcs="$$(dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $$pkgs)"; \
+	  echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+	fi
+
+	dh_gencontrol $a
+	dh_md5sums $a
+	dh_builddeb $a
 
 .PHONY: binary binary-arch binary-indep \
 	build build-arch build-indep \
-	clean setup
+	clean setup install
 
 .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
 	${b}/stamp-%
Reply to:
Follow-Ups:
- Re: Bug#769129: unblock: busybox/1:1.22.0-10
  - From: Michael Tokarev <mjt@tls.msk.ru>
Prev by Date: busybox_1.22.0-10_amd64.changes ACCEPTED into unstable
Next by Date: Bug#769107: debian-installer: grub-installer fails if more than 26 SCSI devices are present
Previous by thread: busybox_1.22.0-10_amd64.changes ACCEPTED into unstable
Next by thread: Re: Bug#769129: unblock: busybox/1:1.22.0-10
Index(es):
- Date
- Thread