unblock: busybox/1:1.22.0-14
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package busybox. Last upload has one security bugfix
(CVE-2014-4607, #768945), the fix is from upstream stable branch,
fixing an integer overflow in lzo decompressor; it adds a Built-Using
control field for busybox-static variant (#768926), and also arranges
build system to only produce binary or indep .debs (or both), depending
on the d/rules target (binary-all vs binary-indep vs binary) -- this
is a long-standing lintian bug which I overlooked previously.
The busybox-static fix turned out to be a fun case, because I needed
a way to build-conflict on a non-broken libc (because the original
prob is in libc due to #754813), and that turned out to be a not-so-
trivial task, which resulted in several iterations. Meanwhile I
discovered that current glibc is not able to produce working stati-
cally linked executables on hurd which uses nss functions --
statically linked executable on hurd just segfaults. So now,
after a fix for #768926, busybox package does not build on hurd,
while previously it silently produced failing busybox-static.
Hurd people are working on the fix.
(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat-
incpmplete replies (the prob is that on different arches, libc package
is named differently). So I invented my own way for busybox, because
this package allows me to do that -- I took the contents of $shlibs:Depends
variable for the dynamically-linked version, and transformed it into
a list of sources required for Built-Using using dpkg-query.)
There's no code changes except the lzo decompression bugfix, only
packaging changes.
Since busybox is used in d-i too, I kindly request for a
udeb-unblock too.
Previously I submitted an unblock request for busybox 1.22.0-10,
as #769129, but that turned out to be a bit preliminary because
of the fun with libc versioned build dependency iterations.
Thank you!
/mjt
unblock busybox/1:1.22.0-14
diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog 2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog 2014-11-14 12:53:24.000000000 +0300
@@ -1,3 +1,46 @@
+busybox (1:1.22.0-14) medium; urgency=low
+
+ * one more attempt to fix the glibc build-depend for #769190, now
+ using versioned build-dependency on libc-dev-bin which is named
+ this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3)
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Fri, 14 Nov 2014 12:52:18 +0300
+
+busybox (1:1.22.0-13) unstable; urgency=medium
+
+ * really fix #769190 the hard way, by build-conflicting with all
+ arch-specific names of libc with version <2.19-12 (Closes: #769190)
+ * check if glibc can produce working statically linked binaries
+ by performing a getpwnam("root") call before building (#754813)
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Wed, 12 Nov 2014 23:59:30 +0300
+
+busybox (1:1.22.0-12) unstable; urgency=medium
+
+ * fix the previous changelog entry (wrong bug# was "fixed" and typos)
+ * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190)
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Wed, 12 Nov 2014 12:37:11 +0300
+
+busybox (1:1.22.0-11) unstable; urgency=medium
+
+ * fix the built-using generation in the previous upload -- did not
+ work correctly for != 1 dependency and #588505 in dpkg
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Tue, 11 Nov 2014 19:24:21 +0300
+
+busybox (1:1.22.0-10) unstable; urgency=high
+
+ * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+ * add Built-Using control field for -static, deriving it from
+ regular build (this will be glibc) (Closes: #768876)
+ * install only arch/indep deb as requested by binary-arch or binary-indep
+ target. This fixes a long-standing lintian error, when package build
+ always produces busybox-syslogd package which is arch:all and should not
+ be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru> Tue, 11 Nov 2014 17:07:34 +0300
+
busybox (1:1.22.0-9) unstable; urgency=medium
* cherry-pick find /BITS patch from upstream (Closes: #760637)
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control 2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control 2014-11-14 12:52:17.000000000 +0300
@@ -5,7 +5,10 @@
Uploaders: Bastian Blank <waldi@debian.org>, Michael Tokarev <mjt@tls.msk.ru>
Build-Depends: debhelper (>= 9),
# needs for testsuite to run
- zip
+ zip,
+# glibc static-nss #754813, 2.19..2.19-11, -12 is ok. Depend on libc-dev-bin
+# as it is the package which is named the same on all architectures
+ libc-dev-bin (>> 2.19-12~) | libc-dev-bin (<< 2.19),
Standards-Version: 3.9.5
Vcs-Git: git://anonscm.debian.org/d-i/busybox.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=d-i/busybox.git
@@ -33,6 +36,7 @@
Package: busybox-static
Architecture: any
+Built-Using: ${built-using}
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: busybox
Replaces: busybox
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function old new delta
+lzo1x_decompress_safe 1010 1031 +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h | 2 ++
+ archival/libarchive/lzo1x_d.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ # define TEST_IP (ip < ip_end)
+ # define NEED_IP(x) \
+ if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun
++# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun
+
+ # undef TEST_OP /* don't need both of the tests here */
+ # define TEST_OP 1
+ # define NEED_OP(x) \
+ if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun
++# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun
+
+ #define HAVE_ANY_OP 1
+
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 15 + *ip++;
+ }
+ /* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 31 + *ip++;
+ }
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ ip++;
+ NEED_IP(1);
+ }
++ TEST_IV(t);
+ t += 7 + *ip++;
+ }
+ #if defined(COPY_DICT)
+--
+1.7.10.4
+
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series 2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series 2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
libarchive-open_zipped-does-not-need-to-check-extensions.diff
libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch
# submitted fixes
do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules 2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules 2014-11-13 00:22:41.000000000 +0300
@@ -41,11 +41,24 @@
EXTRA_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
EXTRA_CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+${b}/test754813.stamp:
+ mkdir -p ${b}
+ @echo "Checking if libc can produce working static binaries"
+ echo 'int main(void) { return getpwnam("root") ? 0 : 1; }' > ${b}/test754813.c
+ ${CC} -static -o ${b}/test754813 ${b}/test754813.c
+ @${b}/test754813 || { \
+ echo "E: your libc does not produce working statically linked binaries" >&2 ; \
+ echo "E: glibc-2.19 is known to have this bug: http://bugs.debian.org/754813" >&2 ; \
+ echo "E: and https://sourceware.org/bugzilla/show_bug.cgi?id=17250" >&2 ; \
+ echo "E: please update your libc" >&2 ; \
+ exit 1 ; }
+ touch $@
+
build: build-arch build-indep
build-indep:
${b}/%/.stamp-setup: DIR = ${b}/$*
-${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS}
+${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS} ${b}/test754813.stamp
dh_testdir
rm -rf ${DIR}
mkdir -p ${DIR}
@@ -126,15 +139,22 @@
rm -rf ${b}
dh_clean
-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
dh_testroot
dh_testdir
dh_prep
- dh_installdirs
- dh_installdocs
- dh_installchangelogs
- dh_install
+ dh_installdocs $a
+ dh_installchangelogs $a
+ dh_install $a
# busybox
dh_install -pbusybox ${b}/deb/busybox /bin
@@ -165,21 +185,30 @@
# common actions
- dh_strip
- dh_link
- dh_compress
- dh_fixperms
- dh_installdeb
- dh_shlibdeps
- dh_gencontrol
- dh_md5sums
- dh_builddeb
+ dh_strip $a
+ dh_link $a
+ dh_compress $a
+ dh_fixperms $a
+ dh_installdeb $a
+ dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field (also dpkg-query bug #588505)
+ if [ -f debian/busybox.substvars ]; then \
+ pkgs=$$(sed -n -e's/([^)]*)//g' -e's/,//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+ srcs=; for p in $$pkgs; do \
+ srcs="$$srcs $$(dpkg-query -f '$${source:Package} (= $${source:Version}),' -W $$p)"; \
+ done ; \
+ echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+ fi
-binary: binary-indep binary-arch
+ dh_gencontrol $a
+ dh_md5sums $a
+ dh_builddeb $a
.PHONY: binary binary-arch binary-indep \
build build-arch build-indep \
- clean setup
+ clean setup install
.PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
${b}/stamp-%
Reply to: