unblock: busybox/1:1.22.0-14

To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-boot@lists.debian.org
Subject: unblock: busybox/1:1.22.0-14
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 27 Nov 2014 18:45:37 +0300
Message-id: <[🔎] 54774721.2000003@msgid.tls.msk.ru>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package busybox.  Last upload has one security bugfix
(CVE-2014-4607, #768945), the fix is from upstream stable branch,
fixing an integer overflow in lzo decompressor; it adds a Built-Using
control field for busybox-static variant (#768926), and also arranges
build system to only produce binary or indep .debs (or both), depending
on the d/rules target (binary-all vs binary-indep vs binary) -- this
is a long-standing lintian bug which I overlooked previously.

The busybox-static fix turned out to be a fun case, because I needed
a way to build-conflict on a non-broken libc (because the original
prob is in libc due to #754813), and that turned out to be a not-so-
trivial task, which resulted in several iterations.  Meanwhile I
discovered that current glibc is not able to produce working stati-
cally linked executables on hurd which uses nss functions --
statically linked executable on hurd just segfaults.  So now,
after a fix for #768926, busybox package does not build on hurd,
while previously it silently produced failing busybox-static.
Hurd people are working on the fix.

(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat-
incpmplete replies (the prob is that on different arches, libc package
is named differently).  So I invented my own way for busybox, because
this package allows me to do that -- I took the contents of $shlibs:Depends
variable for the dynamically-linked version, and transformed it into
a list of sources required for Built-Using using dpkg-query.)

There's no code changes except the lzo decompression bugfix, only
packaging changes.

Since busybox is used in d-i too, I kindly request for a
udeb-unblock too.

Previously I submitted an unblock request for busybox 1.22.0-10,
as #769129, but that turned out to be a bit preliminary because
of the fun with libc versioned build dependency iterations.

Thank you!

/mjt

unblock busybox/1:1.22.0-14

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog	2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog	2014-11-14 12:53:24.000000000 +0300
@@ -1,3 +1,46 @@
+busybox (1:1.22.0-14) medium; urgency=low
+
+  * one more attempt to fix the glibc build-depend for #769190, now
+    using versioned build-dependency on libc-dev-bin which is named
+    this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Fri, 14 Nov 2014 12:52:18 +0300
+
+busybox (1:1.22.0-13) unstable; urgency=medium
+
+  * really fix #769190 the hard way, by build-conflicting with all
+    arch-specific names of libc with version <2.19-12 (Closes: #769190)
+  * check if glibc can produce working statically linked binaries
+    by performing a getpwnam("root") call before building (#754813)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 12 Nov 2014 23:59:30 +0300
+
+busybox (1:1.22.0-12) unstable; urgency=medium
+
+  * fix the previous changelog entry (wrong bug# was "fixed" and typos)
+  * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 12 Nov 2014 12:37:11 +0300
+
+busybox (1:1.22.0-11) unstable; urgency=medium
+
+  * fix the built-using generation in the previous upload -- did not
+    work correctly for != 1 dependency and #588505 in dpkg
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 19:24:21 +0300
+
+busybox (1:1.22.0-10) unstable; urgency=high
+
+  * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+  * add Built-Using control field for -static, deriving it from
+    regular build (this will be glibc) (Closes: #768876)
+  * install only arch/indep deb as requested by binary-arch or binary-indep
+    target.  This fixes a long-standing lintian error, when package build
+    always produces busybox-syslogd package which is arch:all and should not
+    be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 17:07:34 +0300
+
 busybox (1:1.22.0-9) unstable; urgency=medium

   * cherry-pick find /BITS patch from upstream (Closes: #760637)
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control	2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control	2014-11-14 12:52:17.000000000 +0300
@@ -5,7 +5,10 @@
 Uploaders: Bastian Blank <waldi@debian.org>, Michael Tokarev <mjt@tls.msk.ru>
 Build-Depends: debhelper (>= 9),
 # needs for testsuite to run
-  zip
+  zip,
+# glibc static-nss #754813, 2.19..2.19-11, -12 is ok. Depend on libc-dev-bin
+# as it is the package which is named the same on all architectures
+ libc-dev-bin (>> 2.19-12~) | libc-dev-bin (<< 2.19),
 Standards-Version: 3.9.5
 Vcs-Git: git://anonscm.debian.org/d-i/busybox.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=d-i/busybox.git
@@ -33,6 +36,7 @@

 Package: busybox-static
 Architecture: any
+Built-Using: ${built-using}
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: busybox
 Replaces: busybox
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function                                             old     new   delta
+lzo1x_decompress_safe                               1010    1031     +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h  |    2 ++
+ archival/libarchive/lzo1x_d.c |    3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ #    define TEST_IP             (ip < ip_end)
+ #    define NEED_IP(x) \
+             if ((unsigned)(ip_end - ip) < (unsigned)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (unsigned)0 - (511)) goto input_overrun
+
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define TEST_OP             1
+ #    define NEED_OP(x) \
+             if ((unsigned)(op_end - op) < (unsigned)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (unsigned)0 - (511)) goto output_overrun
+
+ #define HAVE_ANY_OP 1
+
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 				ip++;
+ 				NEED_IP(1);
+ 			}
++			TEST_IV(t);
+ 			t += 15 + *ip++;
+ 		}
+ 		/* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 31 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 7 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+--
+1.7.10.4
+
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series	2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series	2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
 libarchive-open_zipped-does-not-need-to-check-extensions.diff
 libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
 zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch

 # submitted fixes
 do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules	2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules	2014-11-13 00:22:41.000000000 +0300
@@ -41,11 +41,24 @@
 EXTRA_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
 EXTRA_CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)

+${b}/test754813.stamp:
+	mkdir -p ${b}
+	@echo "Checking if libc can produce working static binaries"
+	echo 'int main(void) { return getpwnam("root") ? 0 : 1; }' > ${b}/test754813.c
+	${CC} -static -o ${b}/test754813 ${b}/test754813.c
+	@${b}/test754813 || { \
+	  echo "E: your libc does not produce working statically linked binaries" >&2 ; \
+	  echo "E: glibc-2.19 is known to have this bug: http://bugs.debian.org/754813"; >&2 ; \
+	  echo "E: and https://sourceware.org/bugzilla/show_bug.cgi?id=17250"; >&2 ; \
+	  echo "E: please update your libc" >&2 ; \
+	  exit 1 ; }
+	touch $@
+
 build: build-arch build-indep
 build-indep:

 ${b}/%/.stamp-setup: DIR = ${b}/$*
-${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS}
+${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS} ${b}/test754813.stamp
 	dh_testdir
 	rm -rf ${DIR}
 	mkdir -p ${DIR}
@@ -126,15 +139,22 @@
 	rm -rf ${b}
 	dh_clean

-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
 	dh_testroot
 	dh_testdir
 	dh_prep

-	dh_installdirs
-	dh_installdocs
-	dh_installchangelogs
-	dh_install
+	dh_installdocs $a
+	dh_installchangelogs $a
+	dh_install $a

 # busybox
 	dh_install -pbusybox ${b}/deb/busybox /bin
@@ -165,21 +185,30 @@

 # common actions

-	dh_strip
-	dh_link
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_shlibdeps
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
+	dh_strip $a
+	dh_link $a
+	dh_compress $a
+	dh_fixperms $a
+	dh_installdeb $a
+	dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field (also dpkg-query bug #588505)
+	if [ -f debian/busybox.substvars ]; then \
+	  pkgs=$$(sed -n -e's/([^)]*)//g' -e's/,//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+	  srcs=; for p in $$pkgs; do \
+	    srcs="$$srcs $$(dpkg-query -f '$${source:Package} (= $${source:Version}),' -W $$p)"; \
+	  done ; \
+	  echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+	fi

-binary: binary-indep binary-arch
+	dh_gencontrol $a
+	dh_md5sums $a
+	dh_builddeb $a

 .PHONY: binary binary-arch binary-indep \
 	build build-arch build-indep \
-	clean setup
+	clean setup install

 .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
 	${b}/stamp-%
Reply to:
Follow-Ups:
- Re: Bug#771208: unblock: busybox/1:1.22.0-14
  - From: Cyril Brulebois <kibi@debian.org>
- Bug#768876: unblock: busybox/1:1.22.0-14
  - From: Thorsten Glaser <t.glaser@tarent.de>
Prev by Date: Bug#770078: ifupdown: interfaces(5) falsely claims that interfaces.d is included by default on new installs
Next by Date: Bug#770078: ifupdown: interfaces(5) falsely claims that interfaces.d is included by default on new installs
Previous by thread: Processed: severity of 771190 is wishlist
Next by thread: Re: Bug#771208: unblock: busybox/1:1.22.0-14
Index(es):
- Date
- Thread