
Bug#137931: dpkg: dpkg-deb includes static zlib code



Package: dpkg
Version: 1.9.19
Severity: grave

/usr/bin/dpkg-deb includes statically-linked zlib code.  Not only
does this waste space, but it could be a security issue given the
recent zlib vulnerability that was found.

$ ldd /usr/bin/dpkg-deb
	libc.so.6 => /lib/libc.so.6 (0x40019000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

I did an strace of dpkg-deb --extract and it does not call gzip nor does
it dynamically load libz.  It does, however, read gzip data and pipe it
into "tar xpf -" by doing its own decompression.  Some libz symbols are
in the binary too.

I then built dpkg-deb from source on my system.  Here's the relevant
bit of the build:

------------------------------------------------------------------------

dpkg-buildpackage: source package is dpkg
dpkg-buildpackage: source version is 1.9.19
dpkg-buildpackage: source maintainer is Adam Heath <doogie@debian.org>
dpkg-buildpackage: host architecture is i386
 debian/rules clean
test -f include/dpkg.h.in
rm -f debian/files debian/substvars
rm -f debian/dpkg.substvars
rm -fr /export/home/quinlan/delme/dpkg-1.9.19/build /export/home/quinlan/delme/dpkg-1.9.19/build-static /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-dev /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-doc
rm -f po/{cat-id-tbl.c,stamp-cat-id,*.gmo}
rm -f stamp-build stamp-build-static stamp-binary
 dpkg-source -b dpkg-1.9.19
dpkg-source: building dpkg in dpkg_1.9.19.tar.gz
dpkg-source: building dpkg in dpkg_1.9.19.dsc
 debian/rules build
test -f include/dpkg.h.in
install -d /export/home/quinlan/delme/dpkg-1.9.19/build
cd /export/home/quinlan/delme/dpkg-1.9.19/build && LDFLAGS= /export/home/quinlan/delme/dpkg-1.9.19/configure \
        --prefix=/usr \
        --datadir=/usr/share \
        --mandir=/usr/share/man \
        --infodir=/usr/share/info \
        --sysconfdir=/etc \
        --sharedstatedir=/var/lib \
        --localstatedir=/var/lib \
        --with-admindir=/var/lib/dpkg \
        --with-zlib=static \

HERE    ^^^^^^^^^^^^^^^^^^^^

-- System Information
Debian Release: 3.0
Kernel Version: Linux proton 2.2.20 #1 Wed Jan 9 15:44:45 PST 2002 i486 unknown

Versions of the packages dpkg depends on:
ii  libc6          2.2.5-3        GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.2.20020112a- Shared libraries for terminal handling
ii  libstdc++2.10- 2.95.4-1       The GNU stdc++ library
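
A check in the spirit of the ldd and symbol inspection in this report, added here as an example and not part of the bug report or of dpkg: it classifies a binary's zlib linkage as dynamic (ldd lists libz.so, so a fixed shared library reaches it), static (no libz.so dependency, but zlib's own embedded copyright strings from inflate.c/deflate.c are present, the situation described for dpkg-deb 1.9.19), or none. ldd and GNU grep are assumed to be available; the files it scans in the sample run are constructed, not real binaries.

```shell
#!/bin/sh
# Added example, not from the bug report or dpkg: classify a binary's
# zlib linkage. Prints one of: dynamic | static | none

zlib_linkage() {
    bin=$1
    # Dynamic case: the loader will pull in the system libz.so, so a
    # patched zlib package fixes this binary. (Caveat: ldd may run the
    # file's loader; use objdump -p / NEEDED entries for untrusted files.)
    if ldd "$bin" 2>/dev/null | grep -q 'libz\.so'; then
        echo dynamic
        return 0
    fi
    # Static case: zlib's inflate.c and deflate.c carry strings such as
    # " inflate 1.1.3 Copyright 1995-1998 Mark Adler ". Finding one in a
    # binary with no libz.so dependency means zlib code is linked in and
    # will NOT be fixed by upgrading the shared library.
    if grep -a -q -E '(inflate|deflate) [0-9]+\.[0-9]+(\.[0-9]+)? Copyright' "$bin"; then
        echo static
        return 0
    fi
    echo none
}

# Scan a directory of binaries and print those carrying their own zlib copy.
find_static_zlib() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(zlib_linkage "$f")" = static ] && echo "$f"
    done
    return 0
}

# Constructed sample input (not real binaries): one file embeds zlib's
# version string with no libz.so dependency, the other has no zlib at all.
make_sample() {
    dir=$(mktemp -d)
    printf 'ELFjunk\000 inflate 1.1.3 Copyright 1995-1998 Mark Adler \000junk\n' \
        > "$dir/fake-dpkg-deb"
    printf 'no compression code here\n' > "$dir/fake-other"
    echo "$dir"
}

# Usage on a real system: find_static_zlib /usr/bin
```

On a real installation, a `static` result for a binary whose package does not also ship the zlib fix is the case this report describes.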
