Bug#137931: dpkg: dpkg-deb includes static zlib code
Package: dpkg
Version: 1.9.19
Severity: grave
/usr/bin/dpkg-deb includes statically-linked zlib code. Not only
does this waste space, but it could be a security issue given the
recent zlib vulnerability that was found.
$ ldd /usr/bin/dpkg-deb
libc.so.6 => /lib/libc.so.6 (0x40019000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
I did an strace of dpkg-deb --extract and it does not call gzip nor does
it dynamically load libz. It does, however, read gzip data and pipe it
into "tar xpf -" by doing its own decompression. Some libz symbols are
in the binary too.
I then built dpkg-deb from source on my system. Here's the relevant
bit of the build:
------------------------------------------------------------------------
dpkg-buildpackage: source package is dpkg
dpkg-buildpackage: source version is 1.9.19
dpkg-buildpackage: source maintainer is Adam Heath <doogie@debian.org>
dpkg-buildpackage: host architecture is i386
debian/rules clean
test -f include/dpkg.h.in
rm -f debian/files debian/substvars
rm -f debian/dpkg.substvars
rm -fr /export/home/quinlan/delme/dpkg-1.9.19/build /export/home/quinlan/delme/dpkg-1.9.19/build-static /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-dev /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-doc
rm -f po/{cat-id-tbl.c,stamp-cat-id,*.gmo}
rm -f stamp-build stamp-build-static stamp-binary
dpkg-source -b dpkg-1.9.19
dpkg-source: building dpkg in dpkg_1.9.19.tar.gz
dpkg-source: building dpkg in dpkg_1.9.19.dsc
debian/rules build
test -f include/dpkg.h.in
install -d /export/home/quinlan/delme/dpkg-1.9.19/build
cd /export/home/quinlan/delme/dpkg-1.9.19/build && LDFLAGS= /export/home/quinlan/delme/dpkg-1.9.19/configure \
--prefix=/usr \
--datadir=/usr/share \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--sysconfdir=/etc \
--sharedstatedir=/var/lib \
--localstatedir=/var/lib \
--with-admindir=/var/lib/dpkg \
--with-zlib=static \
HERE ^^^^^^^^^^^^^^^^^^^^
-- System Information
Debian Release: 3.0
Kernel Version: Linux proton 2.2.20 #1 Wed Jan 9 15:44:45 PST 2002 i486 unknown
Versions of the packages dpkg depends on:
ii libc6 2.2.5-3 GNU C Library: Shared libraries and Timezone
ii libncurses5 5.2.20020112a- Shared libraries for terminal handling
ii libstdc++2.10- 2.95.4-1 The GNU stdc++ library
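The manual check the reporter describes (ldd shows no libz, yet zlib symbols sit in the binary) can be scripted so a whole set of binaries can be audited for an embedded zlib copy after a zlib advisory. This is an added example, not part of the bug report or of dpkg; it relies on the copyright banners that zlib's deflate.c and inflate.c compile into every build ("deflate 1.x.y Copyright ..." / "inflate 1.x.y Copyright ..."), which also reveal which zlib version was bundled.

```shell
#!/bin/sh
# Added example: flag binaries that carry their own copy of zlib
# instead of depending on the shared libz, as dpkg-deb 1.9.19 did.
set -e

# Returns 0 if ldd lists libz as a dynamic dependency, 1 otherwise
# (1 also for non-ELF inputs or when ldd is not installed).
has_dynamic_libz() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'libz\.so'
}

# Prints the zlib version named in an embedded copyright banner
# (e.g. "1.1.3"); returns 1 when no banner is present in the file.
embedded_zlib_version() {
    # grep -a scans the binary as text; -o keeps only the match.
    ver=$(grep -a -o -E '(deflate|inflate) 1\.[0-9]+(\.[0-9]+)?' "$1" 2>/dev/null \
          | head -n 1 | cut -d' ' -f2)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Prints one of: "dynamic", "static-zlib <version>", "no-zlib".
# A binary with no libz dependency but with a banner is the case
# reported above: its zlib must be rebuilt to pick up a fix.
classify_zlib() {
    if has_dynamic_libz "$1"; then
        echo dynamic
    elif v=$(embedded_zlib_version "$1"); then
        echo "static-zlib $v"
    else
        echo no-zlib
    fi
}

# Usage: ./zlibcheck.sh /usr/bin/dpkg-deb /usr/bin/* ...
for f in "$@"; do
    [ -f "$f" ] || continue
    printf '%s: %s\n' "$f" "$(classify_zlib "$f")"
done
```

Binaries reported as "static-zlib" stay vulnerable after the libz package is upgraded and need a rebuild of their own (here, without --with-zlib=static).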