
Bug#137931: marked as done (dpkg: dpkg-deb includes static zlib code)



Your message dated Tue, 19 Mar 2002 03:10:26 -0500
with message-id <E16nEhO-0004Qe-00@auric.debian.org>
and subject line Bug#137931: fixed in dpkg 1.9.20
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Mar 2002 00:21:06 +0000
From quinlan@pathname.com Mon Mar 11 18:21:06 2002
Return-path: <quinlan@pathname.com>
Received: from adsl-216-103-211-240.dsl.snfc21.pacbell.net (proton.pathname.com) [216.103.211.240] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16ka2M-0005aE-00; Mon, 11 Mar 2002 18:21:06 -0600
Received: from quinlan by proton.pathname.com with local (Exim 3.34 #1 (Debian))
	id 16ka27-0007rH-00; Mon, 11 Mar 2002 16:20:51 -0800
From: Daniel Quinlan <quinlan@pathname.com>
Subject: dpkg: dpkg-deb includes static zlib code
To: submit@bugs.debian.org
X-Mailer: bug 3.3.10.1
Message-Id: <E16ka27-0007rH-00@proton.pathname.com>
Date: Mon, 11 Mar 2002 16:20:51 -0800
Delivered-To: submit@bugs.debian.org

Package: dpkg
Version: 1.9.19
Severity: grave

/usr/bin/dpkg-deb includes statically-linked zlib code.  Not only
does this waste space, but it could be a security issue given the
recent zlib vulnerability that was found.

$ ldd /usr/bin/dpkg-deb
	libc.so.6 => /lib/libc.so.6 (0x40019000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

I did an strace of dpkg-deb --extract and it does not call gzip nor does
it dynamically load libz.  It does, however, read gzip data and pipe it
into "tar xpf -" by doing its own decompression.  Some libz-symbols are
in the binary too.

I then built dpkg-deb from source on my system.  Here's the relevant
bit of the build:

------------------------------------------------------------------------

dpkg-buildpackage: source package is dpkg
dpkg-buildpackage: source version is 1.9.19
dpkg-buildpackage: source maintainer is Adam Heath <doogie@debian.org>
dpkg-buildpackage: host architecture is i386
 debian/rules clean
test -f include/dpkg.h.in
rm -f debian/files debian/substvars
rm -f debian/dpkg.substvars
rm -fr /export/home/quinlan/delme/dpkg-1.9.19/build /export/home/quinlan/delme/dpkg-1.9.19/build-static /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-dev /export/home/quinlan/delme/dpkg-1.9.19/debian/tmp-dpkg-doc
rm -f po/{cat-id-tbl.c,stamp-cat-id,*.gmo}
rm -f stamp-build stamp-build-static stamp-binary
 dpkg-source -b dpkg-1.9.19
dpkg-source: building dpkg in dpkg_1.9.19.tar.gz
dpkg-source: building dpkg in dpkg_1.9.19.dsc
 debian/rules build
test -f include/dpkg.h.in
install -d /export/home/quinlan/delme/dpkg-1.9.19/build
cd /export/home/quinlan/delme/dpkg-1.9.19/build && LDFLAGS= /export/home/quinlan/delme/dpkg-1.9.19/configure \
        --prefix=/usr \
        --datadir=/usr/share \
        --mandir=/usr/share/man \
        --infodir=/usr/share/info \
        --sysconfdir=/etc \
        --sharedstatedir=/var/lib \
        --localstatedir=/var/lib \
        --with-admindir=/var/lib/dpkg \
        --with-zlib=static \

HERE    ^^^^^^^^^^^^^^^^^^^^

-- System Information
Debian Release: 3.0
Kernel Version: Linux proton 2.2.20 #1 Wed Jan 9 15:44:45 PST 2002 i486 unknown

Versions of the packages dpkg depends on:
ii  libc6          2.2.5-3        GNU C Library: Shared libraries and Timezone
ii  libncurses5    5.2.20020112a- Shared libraries for terminal handling
ii  libstdc++2.10- 2.95.4-1       The GNU stdc++ library
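A quick audit check for the condition this report describes, added here as an example (it is not part of the bug report and not dpkg code): `ldd` only shows shared-library dependencies, so a copy of zlib pulled in with `--with-zlib=static` is invisible to it. The script instead scans a binary's raw bytes for the copyright banner zlib's deflate/inflate sources embed (which survives static linking, even after stripping), for a `libz.so` NEEDED string, and for a few zlib API names; the symbol list and the verdict labels are my own choices.

```python
"""Heuristic scan for an embedded (statically linked) copy of zlib in a binary."""
import re
import sys

# zlib's deflate.c and inftrees.c carry a banner such as
# " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ". It ends up in
# .rodata of anything that links zlib statically, and strip does not remove it.
ZLIB_BANNER = re.compile(rb"(deflate|inflate) (\d+\.\d+\.\d+) Copyright \d{4}")
# A dynamically linked binary names the shared library in a NEEDED entry
# (visible as a plain string in .dynstr).
LIBZ_SONAME = re.compile(rb"libz\.so(\.\d+)*")
# zlib API names that remain in the symbol string tables of an unstripped
# static build, or in .dynstr of a dynamic one (assumed list, not exhaustive).
ZLIB_SYMBOLS = (b"inflateInit_", b"inflateInit2_", b"deflateInit_",
                b"zlibVersion", b"gzopen", b"gzread")


def classify_zlib(data: bytes) -> dict:
    """Return the zlib evidence found in raw file contents.

    verdict: "static"  - zlib banner present, so zlib code is inside the file
             "dynamic" - no banner, but a libz.so NEEDED string is present
             "suspect" - only zlib API names found (e.g. stripped static build)
             "none"    - nothing zlib-related found
    """
    banner = ZLIB_BANNER.search(data)
    soname = LIBZ_SONAME.search(data)
    symbols = sorted(s.decode() for s in ZLIB_SYMBOLS if s in data)
    if banner:
        verdict = "static"
    elif soname:
        verdict = "dynamic"
    elif symbols:
        verdict = "suspect"
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "version": banner.group(2).decode() if banner else None,
        "soname": soname.group(0).decode() if soname else None,
        "symbols": symbols,
    }


def classify_file(path: str) -> dict:
    """Read a whole binary and classify it (files like dpkg-deb are small)."""
    with open(path, "rb") as f:
        return classify_zlib(f.read())


if __name__ == "__main__":
    # Usage: python3 zlibscan.py /usr/bin/dpkg-deb /usr/bin/gzip ...
    for path in sys.argv[1:]:
        r = classify_file(path)
        print(f"{path}: {r['verdict']} version={r['version']} "
              f"soname={r['soname']} symbols={','.join(r['symbols'])}")
```

A "static" hit on a package whose changelog does not mention a rebuild against the fixed zlib is what to chase; a "dynamic" hit is covered by upgrading the zlib package alone.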

---------------------------------------
Received: (at 137931-close) by bugs.debian.org; 19 Mar 2002 08:32:22 +0000
From rmurray@auric.debian.org Tue Mar 19 02:32:22 2002
Return-path: <rmurray@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 16nF2c-0003GQ-00; Tue, 19 Mar 2002 02:32:22 -0600
Received: from rmurray by auric.debian.org with local (Exim 3.12 1 (Debian))
	id 16nEhO-0004Qe-00; Tue, 19 Mar 2002 03:10:26 -0500
From: Adam Heath <doogie@debian.org>
To: 137931-close@bugs.debian.org
X-Lisa: $Revision: 1.4 $
Subject: Bug#137931: fixed in dpkg 1.9.20
Message-Id: <E16nEhO-0004Qe-00@auric.debian.org>
Sender: Ryan Murray <rmurray@auric.debian.org>
Date: Tue, 19 Mar 2002 03:10:26 -0500
Delivered-To: 137931-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive:

dpkg-dev_1.9.20_all.deb
  to pool/main/d/dpkg/dpkg-dev_1.9.20_all.deb
dpkg-doc_1.9.20_all.deb
  to pool/main/d/dpkg/dpkg-doc_1.9.20_all.deb
dpkg_1.9.20.dsc
  to pool/main/d/dpkg/dpkg_1.9.20.dsc
dpkg_1.9.20.tar.gz
  to pool/main/d/dpkg/dpkg_1.9.20.tar.gz
dpkg_1.9.20_i386.deb
  to pool/main/d/dpkg/dpkg_1.9.20_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 137931@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Heath <doogie@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 17 Mar 2002 02:52:44 -0600
Source: dpkg
Binary: dpkg-dev dpkg-doc dpkg
Architecture: source all i386
Version: 1.9.20
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Development <debian-dpkg@lists.debian.org>
Changed-By: Adam Heath <doogie@debian.org>
Description: 
 dpkg       - Package maintenance system for Debian
 dpkg-dev   - Package building tools for Debian
 dpkg-doc   - Dpkg Internals Documentation
Closes: 136349 137765 137931
Changes: 
 dpkg (1.9.20) unstable; urgency=medium
 .
   * Fix assertion when --auto-deconfigure is set.  Closes: #137765.
   * Fix segfault discovered by fixing the above.
   * Fix segfault when getenv("PATH") returns null.  Closes: #136349
   * Recompiled against updated zlib, to fix possible security issue.  Also
     bumped build-depends to match.  Closes: #137931(grave)
Files: 
 fbc7d754fc49c9e95ca186f378bcc752 737 base required dpkg_1.9.20.dsc
 e87d4483ac21a7a56daacecd276efc29 1374845 base required dpkg_1.9.20.tar.gz
 8268c8ed54715deea46e0c7b1e1b98a0 1074604 base required dpkg_1.9.20_i386.deb
 b4c0e71fcb8f6c4facc2374c04e60a0f 1063969 byhand - dpkg-1.9.20_i386.nondebbin.tar.gz
 2e178318596e6c2f47d5d99ad0a286b1 111460 devel important dpkg-dev_1.9.20_all.deb
 5adc5baff1fa2ac2ef60f531979eb4a5 11086 doc extra dpkg-doc_1.9.20_all.deb
 e87d4483ac21a7a56daacecd276efc29 1374845 byhand - dpkg-1.9.20.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8lGgCiix9wovUpIkRAk+ZAKCCLhwSxi9m8Ih+CA31ZPUHdY3qxQCbBSXk
kfZfbcKCgQwCIKEpLyb4BXg=
=23Bv
-----END PGP SIGNATURE-----
