
Bug#769129: marked as done (unblock: busybox/1:1.22.0-10)



Your message dated Wed, 12 Nov 2014 20:12:21 +0000
with message-id <20141112201221.GH21455@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#769129: unblock: busybox/1:1.22.0-10
has caused the Debian Bug report #769129,
regarding unblock: busybox/1:1.22.0-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
769129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package busybox.  Last upload has one security bugfix
(CVE-2014-4607, #768945), the fix is from upstream stable branch,
fixing an integer overflow in lzo decompressor; it adds a Built-Using
control field for busybox-static variant (#768926), and also arranges
build system to only produce binary or indep .debs (or both), depending
on the d/rules target (binary-all vs binary-indep vs binary) -- this
is a long-standing lintian bug which I overlooked previously.

(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat-
incomplete replies (the prob is that on different arches, libc package
is named differently).  So I invented my own way for busybox, because
this package allows me to do that -- I took the contents of $shlibs:Depends
variable for the dynamically-linked version, and transformed it into
a list of sources required for Built-Using using dpkg-query.)

There are no code changes except the lzo decompression bugfix, only
packaging changes.

Thank you!

/mjt

unblock busybox/1:1.22.0-10

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog	2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog	2014-11-11 17:07:46.000000000 +0300
@@ -1,3 +1,15 @@
+busybox (1:1.22.0-10) unstable; urgency=high
+
+  * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+  * add Built-Using control field for -static, deriving it from
+    regular build (this will be glibc) (Closes: #768926)
+  * install only arch/indep deb as requested by binary-arch or binary-indep
+    target.  This fixes a long-standing lintian error, when package build
+    alway produces busybox-syslogd package which is arch:all and should not
+    be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 17:07:34 +0300
+
 busybox (1:1.22.0-9) unstable; urgency=medium
 
   * cherry-pick find /BITS patch from upstream (Closes: #760637)
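Review bot: typo in the third entry of the 1:1.22.0-10 changelog, "alway produces busybox-syslogd" should read "always produces busybox-syslogd". The entry would also be more useful if it named the lintian tag being fixed, so the next maintainer can confirm with lintian that the arch:all package no longer appears in a binary-arch build.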
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control	2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control	2014-11-10 15:06:53.000000000 +0300
@@ -33,6 +33,7 @@
 
 Package: busybox-static
 Architecture: any
+Built-Using: ${built-using}
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: busybox
 Replaces: busybox
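Review bot: `${built-using}` is a custom substvar that only exists when the rules recipe manages to write debian/busybox-static.substvars; if it is never defined, dpkg-gencontrol merely warns about an unknown substitution variable and drops the empty Built-Using field, so busybox-static can be built and uploaded without the field that #768926 asks for. Make the generation step fail the build when it cannot produce a value, rather than relying on the warning being noticed.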
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function                                             old     new   delta
+lzo1x_decompress_safe                               1010    1031     +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h  |    2 ++
+ archival/libarchive/lzo1x_d.c |    3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ #    define TEST_IP             (ip < ip_end)
+ #    define NEED_IP(x) \
+             if ((unsigned)(ip_end - ip) < (unsigned)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (unsigned)0 - (511)) goto input_overrun
+ 
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define TEST_OP             1
+ #    define NEED_OP(x) \
+             if ((unsigned)(op_end - op) < (unsigned)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (unsigned)0 - (511)) goto output_overrun
+ 
+ #define HAVE_ANY_OP 1
+ 
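Review bot: TEST_OV is defined here but nothing in this patch uses it, all three new call sites in lzo1x_d.c invoke TEST_IV; either drop the unused macro or add a comment that it is kept for parity with liblzo's header. For the threshold: `(unsigned)0 - (511)` is UINT_MAX - 510, so a t that passes the test has at least 510 of headroom for the `t += 15 + *ip++` (at most 270), `t += 31 + *ip++` and `t += 7 + *ip++` additions that follow, plus the small constants the decoder's later length checks add to t, which is what stops those sums from wrapping.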
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 				ip++;
+ 				NEED_IP(1);
+ 			}
++			TEST_IV(t);
+ 			t += 15 + *ip++;
+ 		}
+ 		/* copy literals */
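Review bot: TEST_IV(t) is placed after the `while (*ip == 0)` loop rather than inside it, so it only bounds the value t has when the loop exits. t is a 32-bit `unsigned` that grows by 255 per zero byte, and NEED_IP(1) only guarantees that another input byte exists, so a run of roughly 16.8 million zero bytes makes t wrap inside the loop without triggering anything. This is not a memory-safety hole, because the check still runs before `t += 15 + *ip++` and every later NEED_IP/NEED_OP is computed from the same t, so a wrapped t merely decodes as a shorter literal run; but moving `TEST_IV(t);` into the loop body next to `NEED_IP(1);` would reject such input outright instead of silently accepting a nonsensical length. The same applies to the two hunks below (`t += 31 + *ip++` and `t += 7 + *ip++`).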
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 31 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 7 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+-- 
+1.7.10.4
+
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series	2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series	2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
 libarchive-open_zipped-does-not-need-to-check-extensions.diff
 libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
 zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch
 
 # submitted fixes
 do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules	2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules	2014-11-11 17:06:54.000000000 +0300
@@ -126,15 +126,22 @@
 	rm -rf ${b}
 	dh_clean
 
-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
 	dh_testroot
 	dh_testdir
 	dh_prep
 
-	dh_installdirs
-	dh_installdocs
-	dh_installchangelogs
-	dh_install
+	dh_installdocs $a
+	dh_installchangelogs $a
+	dh_install $a
 
 # busybox
 	dh_install -pbusybox ${b}/deb/busybox /bin
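Review bot: `dh_installdirs` disappears from the recipe with no changelog entry; if any debian/*.dirs files exist they are no longer honoured, and if none exist, say so in the changelog so the removal is clearly intentional. Also, the target-specific `a := -i` / `a := -a` assignments reach the `install` recipe only because GNU make propagates target-specific variables to prerequisites; a single invocation naming both goals (`debian/rules binary-arch binary-indep`) builds `install` once with the first goal's value and the second goal produces nothing. Buildds call one target at a time, so this is harmless in practice, but a comment next to `a :=` documenting that assumption would save the next reader a puzzle.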
@@ -165,21 +172,28 @@
 
 # common actions
 
-	dh_strip
-	dh_link
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_shlibdeps
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
-
-binary: binary-indep binary-arch
+	dh_strip $a
+	dh_link $a
+	dh_compress $a
+	dh_fixperms $a
+	dh_installdeb $a
+	dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field.
+	if [ -f debian/busybox.substvars ]; then \
+	  pkgs=$$(sed -n -e's/([^)]*)//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+	  srcs="$$(dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $$pkgs)"; \
+	  echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+	fi
+
+	dh_gencontrol $a
+	dh_md5sums $a
+	dh_builddeb $a
 
 .PHONY: binary binary-arch binary-indep \
 	build build-arch build-indep \
-	clean setup
+	clean setup install
 
 .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
 	${b}/stamp-%
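Review bot: the Built-Using generation fails silently. The recipe line runs under `sh -c` without `set -e`, so if `dpkg-query` errors out (an unknown package name, or the dpkg bug #588505 mentioned in the follow-up) `srcs` is empty or partial, the `if` compound still exits 0 and busybox-static is built with a missing or truncated field; and when debian/busybox.substvars is absent the step is skipped altogether. Prefix the line with `set -e;` and refuse to continue when `$$srcs` is empty, so the buildd fails instead of shipping wrong provenance. Two smaller points: the format string leaves a trailing `, ` on the value (tolerated by dpkg-gencontrol's dependency parser, but untidy; strip it with a final `sed 's/, $$//'`), and the derivation assumes that the source version of the runtime libc the dynamic busybox links against is the same as that of the static libc.a the -static build used, which holds only because the libc -dev package depends on the exact same version of its runtime; that assumption deserves a comment next to the `dpkg-query` line.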

--- End Message ---
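The integer overflow the patch above guards against, as an added example that is not part of this bug report or of busybox: a stand-alone C re-creation of the literal-run length decoding in lzo1x_decompress_safe(), with the pre-patch logic and the TEST_IV-guarded logic selectable by a flag. The function names, the 1024-byte output size and the crafted input (16843008 zero bytes followed by 0xEE) are constructed for this illustration; the check expressions themselves mirror the NEED_IP/NEED_OP/TEST_IV macros in the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes mirror the decoder's goto labels. */
enum lzo_status { LZO_OK = 0, LZO_INPUT_OVERRUN = 1, LZO_OUTPUT_OVERRUN = 2 };

struct run_length {
    enum lzo_status status;
    unsigned t;        /* literal count the copy loop would go on to use */
    unsigned need_op;  /* the (possibly wrapped) value NEED_OP(t + 3) compared */
};

/*
 * Decode one LZO1X "long literal run" length marker the way the safe
 * decompressor does: each leading zero byte adds 255, the first non-zero
 * byte adds 15 + byte.  Then the bounds checks performed before copying t
 * literals: NEED_OP(t + 3) and NEED_IP(t + 4).  hardened == 0 is the
 * pre-patch logic; hardened != 0 adds the TEST_IV(t) guard from the patch.
 */
static struct run_length decode_literal_length(const uint8_t *ip,
                                               const uint8_t *ip_end,
                                               unsigned out_avail,
                                               int hardened)
{
    struct run_length r = { LZO_OK, 0, 0 };
    unsigned t = 0;

    if (ip >= ip_end) { r.status = LZO_INPUT_OVERRUN; return r; }      /* NEED_IP(1) */
    while (*ip == 0) {
        t += 255;                                   /* unsigned: wraps silently */
        ip++;
        if ((unsigned)(ip_end - ip) < 1u) { r.status = LZO_INPUT_OVERRUN; return r; }
    }
    /* TEST_IV(t): reject t above UINT_MAX - 510 so the additions below cannot wrap. */
    if (hardened && t > (unsigned)0 - 511u) { r.status = LZO_INPUT_OVERRUN; return r; }
    t += 15 + *ip++;
    r.t = t;
    r.need_op = t + 3;                              /* wraps to 0..2 when t >= UINT_MAX - 2 */
    if (out_avail < r.need_op) { r.status = LZO_OUTPUT_OVERRUN; return r; }           /* NEED_OP(t + 3) */
    if ((unsigned)(ip_end - ip) < t + 4) { r.status = LZO_INPUT_OVERRUN; return r; }  /* NEED_IP(t + 4) */
    return r;
}

/* Constructed input (not taken from any real .lzo stream): CRAFTED_ZEROS zero
 * bytes, then 0xEE, then one byte of literal data.  255 * 16843008 = 0xFFFFFF00,
 * so t = 0xFFFFFF00 + 15 + 0xEE = 0xFFFFFFFD and t + 3 wraps to 0. */
#define CRAFTED_ZEROS 16843008u

static struct run_length run_crafted(int hardened)
{
    size_t len = CRAFTED_ZEROS + 2;
    uint8_t *buf = malloc(len);
    struct run_length r = { LZO_INPUT_OVERRUN, 0, 0 };
    if (!buf) return r;
    memset(buf, 0, CRAFTED_ZEROS);
    buf[CRAFTED_ZEROS] = 0xEE;
    buf[CRAFTED_ZEROS + 1] = 0x41;
    r = decode_literal_length(buf, buf + len, 1024u, hardened);   /* 1024-byte output buffer */
    free(buf);
    return r;
}

/* A benign marker: first byte 0x03 means t = 15 + 3 = 18 literals. */
static struct run_length run_benign(void)
{
    uint8_t buf[1 + 22];            /* marker + the 18 + 4 bytes NEED_IP(t + 4) wants */
    memset(buf, 0x41, sizeof buf);
    buf[0] = 0x03;
    return decode_literal_length(buf, buf + sizeof buf, 1024u, 1);
}

/* Scalar accessors for checking outcomes without struct literals. */
static int crafted_status(int hardened) { return run_crafted(hardened).status; }
static unsigned crafted_t(int hardened) { return run_crafted(hardened).t; }
static unsigned crafted_need_op(int hardened) { return run_crafted(hardened).need_op; }
static unsigned benign_t(void) { return run_benign().t; }

int main(void)
{
    struct run_length v = run_crafted(0), h = run_crafted(1);
    printf("unpatched: status=%d t=0x%08x, NEED_OP compared %u against 1024 bytes of output\n",
           v.status, v.t, v.need_op);
    printf("patched:   status=%d (1 = input_overrun)\n", h.status);
    printf("benign:    t=%u\n", benign_t());
    return 0;
}
```

In the unpatched path the crafted input passes both bounds checks with status LZO_OK, yet the copy loop that follows would write t = 0xFFFFFFFD bytes into the 1024-byte output buffer; the patched path rejects the same input at TEST_IV before t is ever used as a length. Note that the 16.8 MB run of zeros is the cost of driving t near UINT_MAX on a 32-bit counter, which is why the guard sits on t rather than on the input size.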
--- Begin Message ---
On Tue, Nov 11, 2014 at 08:02:35PM +0300, Michael Tokarev wrote:
> 11.11.2014 18:08, Michael Tokarev wrote:
> > Please unblock package busybox.  Last upload has one security bugfix
> > (CVE-2014-4607, #768945), the fix is from upstream stable branch,
> > fixing an integer overflow in lzo decompressor; it adds a Built-Using
> > control field for busybox-static variant (#768926), and also arranges
> > build system to only produce binary or indep .debs (or both), depending
> > on the d/rules target (binary-all vs binary-indep vs binary) -- this
> > is a long-standing lintian bug which I overlooked previously.
> > 
> > (The Built-Using field generation is a bit fun here: I asked on IRC
> > how people identify which libc is in use, and got various somewhat-
> > incomplete replies (the prob is that on different arches, libc package
> > is named differently).  So I invented my own way for busybox, because
> > this package allows me to do that -- I took the contents of $shlibs:Depends
> > variable for the dynamically-linked version, and transformed it into
> > a list of sources required for Built-Using using dpkg-query.)
> 
> So this was a bit preliminary (following the "notify the release team
> early" rule too aggressively) -- this very Built-Using generation was
> broken due to an error on my part (trivial) and due to bug in dpkg,
> #588505.  I just uploaded new release fixing this, 1:1.22.0-11, will
> see how it goes first, and will ping this bug if everything is okay.
> (Yes, I verified the fixed release builds on kfreebsd-amd64 where
> the problematic release failed).

Closing for now, feel free to reopen when you're ready.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--- End Message ---
