Your message dated Wed, 12 Nov 2014 20:12:21 +0000
with message-id <20141112201221.GH21455@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#769129: unblock: busybox/1:1.22.0-10
has caused the Debian Bug report #769129,
regarding unblock: busybox/1:1.22.0-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
769129: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: debian-boot@lists.debian.org
- Subject: unblock: busybox/1:1.22.0-10
- From: Michael Tokarev <mjt@tls.msk.ru>
- Date: Tue, 11 Nov 2014 19:08:26 +0400
- Message-id: <20141111160826.9558.77721.reportbug@gandalf.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package busybox. Last upload has one security bugfix (CVE-2014-4607, #768945), the fix is from upstream stable branch, fixing an integer overflow in lzo decompressor; it adds a Built-Using control field for busybox-static variant (#768926), and also arranges build system to only produce binary or indep .debs (or both), depending on the d/rules target (binary-all vs binary-indep vs binary) -- this is a long-standing lintian bug which I overlooked previously.

(The Built-Using field generation is a bit fun here: I asked on IRC how people identify which libc is in use, and got various somewhat-incomplete replies (the prob is that on different arches, libc package is named differently). So I invented my own way for busybox, because this package allows me to do that -- I took the contents of $shlibs:Depends variable for the dynamically-linked version, and transformed it into a list of sources required for Built-Using using dpkg-query.)

There are no code changes except the lzo decompression bugfix, only packaging changes.

Thank you!

/mjt

unblock busybox/1:1.22.0-10

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog --- busybox-1.22.0/debian/changelog 2014-09-30 08:50:20.000000000 +0400 +++ busybox-1.22.0/debian/changelog 2014-11-11 17:07:46.000000000 +0300
@@ -1,3 +1,15 @@ +busybox (1:1.22.0-10) unstable; urgency=high + + * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945) + * add Built-Using control field for -static, deriving it from + regular build (this will be glibc) (Closes: #768926) + * install only arch/indep deb as requested by binary-arch or binary-indep + target. This fixes a long-standing lintian error, when package build + alway produces busybox-syslogd package which is arch:all and should not + be built on a buildd. + + -- Michael Tokarev <mjt@tls.msk.ru> Tue, 11 Nov 2014 17:07:34 +0300 + busybox (1:1.22.0-9) unstable; urgency=medium * cherry-pick find /BITS patch from upstream (Closes: #760637) diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control --- busybox-1.22.0/debian/control 2014-09-30 08:35:20.000000000 +0400 +++ busybox-1.22.0/debian/control 2014-11-10 15:06:53.000000000 +0300 @@ -33,6 +33,7 @@ Package: busybox-static Architecture: any +Built-Using: ${built-using} Depends: ${shlibs:Depends}, ${misc:Depends} Conflicts: busybox Replaces: busybox diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch --- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 1970-01-01 03:00:00.000000000 +0300 +++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 2014-11-10 15:06:53.000000000 +0300 
@@ -0,0 +1,67 @@ +From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.linux@googlemail.com> +Date: Mon, 30 Jun 2014 10:14:34 +0200 +Subject: lzop: add overflow check +Bug-Debian: http://bugs.debian.org/768945 + +See CVE-2014-4607 +http://www.openwall.com/lists/oss-security/2014/06/26/20 + +function old new delta +lzo1x_decompress_safe 1010 1031 +21 + +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> +--- + archival/libarchive/liblzo.h | 2 ++ + archival/libarchive/lzo1x_d.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h +index 843997c..4596620 100644 +--- a/archival/libarchive/liblzo.h ++++ b/archival/libarchive/liblzo.h +@@ -76,11 +76,13 @@ + # define TEST_IP (ip < ip_end) + # define NEED_IP(x) \ + if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun + + # undef TEST_OP /* don't need both of the tests here */ + # define TEST_OP 1 + # define NEED_OP(x) \ + if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun + + #define HAVE_ANY_OP 1 + +diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c +index 9bc1270..40b167e 100644 +--- a/archival/libarchive/lzo1x_d.c ++++ b/archival/libarchive/lzo1x_d.c +@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 15 + *ip++; + } + /* copy literals */ +@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 31 + *ip++; + } + #if defined(COPY_DICT) +@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 7 + *ip++; + } + #if defined(COPY_DICT) +-- +1.7.10.4 + diff -Nru busybox-1.22.0/debian/patches/series 
busybox-1.22.0/debian/patches/series --- busybox-1.22.0/debian/patches/series 2014-09-09 10:50:49.000000000 +0400 +++ busybox-1.22.0/debian/patches/series 2014-11-10 15:06:53.000000000 +0300 @@ -6,6 +6,7 @@ libarchive-open_zipped-does-not-need-to-check-extensions.diff libbb-open_zipped-should-not-fail-on-non-compressed-files.diff zcat:-complain-if-input-is-not-compressed.diff +lzop-add-overflow-check-CVE-2014-4607.patch # submitted fixes do-not-fail-on-missing-SIGPWR.patch diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules --- busybox-1.22.0/debian/rules 2014-09-30 08:49:10.000000000 +0400 +++ busybox-1.22.0/debian/rules 2014-11-11 17:06:54.000000000 +0300 @@ -126,15 +126,22 @@ rm -rf ${b} dh_clean -binary-arch: ${b}/stamp-build +# define $a variable to be one of -i (indep), -a (arch) or nothing (both) +a := +binary-indep: a := -i +binary-indep: install +binary-arch: a := -a +binary-arch: install +binary: install + +install: ${b}/stamp-build dh_testroot dh_testdir dh_prep - dh_installdirs - dh_installdocs - dh_installchangelogs - dh_install + dh_installdocs $a + dh_installchangelogs $a + dh_install $a # busybox dh_install -pbusybox ${b}/deb/busybox /bin 
@@ -165,21 +172,28 @@ # common actions - dh_strip - dh_link - dh_compress - dh_fixperms - dh_installdeb - dh_shlibdeps - dh_gencontrol - dh_md5sums - dh_builddeb - -binary: binary-indep binary-arch + dh_strip $a + dh_link $a + dh_compress $a + dh_fixperms $a + dh_installdeb $a + dh_shlibdeps $a + +# after shlibdeps finished, grab ${shlibs:Depends} from busybox package +# and transform it into Built-Using field. + if [ -f debian/busybox.substvars ]; then \ + pkgs=$$(sed -n -e's/([^)]*)//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \ + srcs="$$(dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $$pkgs)"; \ + echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \ + fi + + dh_gencontrol $a + dh_md5sums $a + dh_builddeb $a .PHONY: binary binary-arch binary-indep \ build build-arch build-indep \ - clean setup + clean setup install .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \ ${b}/stamp-%
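Review bot: typo in the third bullet of the new changelog entry: "alway produces busybox-syslogd package" should read "always produces the busybox-syslogd package"; the changelog text is shipped with the package, so it is worth fixing before the next upload.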
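Review bot: in lzop-add-overflow-check-CVE-2014-4607.patch each `TEST_IV(t);` is inserted after the `while (*ip == 0) { t += 255; ip++; NEED_IP(1); }` loop rather than inside it, so the bound is checked once before the final `t += 15 + *ip++` (or `31`/`7`) but not on each 255-step accumulation; a zero run long enough to wrap `t` inside the loop leaves a small value that the check accepts. Moving `TEST_IV(t);` into the loop body after `t += 255;` bounds the counter at every step. As a verbatim upstream cherry-pick this is acceptable for the unblock, but it is worth raising upstream. Also, `TEST_OV(x)` is added to liblzo.h next to `TEST_IV(x)` but nothing in this patch uses it.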
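Review bot: in the first debian/rules hunk `dh_installdirs` is removed together with the un-suffixed `dh_installdocs`/`dh_installchangelogs`/`dh_install` lines but is not reinstated with `$a`; confirm that no package has a debian/*.dirs file that relied on it, since `dh_install` only creates directories for files it installs. `dh_testroot`, `dh_testdir` and `dh_prep` also still run without `$a`; harmless, but `dh_prep $a` keeps the arch/indep split consistent with the rest of the recipe.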
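Review bot: the Built-Using extraction in the second debian/rules hunk strips parenthesised version constraints (`s/([^)]*)//g`) but not the commas separating dependencies, so if `shlibs:Depends` ever lists more than one library `$pkgs` contains words such as `libc6,` and `dpkg-query -W` fails on them; add `-e's/,/ /g'` (and drop any `| alternative` form) before handing the list to dpkg-query. The format string also leaves a trailing `, ` on the value, which a final `sed 's/, $//'` would remove. The follow-up in this thread reports that the first attempt failed on kfreebsd-amd64 (dpkg #588505), so the generated field should be inspected on the final build.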
--- End Message ---
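As an added example of the transformation the request above describes (the dynamic build's shlibs:Depends turned into a Built-Using value), written for this page and not taken from the busybox packaging: the function names, the sample substvars line and the simulated dpkg-query output are constructed, and dpkg-query itself is not invoked so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the busybox packaging: the two steps behind the
# Built-Using generation described in the unblock request. dpkg-query is
# not called; its answer is simulated by a constructed table.

# Step 1: reduce a "shlibs:Depends=..." line to bare package names.
# Version constraints "(...)", architecture qualifiers ":any", commas and
# "| alternative" forms are stripped (Built-Using must name one concrete
# source, so only the first alternative is kept).
shlibs_to_pkgs() {
    printf '%s\n' "$1" | sed \
        -e 's/^shlibs:Depends=//' \
        -e 's/([^)]*)//g' \
        -e 's/|[^,]*//g' \
        -e 's/:[a-z0-9-]*//g' \
        -e 's/,/ /g' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//'
}

# Step 2: join "<source> <version>" lines (the shape of
# dpkg-query -W -f '${source:Package} ${source:Version}\n' output) into a
# Built-Using value "src (= ver), src2 (= ver2)" with no trailing comma.
built_using_from_sources() {
    printf '%s\n' "$1" | awk '
        NF == 2 { entries[++n] = $1 " (= " $2 ")" }
        END {
            sep = ""
            for (i = 1; i <= n; i++) { printf "%s%s", sep, entries[i]; sep = ", " }
            printf "\n"
        }'
}

# Constructed sample input: a substvars line with two dependencies and an
# alternative, plus the simulated dpkg-query answer for those packages.
SAMPLE_SUBSTVARS='shlibs:Depends=libc6 (>= 2.17), libfoo1 (>= 1.2) | libfoo1-compat'
SAMPLE_QUERY='glibc 2.19-13
foo 1.2-1'

pkgs=$(shlibs_to_pkgs "$SAMPLE_SUBSTVARS")
echo "packages to query: $pkgs"
echo "built-using=$(built_using_from_sources "$SAMPLE_QUERY")"
```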
--- Begin Message ---
- To: Michael Tokarev <mjt@tls.msk.ru>, 769129-done@bugs.debian.org
- Subject: Re: Bug#769129: unblock: busybox/1:1.22.0-10
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Wed, 12 Nov 2014 20:12:21 +0000
- Message-id: <20141112201221.GH21455@lupin.home.powdarrmonkey.net>
- In-reply-to: <5462412B.7060805@msgid.tls.msk.ru>
- References: <20141111160826.9558.77721.reportbug@gandalf.local> <5462412B.7060805@msgid.tls.msk.ru>
On Tue, Nov 11, 2014 at 08:02:35PM +0300, Michael Tokarev wrote:
> 11.11.2014 18:08, Michael Tokarev wrote:
> > Please unblock package busybox. Last upload has one security bugfix
> > (CVE-2014-4607, #768945), the fix is from upstream stable branch,
> > fixing an integer overflow in lzo decompressor; it adds a Built-Using
> > control field for busybox-static variant (#768926), and also arranges
> > build system to only produce binary or indep .debs (or both), depending
> > on the d/rules target (binary-all vs binary-indep vs binary) -- this
> > is a long-standing lintian bug which I overlooked previously.
> >
> > (The Built-Using field generation is a bit fun here: I asked on IRC
> > how people identify which libc is in use, and got various somewhat-
> > incomplete replies (the prob is that on different arches, libc package
> > is named differently). So I invented my own way for busybox, because
> > this package allows me to do that -- I took the contents of $shlibs:Depends
> > variable for the dynamically-linked version, and transformed it into
> > a list of sources required for Built-Using using dpkg-query.
>
> So this was a bit preliminary (following the "notify the release team
> early" rule too aggressively) -- this very Built-Using generation was
> broken due to an error on my part (trivial) and due to a bug in dpkg,
> #588505. I just uploaded new release fixing this, 1:1.22.0-11, will
> see how it goes first, and will ping this bug if everything is okay.
> (Yes, I verified the fixed release builds on kfreebsd-amd64 where
> the problematic release failed).

Closing for now, feel free to reopen when you're ready.

Thanks,

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---