
Bug#771208: marked as done (unblock: busybox/1:1.22.0-9+deb8u1)



Your message dated Fri, 27 Feb 2015 18:59:05 +0100
with message-id <20150227175905.GE6127@ugent.be>
and subject line Re: Bug#771208: unblock: busybox/1:1.22.0-14
has caused the Debian Bug report #771208,
regarding unblock: busybox/1:1.22.0-9+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771208: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771208
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package busybox.  The last upload has one security bugfix
(CVE-2014-4607, #768945); the fix is from the upstream stable branch and
fixes an integer overflow in the lzo decompressor.  It also adds a
Built-Using control field for the busybox-static variant (#768926), and
arranges the build system to only produce binary or indep .debs (or
both), depending on the d/rules target (binary-all vs binary-indep vs
binary) -- this is a long-standing lintian bug which I overlooked
previously.

The busybox-static fix turned out to be a fun case, because I needed
a way to build-conflict on a non-broken libc (because the original
prob is in libc due to #754813), and that turned out to be a
not-so-trivial task, which resulted in several iterations.  Meanwhile I
discovered that current glibc is not able to produce working
statically linked executables on hurd which use nss functions --
a statically linked executable on hurd just segfaults.  So now,
after a fix for #768926, the busybox package does not build on hurd,
while previously it silently produced a failing busybox-static.
Hurd people are working on the fix.

(The Built-Using field generation is a bit fun here: I asked on IRC
how people identify which libc is in use, and got various somewhat
incomplete replies (the prob is that on different arches, the libc
package is named differently).  So I invented my own way for busybox,
because this package allows me to do that -- I took the contents of the
$shlibs:Depends variable for the dynamically-linked version, and
transformed it into a list of sources required for Built-Using using
dpkg-query.)

There are no code changes except the lzo decompression bugfix, only
packaging changes.

Since busybox is used in d-i too, I kindly request a udeb-unblock
too.

Previously I submitted an unblock request for busybox 1.22.0-10,
as #769129, but that turned out to be a bit preliminary because
of the fun with libc versioned build dependency iterations.

Thank you!

/mjt

unblock busybox/1:1.22.0-14

diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog
--- busybox-1.22.0/debian/changelog	2014-09-30 08:50:20.000000000 +0400
+++ busybox-1.22.0/debian/changelog	2014-11-14 12:53:24.000000000 +0300
@@ -1,3 +1,46 @@
+busybox (1:1.22.0-14) medium; urgency=low
+
+  * one more attempt to fix the glibc build-depend for #769190, now
+    using versioned build-dependency on libc-dev-bin which is named
+    this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Fri, 14 Nov 2014 12:52:18 +0300
+
+busybox (1:1.22.0-13) unstable; urgency=medium
+
+  * really fix #769190 the hard way, by build-conflicting with all
+    arch-specific names of libc with version <2.19-12 (Closes: #769190)
+  * check if glibc can produce working statically linked binaries
+    by performing a getpwnam("root") call before building (#754813)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 12 Nov 2014 23:59:30 +0300
+
+busybox (1:1.22.0-12) unstable; urgency=medium
+
+  * fix the previous changelog entry (wrong bug# was "fixed" and typos)
+  * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 12 Nov 2014 12:37:11 +0300
+
+busybox (1:1.22.0-11) unstable; urgency=medium
+
+  * fix the built-using generation in the previous upload -- did not
+    work correctly for != 1 dependency and #588505 in dpkg
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 19:24:21 +0300
+
+busybox (1:1.22.0-10) unstable; urgency=high
+
+  * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945)
+  * add Built-Using control field for -static, deriving it from
+    regular build (this will be glibc) (Closes: #768876)
+  * install only arch/indep deb as requested by binary-arch or binary-indep
+    target.  This fixes a long-standing lintian error, when package build
+    always produces busybox-syslogd package which is arch:all and should not
+    be built on a buildd.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 11 Nov 2014 17:07:34 +0300
+
 busybox (1:1.22.0-9) unstable; urgency=medium

   * cherry-pick find /BITS patch from upstream (Closes: #760637)
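Review bot: the distribution field of the 1:1.22.0-14 entry reads `medium` (`busybox (1:1.22.0-14) medium; urgency=low`), which is not a suite name; every other entry says `unstable`, and the value is copied literally into the Distribution field of the .changes file, so the upload would target a non-existent suite. The -10 entry also closes #768876 for the Built-Using field while the cover text cites #768926 for the same change; one of the two numbers looks like a typo and should be reconciled before upload.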
diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control
--- busybox-1.22.0/debian/control	2014-09-30 08:35:20.000000000 +0400
+++ busybox-1.22.0/debian/control	2014-11-14 12:52:17.000000000 +0300
@@ -5,7 +5,10 @@
 Uploaders: Bastian Blank <waldi@debian.org>, Michael Tokarev <mjt@tls.msk.ru>
 Build-Depends: debhelper (>= 9),
 # needs for testsuite to run
-  zip
+  zip,
+# glibc static-nss #754813, 2.19..2.19-11, -12 is ok. Depend on libc-dev-bin
+# as it is the package which is named the same on all architectures
+ libc-dev-bin (>> 2.19-12~) | libc-dev-bin (<< 2.19),
 Standards-Version: 3.9.5
 Vcs-Git: git://anonscm.debian.org/d-i/busybox.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=d-i/busybox.git
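Review bot: the alternation `libc-dev-bin (>> 2.19-12~) | libc-dev-bin (<< 2.19)` does express the broken range 2.19..2.19-11 correctly (`>> 2.19-12~` admits 2.19-12 itself and any `2.19-12~bpo...` build, since `~` sorts before the end of a version), but the continuation line is indented with one space while `zip,` above it uses two; align them. Since libc-dev-bin is only a proxy for the libc the static link really uses, the getpwnam() probe in debian/rules stays the actual guard; saying so in the comment would stop someone later dropping one check believing the other suffices.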
@@ -33,6 +36,7 @@

 Package: busybox-static
 Architecture: any
+Built-Using: ${built-using}
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: busybox
 Replaces: busybox
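Review bot: `Built-Using: ${built-using}` is unconditional, so whenever busybox-static is generated the substvar must be defined, otherwise dpkg-gencontrol only warns about an unknown substitution variable and emits an empty field; the rules change writes `built-using=` only when debian/busybox.substvars exists, so a build in which dh_shlibdeps produced nothing for the busybox package would silently ship busybox-static without Built-Using. Failing the build in that case is safer than an empty field.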
diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch
--- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	1970-01-01 03:00:00.000000000 +0300
+++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch	2014-11-10 15:06:53.000000000 +0300
@@ -0,0 +1,67 @@
+From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 30 Jun 2014 10:14:34 +0200
+Subject: lzop: add overflow check
+Bug-Debian: http://bugs.debian.org/768945
+
+See CVE-2014-4607
+http://www.openwall.com/lists/oss-security/2014/06/26/20
+
+function                                             old     new   delta
+lzo1x_decompress_safe                               1010    1031     +21
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ archival/libarchive/liblzo.h  |    2 ++
+ archival/libarchive/lzo1x_d.c |    3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h
+index 843997c..4596620 100644
+--- a/archival/libarchive/liblzo.h
++++ b/archival/libarchive/liblzo.h
+@@ -76,11 +76,13 @@
+ #    define TEST_IP             (ip < ip_end)
+ #    define NEED_IP(x) \
+             if ((unsigned)(ip_end - ip) < (unsigned)(x))  goto input_overrun
++#    define TEST_IV(x)          if ((x) > (unsigned)0 - (511)) goto input_overrun
+
+ #    undef TEST_OP              /* don't need both of the tests here */
+ #    define TEST_OP             1
+ #    define NEED_OP(x) \
+             if ((unsigned)(op_end - op) < (unsigned)(x))  goto output_overrun
++#    define TEST_OV(x)          if ((x) > (unsigned)0 - (511)) goto output_overrun
+
+ #define HAVE_ANY_OP 1
+
+diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c
+index 9bc1270..40b167e 100644
+--- a/archival/libarchive/lzo1x_d.c
++++ b/archival/libarchive/lzo1x_d.c
+@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 				ip++;
+ 				NEED_IP(1);
+ 			}
++			TEST_IV(t);
+ 			t += 15 + *ip++;
+ 		}
+ 		/* copy literals */
+@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 31 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len,
+ 						ip++;
+ 						NEED_IP(1);
+ 					}
++					TEST_IV(t);
+ 					t += 7 + *ip++;
+ 				}
+ #if defined(COPY_DICT)
+--
+1.7.10.4
+
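Review bot: `TEST_OV(x)` is added to liblzo.h beside `TEST_IV(x)` but none of the lzo1x_d.c hunks call it; either drop it or add the call site it was meant for, so the header does not carry a dead macro. The `TEST_IV(t)` placement is sound for the bounds-safety goal: it runs after each `while (*ip == 0) { t += 255; ... }` loop and rejects any `t` within 511 of UINT_MAX, so the following `t += 15 + *ip++` (or 31/7) adds at most 270 and cannot wrap; a `t` that wrapped all the way round inside the loop comes out small and only yields a wrong, bounded length. A one-line comment saying where 511 comes from would help future readers.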
diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series
--- busybox-1.22.0/debian/patches/series	2014-09-09 10:50:49.000000000 +0400
+++ busybox-1.22.0/debian/patches/series	2014-11-10 15:06:53.000000000 +0300
@@ -6,6 +6,7 @@
 libarchive-open_zipped-does-not-need-to-check-extensions.diff
 libbb-open_zipped-should-not-fail-on-non-compressed-files.diff
 zcat:-complain-if-input-is-not-compressed.diff
+lzop-add-overflow-check-CVE-2014-4607.patch

 # submitted fixes
 do-not-fail-on-missing-SIGPWR.patch
diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules
--- busybox-1.22.0/debian/rules	2014-09-30 08:49:10.000000000 +0400
+++ busybox-1.22.0/debian/rules	2014-11-13 00:22:41.000000000 +0300
@@ -41,11 +41,24 @@
 EXTRA_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)
 EXTRA_CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)

+${b}/test754813.stamp:
+	mkdir -p ${b}
+	@echo "Checking if libc can produce working static binaries"
+	echo 'int main(void) { return getpwnam("root") ? 0 : 1; }' > ${b}/test754813.c
+	${CC} -static -o ${b}/test754813 ${b}/test754813.c
+	@${b}/test754813 || { \
+	  echo "E: your libc does not produce working statically linked binaries" >&2 ; \
+	  echo "E: glibc-2.19 is known to have this bug: http://bugs.debian.org/754813"; >&2 ; \
+	  echo "E: and https://sourceware.org/bugzilla/show_bug.cgi?id=17250"; >&2 ; \
+	  echo "E: please update your libc" >&2 ; \
+	  exit 1 ; }
+	touch $@
+
 build: build-arch build-indep
 build-indep:

 ${b}/%/.stamp-setup: DIR = ${b}/$*
-${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS}
+${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS} ${b}/test754813.stamp
 	dh_testdir
 	rm -rf ${DIR}
 	mkdir -p ${DIR}
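Review bot: on the two lines `echo "E: glibc-2.19 is known to have this bug: ..."; >&2 ; \` and `echo "E: and https://sourceware.org/..."; >&2 ; \` the semicolon sits before the redirection, so those messages go to stdout and `>&2` becomes an empty command; move `>&2` in front of the `;` as on the other two echo lines. The generated probe calls getpwnam() without `#include <pwd.h>`, relying on an implicit declaration (a pointer truncated to int on 64-bit targets) that newer compilers reject; emit `#include <pwd.h>` in the generated source. Running `${b}/test754813` also executes a host-architecture binary, so this stamp rule breaks cross-builds; skip or guard it when DEB_BUILD_ARCH differs from DEB_HOST_ARCH.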
@@ -126,15 +139,22 @@
 	rm -rf ${b}
 	dh_clean

-binary-arch: ${b}/stamp-build
+# define $a variable to be one of -i (indep), -a (arch) or nothing (both)
+a :=
+binary-indep: a := -i
+binary-indep: install
+binary-arch: a := -a
+binary-arch: install
+binary: install
+
+install: ${b}/stamp-build
 	dh_testroot
 	dh_testdir
 	dh_prep

-	dh_installdirs
-	dh_installdocs
-	dh_installchangelogs
-	dh_install
+	dh_installdocs $a
+	dh_installchangelogs $a
+	dh_install $a

 # busybox
 	dh_install -pbusybox ${b}/deb/busybox /bin
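Review bot: `dh_installdirs` is removed from the install sequence without a replacement, so any debian/*.dirs file would no longer be honoured; either confirm none exists or keep `dh_installdirs $a`. The `a := -i` / `a := -a` target-specific assignments do propagate to the `install` prerequisite, which this scheme relies on, but `$a` inside recipes is easy to misread as a shell variable; `$(a)` would make the make variable explicit.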
@@ -165,21 +185,30 @@

 # common actions

-	dh_strip
-	dh_link
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_shlibdeps
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
+	dh_strip $a
+	dh_link $a
+	dh_compress $a
+	dh_fixperms $a
+	dh_installdeb $a
+	dh_shlibdeps $a
+
+# after shlibdeps finished, grab ${shlibs:Depends} from busybox package
+# and transform it into Built-Using field (also dpkg-query bug #588505)
+	if [ -f debian/busybox.substvars ]; then \
+	  pkgs=$$(sed -n -e's/([^)]*)//g' -e's/,//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \
+	  srcs=; for p in $$pkgs; do \
+	    srcs="$$srcs $$(dpkg-query -f '$${source:Package} (= $${source:Version}),' -W $$p)"; \
+	  done ; \
+	  echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \
+	fi

-binary: binary-indep binary-arch
+	dh_gencontrol $a
+	dh_md5sums $a
+	dh_builddeb $a

 .PHONY: binary binary-arch binary-indep \
 	build build-arch build-indep \
-	clean setup
+	clean setup install

 .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \
 	${b}/stamp-%
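Review bot: inside the `for p in $$pkgs` loop a failing `dpkg-query -W $$p` only fails the `srcs=` assignment, and make runs the recipe with `sh` without `-e`, so the loop continues and that source quietly disappears from Built-Using; append `|| exit 1` to the assignment. The sed expression strips versions and commas but leaves `|` alternatives untouched, so such a token would reach dpkg-query verbatim; handle or reject it explicitly. The `-f` format also leaves a trailing comma on the generated value; stripping it keeps the field tidy.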

--- End Message ---
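Added illustration (written here, not busybox's or the Debian package's code) of the length-run overflow that the CVE-2014-4607 patch above guards against: the decoder's `t` grows by 255 per leading zero byte, so a crafted run can push a 32-bit `t` right up to UINT32_MAX and the following `t += 15 + *ip++` wraps, while the patch's `TEST_IV(t)` rejects the input first. `decode_len` and `overflow_case` are constructed helpers that model only this part of lzo1x_decompress_safe and assume a 32-bit `uint32_t` length, as the original's `unsigned` is on common targets.

```c
#include <stdint.h>
#include <stdlib.h>

enum { LEN_OK = 0, LEN_INPUT_OVERRUN = 1 };   /* mirrors input_overrun */

/* TEST_IV from the patch: reject t once it is within 511 of wrapping. */
#define TEST_IV(x) if ((x) > (uint32_t)0 - 511) return LEN_INPUT_OVERRUN

/* Decode one extended-length run the way lzo1x_d.c does: each leading zero
 * byte adds 255, the first non-zero byte ends the run and adds base + byte
 * (base is 15, 31 or 7 at the three patched sites).  checked != 0 applies
 * TEST_IV before the final add, which is where the patch places it. */
static int decode_len(const uint8_t *in, size_t in_len, uint32_t base,
                      int checked, uint32_t *out)
{
    const uint8_t *ip = in, *ip_end = in + in_len;
    uint32_t t = 0;
    if (ip >= ip_end) return LEN_INPUT_OVERRUN;
    while (*ip == 0) {
        t += 255;                        /* 32-bit t, wraps silently */
        ip++;
        if (ip_end - ip < 1) return LEN_INPUT_OVERRUN;   /* NEED_IP(1) */
    }
    if (checked) TEST_IV(t);
    t += base + *ip++;                   /* wraps if t is near UINT32_MAX */
    *out = t;
    return LEN_OK;
}

/* Convenience wrapper: decoded literal-run length, or -2 on input_overrun. */
static long long decode_bytes(const uint8_t *in, size_t n, int checked)
{
    uint32_t t;
    return decode_len(in, n, 15, checked, &t) == LEN_OK ? (long long)t : -2;
}

/* Constructed worst case: 16843009 zero bytes drive t to exactly UINT32_MAX
 * (16843009 * 255), then a 0x01 terminator.  Returns the decoded length
 * (wrapped to 15 when unchecked), -2 when rejected, -1 on allocation failure. */
static long long overflow_case(int checked)
{
    size_t zeros = 16843009, n = zeros + 1;
    uint8_t *buf = calloc(n, 1);
    if (!buf) return -1;
    buf[zeros] = 0x01;
    long long r = decode_bytes(buf, n, checked);
    free(buf);
    return r;
}
```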
--- Begin Message ---
Hi,

On Fri, Feb 27, 2015 at 03:29:03PM +0100, Cyril Brulebois wrote:
> > This probably counts as a d-i ack, but an explicit ack would be nice.
> 
> I probably really wanted to get stuff pushed to git first, but now that
> it's done… here's an explicit d-i ack for you.

Added unblock-udeb.

Cheers,

Ivo

--- End Message ---