Bug#742882: apt: Does not support LFS .deb packages on 32-bit systems

To: submit@bugs.debian.org
Subject: Bug#742882: apt: Does not support LFS .deb packages on 32-bit systems
From: Guillem Jover <guillem@debian.org>
Date: Fri, 28 Mar 2014 14:42:41 +0100
Message-id: <[🔎] 20140328134241.GA31745@gaara.hadrons.org>
Reply-to: Guillem Jover <guillem@debian.org>, 742882@bugs.debian.org

Package: apt
Version: 0.9.16.1
Severity: normal

Hi!

Somewhat recently apt was fixed to add LFS for the ar containers, but
the tarballs within are still not LFS-safe on 32-bit systems.

Here's a list of issues I've spotted by code staring, I've not tested
anything, and I should create LFS .deb tests for the tar members too
in dpkg/pkg-tests.git.

Types (should be off_t, long long or any other 64-bit-safe type):

 - ARArchive::Member::Start.
 - pkgDirStream::Size.
 - pkgDirStream::Process(), Size and Pos arguments.
 - ExtractTar::Go(), Size and Read variables, and cast truncation.

The following I guess more out of correctness, as I don't expect to
see > 4 GiB control files around:

 - debDebFile::MemControlExtract::Length.
 - debDebFile::MemControlExtract::Process(), Size and Pos arguments.
 - debDebFile::MemControlExtract::TakeControl(), Size argument.

These are minor issues, and would be related to either bogus or
malicious archives, but probably still good to handle:

 - ExtractTar::Go(), GNU_LongLink and GNU_LongName short Length which
   would truncate from Itm.Size.

Thanks,
Guillem

Reply to:

Prev by Date: Bug#742835: apt: Garbage on apt-cache dumpavail with Acquire::GzipIndexes
Next by Date: Bug#742885: python-apt: Does not support LFS .deb packages on 32-bit systems
Previous by thread: Bug#742835: apt: Garbage on apt-cache dumpavail with Acquire::GzipIndexes
Next by thread: Bug#742885: python-apt: Does not support LFS .deb packages on 32-bit systems
Index(es):
- Date
- Thread