Bug#742882: apt: Does not support LFS .deb packages on 32-bit systems
Package: apt
Version: 0.9.16.1
Severity: normal
Hi!

Somewhat recently apt was fixed to add LFS for the ar containers, but
the tarballs within are still not LFS-safe on 32-bit systems.

Here's a list of issues I've spotted by code staring, I've not tested
anything, and I should create LFS .deb tests for the tar members too
in dpkg/pkg-tests.git.

Types (should be off_t, long long or any other 64-bit-safe type):

- ARArchive::Member::Start.
- pkgDirStream::Size.
- pkgDirStream::Process(), Size and Pos arguments.
- ExtractTar::Go(), Size and Read variables, and cast truncation.

The following I guess more out of correctness, as I don't expect to
see > 4 GiB control files around:

- debDebFile::MemControlExtract::Length.
- debDebFile::MemControlExtract::Process(), Size and Pos arguments.
- debDebFile::MemControlExtract::TakeControl(), Size argument.

These are minor issues, and would be related to either bogus or
malicious archives, but probably still good to handle:

- ExtractTar::Go(), GNU_LongLink and GNU_LongName short Length which
  would truncate from Itm.Size.

Thanks,
Guillem
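The truncation class the report lists, as an added example that is not part of the report and not apt's code: a tar size field decoded into 64 bits, then narrowed with and without a range check. ParseTarSize and CheckedNarrow are hypothetical names, the 5 GiB and 70000-byte values are constructed, and the 16-bit case assumes an unsigned short length.

```cpp
// Added illustration: hypothetical helper names, not apt's code.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>

// Decode the 12-byte size field of a tar header into 64 bits. Handles the
// octal form and the GNU base-256 form (first byte has the high bit set).
bool ParseTarSize(const unsigned char *f, uint64_t &out) {
    uint64_t v = 0;
    if (f[0] & 0x80) {
        // Reject negatives and anything that needs more than 64 bits.
        if ((f[0] & 0x7f) || f[1] || f[2] || f[3]) return false;
        for (int i = 4; i < 12; ++i) v = (v << 8) | f[i];
        out = v;
        return true;
    }
    int i = 0;
    while (i < 12 && f[i] == ' ') ++i;
    int digits = 0;
    for (; i < 12 && f[i] >= '0' && f[i] <= '7'; ++i, ++digits)
        v = (v << 3) | static_cast<uint64_t>(f[i] - '0');  // at most 36 bits
    for (; i < 12; ++i)
        if (f[i] != ' ' && f[i] != '\0') return false;     // trailing junk
    if (digits == 0) return false;
    out = v;
    return true;
}

// Narrow to a smaller unsigned type only when the value fits, so an oversized
// member is rejected instead of wrapping around.
template <typename T>
bool CheckedNarrow(uint64_t in, T &out) {
    if (in > std::numeric_limits<T>::max()) return false;
    out = static_cast<T>(in);
    return true;
}

int main() {
    unsigned char field[12];
    std::memcpy(field, "50000000000", 12);  // constructed: 5 GiB in octal
    uint64_t size = 0;
    uint32_t narrow = 0;
    unsigned short len = 0;
    if (!ParseTarSize(field, size)) return 1;
    std::printf("64-bit size:       %llu\n", (unsigned long long)size);
    std::printf("unchecked 32-bit:  %u\n", static_cast<uint32_t>(size));
    std::printf("checked 32-bit ok: %d\n", CheckedNarrow(size, narrow));
    std::printf("70000 as ushort:   %u\n", (unsigned)static_cast<unsigned short>(70000));
    std::printf("checked ushort ok: %d\n", CheckedNarrow<unsigned short>(70000, len));
    return 0;
}
```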