Your message dated Fri, 17 Mar 2017 09:32:17 +0000 with message-id <[email protected]> and subject line Bug#857975: fixed in strip-nondeterminism 0.032-1 has caused the Debian Bug report #857975, regarding strip-nondeterminism: endless loop while stripping ar files to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
857975: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857975
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: strip-nondeterminism
Version: 0.031-1
Severity: important

It is possible to trigger an endless loop while stripping ar files which contain an illegal file size.

How to reproduce:

echo H4sICHfpylgCA3Rlc3QuYQBTtEksSs6w49JXQAUGGGwIaWZiA\
qZ1zWAqErgAcKtfFkQAAAA= | base64 -d | gzip -d > loop.a
strip-nondeterminism loop.a

See this patch for a possible solution:

diff --git a/lib/File/StripNondeterminism/handlers/ar.pm b/lib/File/StripNondeterminism/handlers/ar.pm index 660fa8f..a71307a 100644 --- a/lib/File/StripNondeterminism/handlers/ar.pm +++ b/lib/File/StripNondeterminism/handlers/ar.pm @@ -67,6 +67,8 @@ sub normalize { my $file_size = substr($buf, 48, 10); seek $fh, $file_header_start + 16, SEEK_SET; + die "Incorrect file size" if $file_size < 1; + # mtime syswrite $fh, sprintf("%-12d", $File::StripNondeterminism::canonical_time // 0);
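
Review bot: the added `die "Incorrect file size" if $file_size < 1;` compares the raw 10-character `substr($buf, 48, 10)` field numerically, so it depends on Perl's string-to-number coercion: a field such as `12abc` numifies to 12 and passes the check. Matching the field against a strict pattern first (for example `/^\d+\s*$/`) and dying otherwise would reject negative and non-numeric values explicitly. The `< 1` bound also rejects a size of 0, which is a valid empty ar member; the loop is not in the visible context, so it is worth confirming whether 0 really has to be refused or whether only values that fail the pattern do. Only a lower bound is checked here; comparing the size against the bytes remaining in the archive would cover oversized values too. Including `$file_header_start` in the error message would make a rejected archive easier to diagnose.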
--- End Message ---
--- Begin Message ---
Source: strip-nondeterminism
Source-Version: 0.032-1

We believe that the bug you reported is fixed in the latest version of strip-nondeterminism, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated strip-nondeterminism package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 17 Mar 2017 09:25:53 +0100
Source: strip-nondeterminism
Binary: libfile-stripnondeterminism-perl strip-nondeterminism dh-strip-nondeterminism
Architecture: source
Version: 0.032-1
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description:
 dh-strip-nondeterminism - file non-deterministic information stripper — Debhelper add-on
 libfile-stripnondeterminism-perl - file non-deterministic information stripper — Perl module
 strip-nondeterminism - file non-deterministic information stripper — stand-alone tool
Closes: 857975
Changes:
 strip-nondeterminism (0.032-1) unstable; urgency=medium
 .
   * Add support for testing files we should reject.
   * Fix a possible endless loop while stripping ar files due to trusting the
     file's file size data. Thanks to Tobias Stoeckmann ([email protected])
     for the report, patch and testcase. (Closes: #857975)
--- End Message ---

