Bug#1051322: marked as done (libarchive: Use native order of the files in ISO images)

[Debian Bug Tracking System]

Your message dated Sat, 14 Oct 2023 15:49:54 +0000
with message-id <e1qrgtm-00ebyh...@fasolo.debian.org>
and subject line Bug#1051322: fixed in libarchive 3.7.2-1
has caused the Debian Bug report #1051322,
regarding libarchive: Use native order of the files in ISO images
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051322
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: libarchive13
Version: 3.6.2-1
Severity: normal
Tags: patch

Hello maintainers of libarchive,

While building the Debian Live ISO images, I've seen that the output of 'bsdtar
-tf myfile.ISO' has a reordering of the hardlinks and symlinks that are inside
the ISO image [1].

At [1] I've provided a minimal example to generate 2 ISO files with a small
difference.
With 'bsdtar -tf filename' it can be seen that the linked files are not
processed in the native order in the ISO file.
For comparison, 'isoinfo' outputs the files in the native order.

I've traced it down to a key collision issue and provide a patch.
For a 100% solution, it would need a 128-bit key, but I didn't want to walk
that road, given the current size of ISO images.

If you prefer it, I can also generate a MR.

With kind regards,
Roland Clobus

[1] https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/350


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libarchive13 depends on:
ii  libacl1     2.3.1-3
ii  libbz2-1.0  1.0.8-5+b1
ii  libc6       2.37-7
ii  liblz4-1    1.9.4-1
ii  liblzma5    5.4.4-0.1
ii  libnettle8  3.9.1-2
ii  libxml2     2.9.14+dfsg-1.3
ii  libzstd1    1.5.5+dfsg2-1
ii  zlib1g      1:1.2.13.dfsg-3

libarchive13 recommends no packages.

Versions of packages libarchive13 suggests:
pn  lrzip  <none>

-- no debconf information

diff --git a/libarchive/archive_read_support_format_iso9660.c 
b/libarchive/archive_read_support_format_iso9660.c
index 33bf330c..1690b800 100644
--- a/libarchive/archive_read_support_format_iso9660.c
+++ b/libarchive/archive_read_support_format_iso9660.c
@@ -3015,6 +3015,11 @@ heap_add_entry(struct archive_read *a, struct heap_queue 
*heap,
        uint64_t file_key, parent_key;
        int hole, parent;
 
+       /* Reserve 16 bits for possible key collisions (needed for linked 
items) */
+       /* For ISO files with more than 65535 entries, reordering will still 
occur */
+       key <<= 16;
+       key += heap->used & 0xFFFF;
+
        /* Expand our pending files list as necessary. */
        if (heap->used >= heap->allocated) {
                struct file_info **new_pending_files;

--- End Message ---

--- Begin Message ---

Source: libarchive
Source-Version: 3.7.2-1
Done: Peter Pentchev <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <r...@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Oct 2023 18:28:55 +0300
Source: libarchive
Architecture: source
Version: 3.7.2-1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <r...@debian.org>
Changed-By: Peter Pentchev <r...@debian.org>
Closes: 1051322
Changes:
 libarchive (3.7.2-1) unstable; urgency=medium
 .
   * Add the iso9660-hash patch to fix file ordering. Closes: #1051322
   * Add the year 2023 to my debian/* copyright notice.
   * Declare compatibility with version 1 of the dpkg build API:
     - drop the implied Rules-Requires-Root declaration
     - include dpkg's default.mk file for completeness
   * Use dh-package-notes to record ELF package metadata.
   * New upstream version:
     - build and install the new bsdunzip tool in libarchive-tools
     - drop the iconv-pkgconfig patch, applied upstream
     - update the upstream copyright information
   * Do not detect -amd64 versions in the watch file.
   * Add the test-zstd-32bit upstream patch.
Checksums-Sha1:
 6d68464e4284dab16006a2cf154b266fe0b0b8ac 2689 libarchive_3.7.2-1.dsc
 e87b78ef5e9328d99f537a42de7c64492597945d 5237056 libarchive_3.7.2.orig.tar.xz
 6ce80a5e20c287c794ce67f6088bbbfcebd9dbca 659 libarchive_3.7.2.orig.tar.xz.asc
 9976d0bb908b691585af8fc7f5d4792eb8ef611d 26740 libarchive_3.7.2-1.debian.tar.xz
Checksums-Sha256:
 10de781c74b44e57f389167b42cd77b81658b642c598095c93e45c1528e994e4 2689 
libarchive_3.7.2-1.dsc
 04357661e6717b6941682cde02ad741ae4819c67a260593dfb2431861b251acb 5237056 
libarchive_3.7.2.orig.tar.xz
 2c2b98622c2f3e59608118fae3e412c900100ec1bf9f825775930b3a8b4f5635 659 
libarchive_3.7.2.orig.tar.xz.asc
 7ddb0fda6d45f8eaa7b67741d0e68601193e9dc00fab977872999d040ba89fae 26740 
libarchive_3.7.2-1.debian.tar.xz
Files:
 c8da48bedb08c2603564687d22bd57a3 2689 libs optional libarchive_3.7.2-1.dsc
 4f4ef6a17c7b0b484aa2c95aa6deefac 5237056 libs optional 
libarchive_3.7.2.orig.tar.xz
 6b8a0e8bd9408de41a702eeeae281fe4 659 libs optional 
libarchive_3.7.2.orig.tar.xz.asc
 9a31d8028c28d654766f142d930b993f 26740 libs optional 
libarchive_3.7.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmUqtGAQHHJvYW1AZGVi
aWFuLm9yZwAKCRBlHu+wJSffE+1ND/9lL2Upf5f/sQNgOmcseet/B/Xtll+y2ZiM
rauLY5Te9JWZ+fdv+XXnCACOEKy8WpbwbrS6/dAm/PxirNlzhrbGT6SDuR6pylar
a02QSeyNT87CwbOtRpgtJC8p9ml/LnHGepcJ4NmzfVm6nHlNDC8hYW6Wq8c8fzYi
RpVKW/WxNh2X7tSyowvfmKvSdawGyXbbaC1uAoHUmPQUrdnpj9dp2kI4MGrHqVtN
laW8x3HJrpKiKkt90OyoEQ3gFMZjDmhA6te5KFlURH23Z5yvlzFmWAMjzcHuG+xe
pM5iCa+H02b2uTop0SXiVhXntAzE+AZMeqmuzmETGSN84GP2RZEi/S9Mc9SaRNSl
R4dBp8WJE3IL4MtREuLblS+Dg4kB0FyeuSU2G2RhL5XKCsq3fod2h3HObOSvzU/G
0oFW6zqiR0xrN5q+JVnlCB92E+2yxZXdjChEISgLJJYdmH+oNhQEyOGdtIzzSBPK
PwX0511GGPdEG++CBaVoqe5sAzcOuX2HFG0yoeuRqAMwAcLZIPyajqq7eb98dxUg
EfbjfLuGQG1G4kGrDU2T8mAfF/oyKaLiv3uwh+ult51alGxBTZk8sZNa961Z8c8D
OaDVbm8tD8PSGSHr72AXEO6PXNPURxFjWMpUstAkFQzUqO0nSOLYtObe8hpbGkvm
m8DtU7sMnA==
=t6GY
-----END PGP SIGNATURE-----

--- End Message ---