Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package busybox. Last upload has one security bugfix (CVE-2014-4607, #768945), the fix is from upstream stable branch, fixing an integer overflow in lzo decompressor; it adds a Built-Using control field for busybox-static variant (#768926), and also arranges build system to only produce binary or indep .debs (or both), depending on the d/rules target (binary-all vs binary-indep vs binary) -- this is a long-standing lintian bug which I overlooked previously. The busybox-static fix turned out to be a fun case, because I needed a way to build-conflict on a non-broken libc (because the original prob is in libc due to #754813), and that turned out to be a not-so- trivial task, which resulted in several iterations. Meanwhile I discovered that current glibc is not able to produce working stati- cally linked executables on hurd which uses nss functions -- statically linked executable on hurd just segfaults. So now, after a fix for #768926, busybox package does not build on hurd, while previously it silently produced failing busybox-static. Hurd people are working on the fix. (The Built-Using field generation is a bit fun here: I asked on IRC how people identify which libc is in use, and got various somewhat- incpmplete replies (the prob is that on different arches, libc package is named differently). So I invented my own way for busybox, because this package allows me to do that -- I took the contents of $shlibs:Depends variable for the dynamically-linked version, and transformed it into a list of sources required for Built-Using using dpkg-query.) There's no code changes except the lzo decompression bugfix, only packaging changes. Since busybox is used in d-i too, I kindly request for a udeb-unblock too. Previously I submitted an unblock request for busybox 1.22.0-10, as #769129, but that turned out to be a bit preliminary because of the fun with libc versioned build dependency iterations. Thank you! /mjt unblock busybox/1:1.22.0-14 diff -Nru busybox-1.22.0/debian/changelog busybox-1.22.0/debian/changelog --- busybox-1.22.0/debian/changelog 2014-09-30 08:50:20.000000000 +0400 +++ busybox-1.22.0/debian/changelog 2014-11-14 12:53:24.000000000 +0300 @@ -1,3 +1,46 @@ +busybox (1:1.22.0-14) medium; urgency=low + + * one more attempt to fix the glibc build-depend for #769190, now + using versioned build-dependency on libc-dev-bin which is named + this way on all architectures (unlike libc6|libc6.1|libc0.1|libc0.3) + + -- Michael Tokarev <m...@tls.msk.ru> Fri, 14 Nov 2014 12:52:18 +0300 + +busybox (1:1.22.0-13) unstable; urgency=medium + + * really fix #769190 the hard way, by build-conflicting with all + arch-specific names of libc with version <2.19-12 (Closes: #769190) + * check if glibc can produce working statically linked binaries + by performing a getpwnam("root") call before building (#754813) + + -- Michael Tokarev <m...@tls.msk.ru> Wed, 12 Nov 2014 23:59:30 +0300 + +busybox (1:1.22.0-12) unstable; urgency=medium + + * fix the previous changelog entry (wrong bug# was "fixed" and typos) + * ensure we build against non-broken glibc (>=2.19-12) (Closes: #769190) + + -- Michael Tokarev <m...@tls.msk.ru> Wed, 12 Nov 2014 12:37:11 +0300 + +busybox (1:1.22.0-11) unstable; urgency=medium + + * fix the built-using generation in the previous upload -- did not + work correctly for != 1 dependency and #588505 in dpkg + + -- Michael Tokarev <m...@tls.msk.ru> Tue, 11 Nov 2014 19:24:21 +0300 + +busybox (1:1.22.0-10) unstable; urgency=high + + * lzop-add-overflow-check-CVE-2014-4607.patch (Closes: #768945) + * add Built-Using control field for -static, deriving it from + regular build (this will be glibc) (Closes: #768876) + * install only arch/indep deb as requested by binary-arch or binary-indep + target. This fixes a long-standing lintian error, when package build + always produces busybox-syslogd package which is arch:all and should not + be built on a buildd. + + -- Michael Tokarev <m...@tls.msk.ru> Tue, 11 Nov 2014 17:07:34 +0300 + busybox (1:1.22.0-9) unstable; urgency=medium * cherry-pick find /BITS patch from upstream (Closes: #760637) diff -Nru busybox-1.22.0/debian/control busybox-1.22.0/debian/control --- busybox-1.22.0/debian/control 2014-09-30 08:35:20.000000000 +0400 +++ busybox-1.22.0/debian/control 2014-11-14 12:52:17.000000000 +0300 @@ -5,7 +5,10 @@ Uploaders: Bastian Blank <wa...@debian.org>, Michael Tokarev <m...@tls.msk.ru> Build-Depends: debhelper (>= 9), # needs for testsuite to run - zip + zip, +# glibc static-nss #754813, 2.19..2.19-11, -12 is ok. Depend on libc-dev-bin +# as it is the package which is named the same on all architectures + libc-dev-bin (>> 2.19-12~) | libc-dev-bin (<< 2.19), Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/d-i/busybox.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=d-i/busybox.git @@ -33,6 +36,7 @@ Package: busybox-static Architecture: any +Built-Using: ${built-using} Depends: ${shlibs:Depends}, ${misc:Depends} Conflicts: busybox Replaces: busybox diff -Nru busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch --- busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 1970-01-01 03:00:00.000000000 +0300 +++ busybox-1.22.0/debian/patches/lzop-add-overflow-check-CVE-2014-4607.patch 2014-11-10 15:06:53.000000000 +0300 @@ -0,0 +1,67 @@ +From a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <vda.li...@googlemail.com> +Date: Mon, 30 Jun 2014 10:14:34 +0200 +Subject: lzop: add overflow check +Bug-Debian: http://bugs.debian.org/768945 + +See CVE-2014-4607 +http://www.openwall.com/lists/oss-security/2014/06/26/20 + +function old new delta +lzo1x_decompress_safe 1010 1031 +21 + +Signed-off-by: Denys Vlasenko <vda.li...@googlemail.com> +--- + archival/libarchive/liblzo.h | 2 ++ + archival/libarchive/lzo1x_d.c | 3 +++ + 2 files changed, 5 insertions(+) + +diff --git a/archival/libarchive/liblzo.h b/archival/libarchive/liblzo.h +index 843997c..4596620 100644 +--- a/archival/libarchive/liblzo.h ++++ b/archival/libarchive/liblzo.h +@@ -76,11 +76,13 @@ + # define TEST_IP (ip < ip_end) + # define NEED_IP(x) \ + if ((unsigned)(ip_end - ip) < (unsigned)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (unsigned)0 - (511)) goto input_overrun + + # undef TEST_OP /* don't need both of the tests here */ + # define TEST_OP 1 + # define NEED_OP(x) \ + if ((unsigned)(op_end - op) < (unsigned)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (unsigned)0 - (511)) goto output_overrun + + #define HAVE_ANY_OP 1 + +diff --git a/archival/libarchive/lzo1x_d.c b/archival/libarchive/lzo1x_d.c +index 9bc1270..40b167e 100644 +--- a/archival/libarchive/lzo1x_d.c ++++ b/archival/libarchive/lzo1x_d.c +@@ -92,6 +92,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 15 + *ip++; + } + /* copy literals */ +@@ -224,6 +225,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 31 + *ip++; + } + #if defined(COPY_DICT) +@@ -265,6 +267,7 @@ int lzo1x_decompress_safe(const uint8_t* in, unsigned in_len, + ip++; + NEED_IP(1); + } ++ TEST_IV(t); + t += 7 + *ip++; + } + #if defined(COPY_DICT) +-- +1.7.10.4 + diff -Nru busybox-1.22.0/debian/patches/series busybox-1.22.0/debian/patches/series --- busybox-1.22.0/debian/patches/series 2014-09-09 10:50:49.000000000 +0400 +++ busybox-1.22.0/debian/patches/series 2014-11-10 15:06:53.000000000 +0300 @@ -6,6 +6,7 @@ libarchive-open_zipped-does-not-need-to-check-extensions.diff libbb-open_zipped-should-not-fail-on-non-compressed-files.diff zcat:-complain-if-input-is-not-compressed.diff +lzop-add-overflow-check-CVE-2014-4607.patch # submitted fixes do-not-fail-on-missing-SIGPWR.patch diff -Nru busybox-1.22.0/debian/rules busybox-1.22.0/debian/rules --- busybox-1.22.0/debian/rules 2014-09-30 08:49:10.000000000 +0400 +++ busybox-1.22.0/debian/rules 2014-11-13 00:22:41.000000000 +0300 @@ -41,11 +41,24 @@ EXTRA_LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) EXTRA_CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) +${b}/test754813.stamp: + mkdir -p ${b} + @echo "Checking if libc can produce working static binaries" + echo 'int main(void) { return getpwnam("root") ? 0 : 1; }' > ${b}/test754813.c + ${CC} -static -o ${b}/test754813 ${b}/test754813.c + @${b}/test754813 || { \ + echo "E: your libc does not produce working statically linked binaries" >&2 ; \ + echo "E: glibc-2.19 is known to have this bug: http://bugs.debian.org/754813" >&2 ; \ + echo "E: and https://sourceware.org/bugzilla/show_bug.cgi?id=17250" >&2 ; \ + echo "E: please update your libc" >&2 ; \ + exit 1 ; } + touch $@ + build: build-arch build-indep build-indep: ${b}/%/.stamp-setup: DIR = ${b}/$* -${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS} +${b}/%/.stamp-setup: debian/config/pkg/% debian/config/os/${DEB_HOST_ARCH_OS} ${b}/test754813.stamp dh_testdir rm -rf ${DIR} mkdir -p ${DIR} @@ -126,15 +139,22 @@ rm -rf ${b} dh_clean -binary-arch: ${b}/stamp-build +# define $a variable to be one of -i (indep), -a (arch) or nothing (both) +a := +binary-indep: a := -i +binary-indep: install +binary-arch: a := -a +binary-arch: install +binary: install + +install: ${b}/stamp-build dh_testroot dh_testdir dh_prep - dh_installdirs - dh_installdocs - dh_installchangelogs - dh_install + dh_installdocs $a + dh_installchangelogs $a + dh_install $a # busybox dh_install -pbusybox ${b}/deb/busybox /bin @@ -165,21 +185,30 @@ # common actions - dh_strip - dh_link - dh_compress - dh_fixperms - dh_installdeb - dh_shlibdeps - dh_gencontrol - dh_md5sums - dh_builddeb + dh_strip $a + dh_link $a + dh_compress $a + dh_fixperms $a + dh_installdeb $a + dh_shlibdeps $a + +# after shlibdeps finished, grab ${shlibs:Depends} from busybox package +# and transform it into Built-Using field (also dpkg-query bug #588505) + if [ -f debian/busybox.substvars ]; then \ + pkgs=$$(sed -n -e's/([^)]*)//g' -e's/,//g' -e's/^shlibs:Depends=//p' debian/busybox.substvars); \ + srcs=; for p in $$pkgs; do \ + srcs="$$srcs $$(dpkg-query -f '$${source:Package} (= $${source:Version}),' -W $$p)"; \ + done ; \ + echo "built-using=$$srcs" >> debian/busybox-static.substvars ; \ + fi -binary: binary-indep binary-arch + dh_gencontrol $a + dh_md5sums $a + dh_builddeb $a .PHONY: binary binary-arch binary-indep \ build build-arch build-indep \ - clean setup + clean setup install .PRECIOUS: ${b}/%/.stamp-setup ${b}/%/.stamp-build ${b}/%/.stamp-test \ ${b}/stamp-% -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org