Your message dated Mon, 4 Mar 2019 03:43:23 +0100
with message-id <[email protected]>
and subject line Re: Bug#178735: dpkg: broken debs can easily be installed
has caused the Debian Bug report #178735,
regarding dpkg: broken debs can easily be installed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
178735: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=178735
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.10.9
Severity: normal
File: /usr/bin/dpkg


I had an easy time installing this

# dpkg -i mplayer-k6_0.90rc3-0.0_i386.deb 
Selecting previously deselected package mplayer-k6.
(Reading database ... 170217 files and directories currently installed.)
Unpacking mplayer-k6 (from mplayer-k6_0.90rc3-0.0_i386.deb) ...
Setting up mplayer-k6 (0.90rc3-0.0) ...

even though
$ dpkg -c mplayer-k6_0.90rc3-0.0_i386.deb|grep -v /$|wc -l
tar: Skipping to next header
tar: Archive contains obsolescent base-64 headers
tar: Error exit delayed from previous errors
dpkg-deb: subprocess tar returned error exit status 2
     42 #taking out dirs
$ wc -l md5sums 
     53  md5sums

i.e. the md5sums weren't even apparently done, or if they were then
missing files aren't causes for error. i.e. bad md sum will be caught
but missing files won't?
Anyway, I'm startled how easy it is to only install 3/4 of a .deb and
dpkg doesn't prevent it!

Perhaps I corrupted my copy of this file, I will retry later, but that's not 
the point.
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux debian 2.4.19-k7 #1 Sun Oct 6 20:29:56 EST 2002 i686
Locale: LANG=zh_TW.Big5, LC_CTYPE=zh_TW.Big5

Versions of packages dpkg depends on:
ii  dselect                       1.10.9     a user tool to manage Debian packa
ii  libc6                         2.3.1-9    GNU C Library: Shared libraries an

-- no debconf information



--- End Message ---
--- Begin Message ---
Hi!

On Tue, 2003-01-28 at 10:31:49 +0800, Dan Jacobson wrote:
> Package: dpkg
> Version: 1.10.9
> Severity: normal
> File: /usr/bin/dpkg

> I had an easy time installing this
> 
> # dpkg -i mplayer-k6_0.90rc3-0.0_i386.deb 
> Selecting previously deselected package mplayer-k6.
> (Reading database ... 170217 files and directories currently installed.)
> Unpacking mplayer-k6 (from mplayer-k6_0.90rc3-0.0_i386.deb) ...
> Setting up mplayer-k6 (0.90rc3-0.0) ...
> 
> even though
> $ dpkg -c mplayer-k6_0.90rc3-0.0_i386.deb|grep -v /$|wc -l
> tar: Skipping to next header
> tar: Archive contains obsolescent base-64 headers
> tar: Error exit delayed from previous errors
> dpkg-deb: subprocess tar returned error exit status 2
>      42 #taking out dirs
> $ wc -l md5sums 
>      53  md5sums
> 
> i.e. the md5sums weren't even apparently done, or if they were then
> missing files aren't causes for error. i.e. bad md sum will be caught
> but missing files won't?
> Anyway, I'm startled how easy it is to only install 3/4 of a .deb and
> dpkg doesn't prevent it!
> 
> Perhaps I corrupted my copy of this file, I will retry later, but that's not 
> the point.

No, the file was generated with a tar version that was creating base64
fields in the tar entries, and dpkg was not supporting those.

The parsing of tar archives has since been made more robust and
strict, and this should not happen anymore. I modified an existing
.deb to convert its size field into the obsolete base64 format (and
updating its checksum to make it valid), and also damaged one of the
entries by tweaking its checksum so it would not validate. This is the
resulting .deb:

  ,---
  $ dpkg-deb -c fbset_2.1-30_amd64.deb
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./bin/
  tar: Archive contains obsolescent base-64 headers
  -rwxr-xr-x root/root     14328 2017-11-12 00:29 ./bin/con2fbmap
  […]
  drwxr-xr-x root/root         0 2017-11-12 00:29 ./usr/share/doc/fbset/
  tar: Skipping to next header
  -rw-r--r-- root/root      1776 1999-01-17 20:15 ./usr/share/doc/fbset/GetVideoMode.c.gz
  […]
  -rw-r--r-- root/root      1827 2017-11-12 00:29 ./usr/share/man/man5/fb.modes.5.gz
  tar: Exiting with failure status due to previous errors
  dpkg-deb: error: tar subprocess returned error exit status 2
  `---

This then generates the following error during installation:

  ,---
  $ sudo dpkg  -i fbset_2.1-30_amd64.deb
  (Reading database ... 286793 files and directories currently installed.)
  Preparing to unpack fbset_2.1-30_amd64.deb ...
  Unpacking fbset (2.1-30) over (2.1-30) ...
  dpkg: error processing archive fbset_2.1-30_amd64.deb (--install):
   corrupted filesystem tarfile in package archive: invalid tar header size field (Numerical result out of range)
  dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
  Errors were encountered while processing:
   fbset_2.1-30_amd64.deb
  `---

So this problem reported is fixed. But during the testing of this I
found a couple of problems (a double free, and some confusing error
messages) which I'll be fixing for 1.19.6.

In any case, I'm closing this report as solved now.

Thanks,
Guillem

--- End Message ---
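
The two rejections described in the reply above (a size field that is not plain octal, and an entry whose checksum does not validate), as an added example of a strict tar header check; it is not dpkg's code. The offsets are the standard 512-byte tar header layout; the function names, the sample header and the non-octal size value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum { BLOCK = 512, OFF_SIZE = 124, LEN_SIZE = 12, OFF_SUM = 148, LEN_SUM = 8 };
enum { TAR_BAD_FIELD = -1, TAR_BAD_CHECKSUM = -2 };

/* Strict octal field: optional leading spaces, at least one octal digit, then
 * only NUL/space padding. Any other encoding of the number is rejected. */
static int parse_octal(const unsigned char *f, size_t len, unsigned long long *out)
{
    size_t i = 0;
    unsigned long long v = 0;   /* 12 octal digits = 36 bits, cannot overflow */
    while (i < len && f[i] == ' ') i++;
    if (i == len || f[i] < '0' || f[i] > '7') return -1;
    for (; i < len && f[i] >= '0' && f[i] <= '7'; i++)
        v = (v << 3) | (unsigned long long)(f[i] - '0');
    for (; i < len; i++)
        if (f[i] != ' ' && f[i] != '\0') return -1;   /* trailing junk */
    *out = v;
    return 0;
}

/* Sum of all 512 header bytes, counting the checksum field as spaces. */
static unsigned long long header_sum(const unsigned char *h)
{
    unsigned long long sum = 0;
    for (size_t i = 0; i < BLOCK; i++)
        sum += (i >= OFF_SUM && i < OFF_SUM + LEN_SUM) ? ' ' : h[i];
    return sum;
}

/* Returns the member size, or a negative TAR_BAD_* code. */
long long tar_check_header(const unsigned char *h)
{
    unsigned long long stored, size;
    if (parse_octal(h + OFF_SUM, LEN_SUM, &stored)) return TAR_BAD_FIELD;
    if (stored != header_sum(h)) return TAR_BAD_CHECKSUM;
    if (parse_octal(h + OFF_SIZE, LEN_SIZE, &size)) return TAR_BAD_FIELD;
    return (long long)size;
}

/* Constructed header (not from a real .deb): the given size field plus a
 * matching checksum; damage != 0 flips one checksum digit afterwards. */
long long sample_result(const char *size_field, int damage)
{
    unsigned char h[BLOCK] = "./bin/con2fbmap";
    memcpy(h + OFF_SIZE, size_field, strlen(size_field)); /* <= 12 bytes */
    snprintf((char *)h + OFF_SUM, LEN_SUM, "%06llo", header_sum(h));
    if (damage) h[OFF_SUM + 5] ^= 1;   /* still an octal digit, wrong value */
    return tar_check_header(h);
}
```

A caller that treats any negative return as fatal for the whole archive gets the behaviour shown in the second transcript, where installation stops instead of unpacking the entries that happened to parse.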
