If an archive declares it needs it, lzma -d will allocate 4 GiB of memory to decompress it. This shouldn’t be an issue with .deb files from the Debian archive, but occasionally a person might want to at least examine the contents of an untrusted package.
If the lzma command is provided by XZ Utils, then "lzma -d" already limits memory usage, even without this patch. An option to override the memory limit is essential to unpack archives exceeding the default memory limit. I previously sent these patches as part of the xz support series. They also apply on top of the compression code refactoring just sent. Thoughts? Jonathan Nieder (4): Add tuklib_physmem() from XZ Utils dpkg-deb: set a memory usage limit for lzma -d dpkg: change pass_admindir to a bool dpkg: add --memlimit option, passed to dpkg-deb configure.ac | 2 + debian/copyright | 3 + dpkg-deb/dpkg-deb.h | 3 + dpkg-deb/extract.c | 2 +- dpkg-deb/main.c | 24 ++++++ lib/dpkg/Makefile.am | 5 + lib/dpkg/compression-backend.c | 100 ++++++++++++++++++++++++- lib/dpkg/compression-backend.h | 6 +- lib/dpkg/compression.c | 8 +- lib/dpkg/dpkg.h | 4 +- lib/tuklib/sysdefs.h | 165 ++++++++++++++++++++++++++++++++++++++++ lib/tuklib/tuklib_common.h | 71 +++++++++++++++++ lib/tuklib/tuklib_config.h | 1 + lib/tuklib/tuklib_physmem.c | 146 +++++++++++++++++++++++++++++++++++ lib/tuklib/tuklib_physmem.h | 28 +++++++ m4/tuklib_common.m4 | 22 +++++ m4/tuklib_physmem.m4 | 119 +++++++++++++++++++++++++++++ man/dpkg-deb.1 | 8 ++ man/dpkg.1 | 6 ++ src/main.c | 22 +++++- src/main.h | 1 + src/processarc.c | 11 +++- 22 files changed, 745 insertions(+), 12 deletions(-) create mode 100644 lib/tuklib/sysdefs.h create mode 100644 lib/tuklib/tuklib_common.h create mode 100644 lib/tuklib/tuklib_config.h create mode 100644 lib/tuklib/tuklib_physmem.c create mode 100644 lib/tuklib/tuklib_physmem.h create mode 100644 m4/tuklib_common.m4 create mode 100644 m4/tuklib_physmem.m4 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
