Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
On Sat, 26 Aug 2023 14:23, Thomas Gaugler wrote: Therefore I would appreciate if you create a "bookworm proposed updates request" by issuing the "reportbug release.debian.org" command on a Debian system. I did, but obviously it was incomplete. Unfortunately the immediate error report didn't reach my mailbox: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050588 Could you possibly complete this as I'm (obviously) unfamiliar with the Debian release process & policies. Thanks, Christian smartmontools.org
Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
Thank you for your detailed bug report. I built the nsis_3.09-1 and nsis-common_3.09-1 packages on Debian Bookworm, installed the resulting packages and can confirm with the two Nullsoft Installer (.nsi) scripts provided by you that the resulting installer executables no longer show the "(.reloc) is too large" error with objdump. Therefore I would appreciate if you create a "bookworm proposed updates request" by issuing the "reportbug release.debian.org" command on a Debian system. Please mention in "reportbug" this bug report, provide your observations and results of your tests and also refer to the fixed security vulnerability (Bug#1040880: nsis: CVE-2023-37378) in nsis_3.09-1.
Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
A manual download of nsis{-common}-3.09-1 from debian testing and 'dpgk
--install --force-all' succeeded and makensis works then. With this
version, the problem does not occur.
A backport of this version to bookworm should fix the problem.
Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
Severity of this bug promoted to 'grave' because further tests show that generated installers may not work at all: Testcase: $ cat /etc/debian_version 12.1 $ makensis -VERSION v3.08-3 $ cat test.nsi RequestExecutionLevel user Section "Test" MessageBox MB_OK "Hello, World!" SectionEnd $ makensis test.nsi ... $ objdump -p test-debian.exe >/dev/null BFD: error: test-debian.exe(.reloc) is too large (0x8e4 bytes) If test.exe is started on a Windows machine, CreateProcess() fails with GetLastError()==193 (ERROR_BAD_EXE_FORMAT). The same installer built with upstream NSIS 3.09 on Windows is much smaller and works: -rwxr-xr-x 1 ... 94699 Aug 24 09:45 test.exe -rwxr-xr-x 1 ... 38886 Aug 24 09:43 test-built-on-windows.exe
Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
Control: severity -1 grave
Bug#1050288: nsis 3.08-3 (bookworm) generates bogus relocation information (regression)
Package: nsis Version: 3.08-3 Severity: important makensis 3.08-3 on bookworm creates installers with a non-empty relocation section which contains garbage. The installers work, but trigger false positive warnings from security scanners, likely due to exe file corruption. Testcase: $ dpkg --list nsis nsis-common ... ii nsis 3.08-3 amd64 ... ii nsis-common 3.08-3 all ... $ cat test.nsi Section "Empty" SectionEnd $ makensis test.nsi ... $ objdump -p test.exe >/dev/null objdump: error: test.exe(.reloc) is too large (0x8e4 bytes) $ objdump -p test.exe 2>/dev/null ... Entry 5 00047000 08e4 Base Relocation Directory [.reloc] ... $ objdump -p /usr/share/nsis/Stubs/zlib-x86-unicode ... Entry 5 00047000 08e4 Base Relocation Directory [.reloc] ... PE File Base Relocations (interpreted .reloc section contents) Virtual Address: 1000 Chunk size 196 (0xc4) Number of fixups 94 reloc 0 offset 2b [102b] HIGHLOW reloc 1 offset 40 [1040] HIGHLOW ... Virtual Address: c000 Chunk size 216 (0xd8) Number of fixups 104 reloc 1 offset 8 [c008] HIGHLOW reloc 2 offset c [c00c] HIGHLOW ... reloc 102 offset 8f8 [c8f8] HIGHLOW reloc 103 offset 8fc [c8fc] HIGHLOW All the stubs apparently have a non-empty relocation section with garbage. This is not the case for the stubs from nsis-common-3.06.1-1 (bullseye) and nsis-common-3.09-1 (sid). This is also not the case with the upstream 3.08 and 3.09 builds for windows which are available at https://sourceforge.net/projects/nsis/files/NSIS%203/ Related: https://sourceforge.net/p/nsis/bugs/1299/ -- Regards Christian Franke smartmontools.org
