Debian Bug report logs - #857975
strip-nondeterminism: endless loop while stripping ar files
Reported by: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Thu, 16 Mar 2017 19:51:07 UTC
Severity: important
Found in version strip-nondeterminism/0.031-1
Fixed in version strip-nondeterminism/0.032-1
Done: Chris Lamb <lamby@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>:
Bug#857975; Package strip-nondeterminism.
(Thu, 16 Mar 2017 19:51:10 GMT)
Acknowledgement sent
to Tobias Stoeckmann <tobias@stoeckmann.org>:
New Bug report received and forwarded. Copy sent to Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>.
(Thu, 16 Mar 2017 19:51:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: strip-nondeterminism
Version: 0.031-1
Severity: important
It is possible to trigger an endless loop while stripping ar files which
contain an illegal file size.
How to reproduce:
echo H4sICHfpylgCA3Rlc3QuYQBTtEksSs6w49JXQAUGGGwIaWZiA\
qZ1zWAqErgAcKtfFkQAAAA= | base64 -d | gzip -d > loop.a
strip-nondeterminism loop.a
See this patch for a possible solution:
diff --git a/lib/File/StripNondeterminism/handlers/ar.pm b/lib/File/StripNondeterminism/handlers/ar.pm
index 660fa8f..a71307a 100644
--- a/lib/File/StripNondeterminism/handlers/ar.pm
+++ b/lib/File/StripNondeterminism/handlers/ar.pm
@@ -67,6 +67,8 @@ sub normalize {
my $file_size = substr($buf, 48, 10);
seek $fh, $file_header_start + 16, SEEK_SET;
+ die "Incorrect file size" if $file_size < 1;
+
# mtime
syswrite $fh,
sprintf("%-12d", $File::StripNondeterminism::canonical_time // 0);
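Review bot: The added `die "Incorrect file size" if $file_size < 1;` compares the raw 10-character field from `substr($buf, 48, 10)` numerically without first confirming that it is a decimal number, so a field with trailing junk or no digits at all is judged by whatever it numifies to instead of being rejected as malformed. Consider matching the field against a digits-plus-padding pattern before the comparison, and confirm whether `< 1` is meant to reject a size of 0 as well, since that also refuses members that are simply empty. Nothing in the hunk bounds the size from above against the actual length of the file. The die message would be more useful with the offending value and `$file_header_start` in it, and the check reads more naturally before the `seek` than after it.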
Information forwarded
to debian-bugs-dist@lists.debian.org, Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>:
Bug#857975; Package strip-nondeterminism.
(Fri, 17 Mar 2017 08:27:07 GMT)
Acknowledgement sent
to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>.
(Fri, 17 Mar 2017 08:27:07 GMT)
Message #10 received at 857975@bugs.debian.org:
tags 857975 + pending
thanks
Fixed in Git:
https://anonscm.debian.org/git/reproducible/strip-nondeterminism.git/commit/?id=083b174c7c9245fed90af61ca8c001c8ead1b6d7
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Added tag(s) pending.
Request was from Chris Lamb <lamby@debian.org>
to control@bugs.debian.org.
(Fri, 17 Mar 2017 08:27:08 GMT)
Reply sent
to Chris Lamb <lamby@debian.org>:
You have taken responsibility.
(Fri, 17 Mar 2017 09:33:06 GMT)
Notification sent
to Tobias Stoeckmann <tobias@stoeckmann.org>:
Bug acknowledged by developer.
(Fri, 17 Mar 2017 09:33:06 GMT)
Message #17 received at 857975-close@bugs.debian.org:
Source: strip-nondeterminism
Source-Version: 0.032-1
We believe that the bug you reported is fixed in the latest version of
strip-nondeterminism, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 857975@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated strip-nondeterminism package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 17 Mar 2017 09:25:53 +0100
Source: strip-nondeterminism
Binary: libfile-stripnondeterminism-perl strip-nondeterminism dh-strip-nondeterminism
Architecture: source
Version: 0.032-1
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
dh-strip-nondeterminism - file non-deterministic information stripper — Debhelper add-on
libfile-stripnondeterminism-perl - file non-deterministic information stripper — Perl module
strip-nondeterminism - file non-deterministic information stripper — stand-alone tool
Closes: 857975
Changes:
strip-nondeterminism (0.032-1) unstable; urgency=medium
.
* Add support for testing files we should reject.
* Fix a possible endless loop while stripping ar files due to trusting the
file's file size data. Thanks to Tobias Stoeckmann (tobias@stoeckmann.org)
for the report, patch and testcase. (Closes: #857975)
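The 0.032-1 changelog above attributes the endless loop to trusting the archive's own file size data. As an added example (not code from strip-nondeterminism or from the report), here is one way to walk ar member headers without trusting that field; the function names and the three sample archives are constructed for illustration.

```perl
# Added example, not the project's code: walk ar member headers and refuse
# any size field that is not a plain decimal number fitting in the archive.
use strict;
use warnings;

my $MAGIC   = "!<arch>\n";
my $HDR_LEN = 60;

# Returns a list of [name, size] pairs; dies on a malformed archive.
sub list_ar_members {
    my ($data) = @_;
    die "bad global header\n" unless substr($data, 0, 8) eq $MAGIC;
    my ($pos, $end, @members) = (8, length($data));
    while ($pos < $end) {
        die "truncated header at offset $pos\n" if $end - $pos < $HDR_LEN;
        my $hdr = substr($data, $pos, $HDR_LEN);
        die "bad header end at offset $pos\n" unless substr($hdr, 58, 2) eq "`\n";
        my $size_field = substr($hdr, 48, 10);
        # Digits, then only space padding: rejects "-1", "0x10" and "".
        die "invalid size field \"$size_field\" at offset $pos\n"
          unless $size_field =~ /\A(\d+) *\z/;
        my $size = $1 + 0;
        my $body = $pos + $HDR_LEN;
        die "size $size overruns archive at offset $pos\n"
          if $size > $end - $body;
        (my $name = substr($hdr, 0, 16)) =~ s/ +\z//;
        push @members, [$name, $size];
        # Bodies are padded to an even length, so $pos grows by at least 60.
        $pos = $body + $size + ($size % 2);
    }
    return @members;
}

# Constructed sample member: name(16) mtime(12) uid(6) gid(6) mode(8) size(10).
sub member {
    my ($name, $size_field, $body) = @_;
    return sprintf("%-16s%-12s%-6s%-6s%-8s%-10s`\n",
        $name, 0, 0, 0, 100644, $size_field) . $body;
}

my %samples = (
    valid    => $MAGIC . member("a.txt/", 4,    "data"),
    negative => $MAGIC . member("a.txt/", -1,   ""),
    overrun  => $MAGIC . member("a.txt/", 4096, "data"),
);
for my $label (sort keys %samples) {
    my @m = eval { list_ar_members($samples{$label}) };
    print "$label: ", ($@ ? "rejected: $@" : scalar(@m) . " member(s)\n");
}
```

Because the offset only ever moves forward by at least one header length, the walk terminates on any input, and an empty member (size 0) is still accepted.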
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 20 Apr 2017 07:29:17 GMT)
Last modified: Wed May 17 13:54:31 2023