Your message dated Mon, 17 Jun 2024 16:47:08 +0000
with message-id <[email protected]>
and subject line Bug#1050288: fixed in nsis 3.08-3+deb12u1
has caused the Debian Bug report #1050288,
regarding nsis 3.08-3 (bookworm) generates bogus relocation information 
(regression)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050288
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nsis
Version: 3.08-3
Severity: important

makensis 3.08-3 on bookworm creates installers with a non-empty relocation section which contains garbage.

The installers work, but trigger false positive warnings from security scanners, likely due to exe file corruption.

Testcase:

$ dpkg --list nsis nsis-common
...
ii  nsis           3.08-3       amd64        ...
ii  nsis-common    3.08-3       all          ...

$ cat test.nsi
Section "Empty"
SectionEnd

$ makensis test.nsi
...

$ objdump -p test.exe >/dev/null
objdump: error: test.exe(.reloc) is too large (0x8e4 bytes)

$ objdump -p test.exe 2>/dev/null
...
Entry 5 00047000 000008e4 Base Relocation Directory [.reloc]
...

$ objdump -p /usr/share/nsis/Stubs/zlib-x86-unicode
...
Entry 5 00047000 000008e4 Base Relocation Directory [.reloc]
...
PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00001000 Chunk size 196 (0xc4) Number of fixups 94
        reloc    0 offset   2b [102b] HIGHLOW
        reloc    1 offset   40 [1040] HIGHLOW
...
Virtual Address: 0000c000 Chunk size 216 (0xd8) Number of fixups 104
        reloc    1 offset    8 [c008] HIGHLOW
        reloc    2 offset    c [c00c] HIGHLOW
...
        reloc  102 offset  8f8 [c8f8] HIGHLOW
        reloc  103 offset  8fc [c8fc] HIGHLOW


All the stubs apparently have a non-empty relocation section with garbage. This is not the case for the stubs from nsis-common-3.06.1-1 (bullseye) and nsis-common-3.09-1 (sid).

This is also not the case with the upstream 3.08 and 3.09 builds for Windows which are available at
https://sourceforge.net/projects/nsis/files/NSIS%203/

Related: https://sourceforge.net/p/nsis/bugs/1299/

--
Regards
Christian Franke
smartmontools.org

--- End Message ---
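
Added example (not part of the bug report, and not NSIS or Debian code): a generic consistency check for the base relocation directory, the data directory entry 5 that objdump lists in the report above. It flags a directory larger than the raw data stored for its section and relocation blocks that do not parse. `reloc_problems`, `sample_pe` and `GOOD` are names made up for this example, the images are constructed test input, the PE headers are assumed intact, and treating only ABSOLUTE, HIGHLOW and DIR64 as expected fixup types is an assumption for x86/x64 images.

```python
import struct

def reloc_problems(pe: bytes) -> list:
    """List consistency problems in the PE base relocation directory (entry 5)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        return ["not a PE image"]
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)      # PE32+ or PE32 layout
    count, = struct.unpack_from("<I", pe, dirs - 4)   # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", pe, dirs + 5 * 8) if count > 5 else (0, 0)
    if size == 0:
        return []                                     # image carries no relocations
    for i in range(nsec):                             # map the RVA to a section
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            break
    else:
        return ["directory RVA 0x%x lies in no section" % rva]
    off = raw_ptr + rva - va
    avail = min(raw_size - (rva - va), len(pe) - off)
    if size > avail:
        return ["directory size 0x%x exceeds 0x%x bytes of raw data" % (size, max(avail, 0))]
    problems, end = [], off + size
    while off < end:                                  # walk IMAGE_BASE_RELOCATION blocks
        page, blk = struct.unpack_from("<II", pe, off) if end - off >= 8 else (0, 0)
        if blk < 8 or blk % 4 or off + blk > end:
            problems.append("bad block size %d at file offset 0x%x" % (blk, off))
            break
        if page % 0x1000:
            problems.append("page RVA 0x%x is not 4 KiB aligned" % page)
        for entry, in struct.iter_unpack("<H", pe[off + 8:off + blk]):
            if entry >> 12 not in (0, 3, 10):         # ABSOLUTE, HIGHLOW, DIR64 (assumed set)
                problems.append("unexpected fixup type %d in page 0x%x" % (entry >> 12, page))
        off += blk
    return problems

def sample_pe(reloc: bytes, dir_size: int, raw_size: int = 0x200) -> bytes:
    """Constructed minimal PE32 with a single .reloc section at RVA 0x1000."""
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    opt += bytes(40) + struct.pack("<II", 0x1000, dir_size) + bytes(80)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = struct.pack("<8sIIII", b".reloc", raw_size, 0x1000, raw_size, 0x200)
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    return (head + sect.ljust(40, b"\0")).ljust(0x200, b"\0") + reloc.ljust(raw_size, b"\0")

GOOD = struct.pack("<IIHH", 0x1000, 12, 0x302B, 0x3040)  # constructed: two HIGHLOW fixups
```

Calling `reloc_problems(open(path, "rb").read())` on a built installer or stub returns an empty list when the directory is absent or consistent, so a non-empty result can fail a build step before the file reaches a scanner.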
--- Begin Message ---
Source: nsis
Source-Version: 3.08-3+deb12u1
Done: Thomas Gaugler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nsis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Gaugler <[email protected]> (supplier of updated nsis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 05 Feb 2024 11:18:05 +0100
Source: nsis
Architecture: source
Version: 3.08-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Thomas Gaugler <[email protected]>
Changed-By: Thomas Gaugler <[email protected]>
Closes: 1040880 1050288
Changes:
 nsis (3.08-3+deb12u1) bookworm; urgency=medium
 .
   * Cherry-pick upstream commits to fix CVE-2023-37378 (Closes: #1040880)
   * Use common options for nsis-doc installation
   * Exclude Debian revision suffix from VER_REVISION
   * Backport upstream commit to disable stub relocations (Closes: #1050288)
Checksums-Sha1:
 9b8a1ee43d18f41bec9a3fea5012aed64cac3b59 1633 nsis_3.08-3+deb12u1.dsc
 8e49435ca97a7bec1b2248d778bb7e1acb24267b 32284 nsis_3.08-3+deb12u1.debian.tar.xz
Checksums-Sha256:
 68b74caa1c1123d6771282b373b485d740ba8013f7b54bcc30238a3d54973278 1633 nsis_3.08-3+deb12u1.dsc
 15964a928584aadee8a71e35fc456d32f2e6b9b9ed491c6f6e49906cdffb3c07 32284 nsis_3.08-3+deb12u1.debian.tar.xz
Files:
 9a949c5ae5ab32b1c0fbb86cd2e96434 1633 devel optional nsis_3.08-3+deb12u1.dsc
 d76fb11d9706b874061dfab5200a0729 32284 devel optional nsis_3.08-3+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQTjpQ0b6NokWkvBQbzqgwvGpoTNfAUCZnACYAAKCRDqgwvGpoTN
fFRWAQCWsqrwUHJXlldo2M4Yc5ZgeQFOTEp06wm4M4fgQwocQgD/WvSPH/bUrwzm
08ALnEE07/XH3E/3g6NbjpHFW0mhkgw=
=ruhL
-----END PGP SIGNATURE-----



--- End Message ---
