On Wed, 2021-08-11 16:25:01 +0200, Salvatore Bonaccorso wrote:
> Source: cpio
> Version: 2.13+dfsg-5
> Severity: serious
> Tags: upstream
> Justification: regression, has influences to other programs, partially FTBFS of packages, and other impact
> X-Debbugs-Cc: car...@debian.org
> 
> Hi
> 
> It looks like the fix for CVE-2021-38185 applied in 2.13+dfsg-5 causes
> a regression. I noticed it initially doing a kernel build, where we
> have the invocation
> 
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> dh_prep
> set -o pipefail; \
> cd debian/build/source_none; \
> ( \
>         echo Makefile; \
>         for arch in alpha arm arm64 ia64 m68k mips parisc powerpc riscv s390 sh sparc x86; do \
>                 find arch/$arch -maxdepth 1 -name 'Makefile*' -print; \
>                 find arch/$arch \( -name 'Kbuild.platforms' -o -name 'Platform' \) -print; \
>                 find $(find arch/$arch \( -name include -o -name scripts \) -type d -print) -print; \
>         done; \
>         find include -print; \
> ) \
> | \
> cpio -pd --preserve-modification-time '/home/build/linux-5.13.9/debian/linux-headers-5.13.0-trunk-common//usr/src/linux-headers-5.13.0-trunk-common'
> cpio: h: Cannot stat: No such file or directory
> cpio: int.h: Cannot stat: No such file or directory
> cpio: .h: Cannot stat: No such file or directory
> cpio: ander.h: Cannot stat: No such file or directory
> cpio: .h: Cannot stat: No such file or directory
> cpio: -clock.h: Cannot stat: No such file or directory
> 94174 blocks
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> 
> but this was not a problem with 2.13+dfsg-4.
> 
> Trying to track this down, it looks like it works with 2.13+dfsg-4, while
> it hangs with the new version:
> 
> root@sid:~# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
> 0 blocks
> 
> Now updating cpio:
> 
> root@sid:/tmp/tmp.1Q1sQ1UmJ3# apt-get install cpio
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Suggested packages:
>   libarchive1
> The following packages will be upgraded:
>   cpio
> 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> Need to get 0 B/244 kB of archives.
> After this operation, 8192 B of additional disk space will be used.
> (Reading database ... 78465 files and directories currently installed.)
> Preparing to unpack .../cpio_2.13+dfsg-5_amd64.deb ...
> Unpacking cpio (2.13+dfsg-5) over (2.13+dfsg-4) ...
> Setting up cpio (2.13+dfsg-5) ...
> Processing triggers for man-db (2.9.4-2) ...
> 
> and doing the same again:
> 
> root@sid:/tmp/tmp.1Q1sQ1UmJ3# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c 'print("A" * 128)')
> ^C
> root@sid:/tmp/tmp.1FBtWOr0jO#
> 
> Regards,
> Salvatore

Thank you for your report.

Please test cpio_2.13+dfsg-6

Regards.
