On Wed, 2021-08-11 16:25:01 +0200, Salvatore Bonaccorso wrote:
> Source: cpio
> Version: 2.13+dfsg-5
> Severity: serious
> Tags: upstream
> Justification: regression, has influences to other programs, partially FTBFS
> of packages, and other impact
> X-Debbugs-Cc: car...@debian.org
>
> Hi
>
> It looks that the fix for CVE-2021-38185 applied in 2.13+dfsg-5 causes
> a regression. I noticed it initially doing a kernel build, where we
> have the invocation
>
> ----cut---------cut---------cut---------cut---------cut---------cut-----
> dh_prep
> set -o pipefail; \
> cd debian/build/source_none; \
> ( \
> echo Makefile; \
> for arch in alpha arm arm64 ia64 m68k mips parisc powerpc riscv s390
> sh sparc x86; do \
> find arch/$arch -maxdepth 1 -name 'Makefile*' -print; \
> find arch/$arch \( -name 'Kbuild.platforms' -o -name
> 'Platform' \) -print; \
> find $(find arch/$arch \( -name include -o -name scripts \)
> -type d -print) -print; \
> done; \
> find include -print; \
> ) \
> | \
> cpio -pd --preserve-modification-time
> '/home/build/linux-5.13.9/debian/linux-headers-5.13.0-trunk-common//usr/src/linux-headers-5.13.0-trunk-common'
> cpio: h: Cannot stat: No such file or directory
> cpio: int.h: Cannot stat: No such file or directory
> cpio: .h: Cannot stat: No such file or directory
> cpio: ander.h: Cannot stat: No such file or directory
> cpio: .h: Cannot stat: No such file or directory
> cpio: -clock.h: Cannot stat: No such file or directory
> 94174 blocks
> ----cut---------cut---------cut---------cut---------cut---------cut-----
>
> but this was not a problem with 2.13+dfsg-4.
>
> Trying to track this down it looks that with 2.13+dfsg-4 works, while
> hangs with the new version:
>
> root@sid:~# cd $(mktemp -d) ; touch foo ; echo foo | cpio -pd $(python3 -c
> 'print("A" * 128)')
> 0 blocks
>
> Now updating cpio:
>
> root@sid:/tmp/tmp.1Q1sQ1UmJ3# apt-get install cpio
> Reading package lists... Done
> Building dependency tree... Done
> Reading state information... Done
> Suggested packages:
> libarchive1
> The following packages will be upgraded:
> cpio
> 1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> Need to get 0 B/244 kB of archives.
> After this operation, 8192 B of additional disk space will be used.
> (Reading database ... 78465 files and directories currently installed.)
> Preparing to unpack .../cpio_2.13+dfsg-5_amd64.deb ...
> Unpacking cpio (2.13+dfsg-5) over (2.13+dfsg-4) ...
> Setting up cpio (2.13+dfsg-5) ...
> Processing triggers for man-db (2.9.4-2) ...
>
> and doing the same again:
>
> root@sid:/tmp/tmp.1Q1sQ1UmJ3# cd $(mktemp -d) ; touch foo ; echo foo | cpio
> -pd $(python3 -c 'print("A" * 128)')
> ^C
> root@sid:/tmp/tmp.1FBtWOr0jO#
>
> Regards,
> Salvatore

Thank you for your report.

Please test cpio_2.13+dfsg-6

Regards.
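
A regression check built around the reproducer quoted in the report, as an added example that is not part of this thread and not cpio's or Debian's own test suite. The function names and the `CPIO` and `LIMIT` variables are assumptions of this example; it goes beyond the single 128-character case by sweeping a range of destination-name lengths, and it treats a run that exceeds the time limit as a hang.

```shell
#!/usr/bin/env bash
# Regression check for cpio pass-through mode (cpio -pd), modelled on the
# reproducer in the report: copy one file into a destination directory whose
# name is N characters long, under a time limit.
# Returns: 0 = file copied,
#          1 = cpio failed, or finished without copying the file,
#          2 = cpio did not finish within the limit (treated as a hang).
# CPIO (binary to test) and LIMIT (seconds) are knobs of this example only.
check_passthrough() {
    local len=$1 cpio_bin=${CPIO:-cpio} limit=${LIMIT:-5}
    local work dest rc=0
    work=$(mktemp -d) || return 1
    # N x "A", the same shape as the python3 one-liner in the report.
    dest=$(head -c "$len" /dev/zero | tr '\0' 'A')
    (
        cd "$work" || exit 1
        touch foo
        echo foo | timeout "$limit" "$cpio_bin" -pd "$dest" >/dev/null 2>&1
    ) || rc=$?
    if [ "$rc" -eq 124 ]; then
        rc=2                      # timeout(1) had to kill cpio
    elif [ "$rc" -eq 0 ] && [ -f "$work/$dest/foo" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# Sweep destination-name lengths FROM..TO, print one line per length, and
# return non-zero if any length failed or hung.
sweep_passthrough() {
    local from=$1 to=$2 len rc bad=0
    for len in $(seq "$from" "$to"); do
        rc=0
        check_passthrough "$len" || rc=$?
        case $rc in
            0) echo "len=$len ok" ;;
            1) echo "len=$len FAILED"; bad=1 ;;
            2) echo "len=$len HANG"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

After sourcing the file, `sweep_passthrough 120 136` covers the reported length and its neighbours against the installed cpio; set `CPIO=/path/to/cpio` to test a locally built binary instead.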