* Holger Levsen <hol...@layer-acht.org> [2024-04-10 19:43]:
> On Wed, Apr 10, 2024 at 06:12:21PM +0100, Chris Lamb wrote:
> > Holger Levsen wrote:
> > 
> > > when building libscout 2.3.2-3 on current unstable, the result is also 
> > > unreproducible, but diffoscope crashes when analysing the diff.
> > I think this is somewhat related to:
> >   https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/362
> > … which was said to be fixed by Fay in 
> > cc3b077f6ef97b4e20036e9823926fe633c7d4d0
> > that released as diffoscope version 263 on 2024-04-05.
> > However, I can see that the current output of libscout/amd64 on
> > tests.reproducible-builds.org is failing with this very version:
> 
> yes, indeed.
> 
> also, this happened before too, I'm sure about at least with diffoscope 260 
> already.
>  
> > Will loop Fay in via Salsa presently.
> 
> thank you!

Salsa is probably better for figuring out what to do next, but I get these mails
too :)

The libscout.jar has duplicate ZIP entries in the central directory, pointing to
the same actual entry in the ZIP.  So the "overlapped entries" error is entirely
correct, even if it's not a zip bomb.

  >>> import zipfile
  >>> zf = zipfile.ZipFile("libscout.jar")
  >>> fh = zf.open("javax/annotation/CheckForNull.class")
  zipfile.BadZipFile: Overlapped entries: 'javax/annotation/CheckForNull.class' (possible zip bomb)
  >>> len([i for i in zf.infolist() if i.filename == "javax/annotation/CheckForNull.class"])
  2
  >>> len(zf.namelist()) - len(set(zf.namelist()))
  35
  >>> x, y = [i for i in zf.infolist() if i.filename == "javax/annotation/CheckForNull.class"]
  >>> x.header_offset
  23065534
  >>> y.header_offset
  23065534
  >>> x._end_offset
  23065890
  >>> y._end_offset
  23065534
  >>> zf.open(x)
  <zipfile.ZipExtFile name='javax/annotation/CheckForNull.class' mode='r' compress_type=deflate>
  >>> zf.open(y)
  Traceback (most recent call last):
  zipfile.BadZipFile: Overlapped entries: 'javax/annotation/CheckForNull.class' (possible zip bomb)

$ unzip -q -d foo libscout.jar
error: invalid zip file with overlapped components (possible zip bomb)

unzip does seem to extract all the files, though it errors out.  Not sure what
diffoscope should do here.  This is definitely a broken ZIP file.  That bug
should probably be reported against libscout or whatever tooling it used to
create that JAR.

FWIW, it seems the libscout.jar files in both .deb files are identical apart
from timestamps and the ordering of entries in the ZIP.

- Fay
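As an added illustration of the ZIP shape Fay describes above (this is example code written for this page, not code from the thread, from diffoscope or from libscout): the script builds a small JAR in memory with Python's standard zipfile, copies one central-directory record so the same name is listed twice with the same local-header offset, and then detects the condition by walking the central directory and local headers itself, so the result does not depend on whether the running interpreter's zipfile has the "Overlapped entries" check. The entry names and contents in SAMPLE_ENTRIES are constructed, and every function name is this example's own; only the record layouts (end-of-central-directory, central-directory header, local-file header) are the real ones from the ZIP format.

```python
"""Added example (not libscout or diffoscope code): build a JAR whose central directory
lists one name twice, both records pointing at the same local header, and detect it."""
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes; [8]=csize, [10..12]=name/extra/comment lengths, [16]=local header offset
LFH_FMT = "<4sHHHHHIIIHH"        # 30 bytes; [9]=name length, [10]=extra length

# Constructed sample entries (not real libscout contents); class bodies are just the JVM magic plus padding.
SAMPLE_ENTRIES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n\r\n"),
    ("javax/annotation/CheckForNull.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60),
    ("javax/annotation/Nonnull.class", b"\xca\xfe\xba\xbe" + b"\x01" * 60),
]
DUP_NAME = "javax/annotation/CheckForNull.class"

def build_zip(entries):
    """Write a well-formed deflated ZIP from (name, bytes) pairs and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()

def parse_eocd(data):
    """Return (eocd_pos, entry_count, cd_size, cd_offset) from the EOCD record; no ZIP64 handling."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, n_total, cd_size, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    return pos, n_total, cd_size, cd_offset

def central_records(data):
    """Yield (rec_start, rec_end, name, local_header_offset, compressed_size) for each central record."""
    _, _, cd_size, cd_offset = parse_eocd(data)
    pos, end = cd_offset, cd_offset + cd_size
    while pos < end:
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        f = struct.unpack(CDH_FMT, data[pos:pos + 46])
        rec_end = pos + 46 + f[10] + f[11] + f[12]
        yield pos, rec_end, data[pos + 46:pos + 46 + f[10]].decode("utf-8"), f[16], f[8]
        pos = rec_end

def duplicate_central_entry(data, name):
    """Copy of `data` with the central record for `name` repeated, so two records share one local header."""
    eocd_pos, count, cd_size, _ = parse_eocd(data)
    start, end = next((s, e) for s, e, n, _, _ in central_records(data) if n == name)
    record = data[start:end]
    eocd = bytearray(data[eocd_pos:])
    # EOCD offsets 8/10/12: entries on this disk, total entries, central directory size
    struct.pack_into("<HHI", eocd, 8, count + 1, count + 1, cd_size + len(record))
    return data[:end] + record + data[end:eocd_pos] + bytes(eocd)

def local_extent(data, lh_off, csize):
    """[start, end) of a local header plus its data; csize is taken from the central directory
    because a local header written with flag bit 3 set carries zero sizes."""
    if data[lh_off:lh_off + 4] != LFH_SIG:
        raise ValueError(f"no local file header at offset {lh_off}")
    f = struct.unpack(LFH_FMT, data[lh_off:lh_off + 30])
    return lh_off, lh_off + 30 + f[9] + f[10] + csize

def duplicate_names(data):
    """Names listed more than once in the central directory, with their counts."""
    counts = {}
    for _, _, name, _, _ in central_records(data):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}

def find_overlaps(data):
    """(earlier_name, later_name) for every local extent starting inside one seen earlier in
    offset order; two records at the same offset are reported as overlapping each other."""
    extents = [(n, *local_extent(data, off, cs)) for _, _, n, off, cs in central_records(data)]
    overlaps, max_end, owner = [], 0, None
    for name, start, end in sorted(extents, key=lambda t: t[1]):
        if owner is not None and start < max_end:
            overlaps.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return overlaps

def read_each_listing(data, name):
    """Open every central record for `name` via zipfile; bytes on success, exception class name otherwise."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                try:
                    with zf.open(info) as fh:
                        results.append(fh.read())
                except zipfile.BadZipFile as exc:
                    results.append(type(exc).__name__)
    return results

if __name__ == "__main__":
    broken = duplicate_central_entry(build_zip(SAMPLE_ENTRIES), DUP_NAME)
    print(duplicate_names(broken), find_overlaps(broken), read_each_listing(broken, DUP_NAME))
```

On an interpreter whose zipfile carries the overlap check (the kind that produced the transcript above), read_each_listing returns the class bytes for one of the two records and 'BadZipFile' for the other; on an older interpreter both reads succeed silently, which is why find_overlaps walks the central directory and local headers itself instead of relying on zipfile. The same walk flags a real zip bomb, where distinct records point into each other's data, not only the identical-offset duplicates seen in libscout.jar. ZIP64 records and archive comments are not handled.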
