Your message dated Fri, 16 Aug 2019 21:21:46 +0000
with message-id <e1hyjfo-000fcq...@fasolo.debian.org>
and subject line Bug#932404: fixed in unzip 6.0-21+deb9u2
has caused the Debian Bug report #932404,
regarding firefox-esr, FTBFS "possible zip bomb".
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: firefox-esr
version: 60.8.0esr-1
severity: serious

While trying to update firefox-esr in raspbian bullseye I ran into a "possible zip bomb" error. The failure also shows up on the reproducible builds site for i386 and arm64 so it's not raspbian specific.

warning [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]:  34207731 extra bytes at beginning or within zipfile
   (attempting to process anyway)
error [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]:  reported length of central directory is
   -34207731 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
   zipfile?).  Compensating...
error: invalid zip file with overlapped components (possible zip bomb)
make[2]: [debian/rules:309: stamps/install-browser] Error 12 (ignored)
touch stamps/install-browser
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
    debian/rules override_dh_install
make[2]: Entering directory '/build/1st/firefox-esr-60.8.0esr'
awk '{print "debian/tmp/" $1 }' < debian/noinstall | xargs rm -r
rm: cannot remove 'debian/tmp/usr/lib/firefox-esr/browser/defaults/preferences/firefox-l10n.js': No such file or directory
make[2]: *** [debian/rules:327: stamps/dh_install] Error 123
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make[1]: *** [debian/rules:353: install] Error 2
make[1]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make: *** [debian/rules:353: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2


--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-21+deb9u2

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 05 Aug 2019 18:10:06 +0200
Source: unzip
Binary: unzip
Architecture: source
Version: 6.0-21+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Description:
 unzip      - De-archiver for .zip files
Closes: 929502 931433 932404
Changes:
 unzip (6.0-21+deb9u2) stretch; urgency=medium
 .
   * Fix incorrect parsing of 64-bit values in fileio.c. Closes: #929502.
   * Apply three patches by Mark Adler to fix CVE-2019-13232.
   - Fix bug in undefer_input() that misplaced the input state.
   - Detect and reject a zip bomb using overlapped entries.
     Bug discovered by David Fifield. Closes: #931433.
   - Do not raise a zip bomb alert for a misplaced central directory.
     Reported by Peter Green. Closes: #932404.

--- End Message ---
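The overlap check that the second and third CVE-2019-13232 patches in the changelog describe, as an added Python example (not unzip's code): it first derives the count of extra leading bytes the way unzip's warning reports it, shifts every local-header offset by that amount, and only then looks for entries that reuse each other's bytes, so a merely shifted archive like the one in the report above is not flagged. build_zip and overlapped_entries are hypothetical names, and the zip layouts are constructed in-memory test data.

```python
import struct
import zlib

def build_zip(files, prefix=b"", alias_first=False):
    """Constructed test data: a stored (uncompressed) zip from (name, bytes) pairs.
    prefix simulates bytes prepended after the archive was written (recorded
    offsets stay relative to the archive proper); alias_first makes every
    central-directory entry point at the first local header (zip-bomb overlap)."""
    body, cdir, offsets = b"", b"", []
    for name, data in files:
        offsets.append(len(body))
        body += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0,
                  zlib.crc32(data), len(data), len(data), len(name), 0) + name + data
    for (name, data), off in zip(files, offsets):
        off = offsets[0] if alias_first else off
        cdir += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0,
                  zlib.crc32(data), len(data), len(data), len(name), 0, 0, 0, 0, 0, off) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(files), len(files),
                  len(cdir), len(body), 0)
    return prefix + body + cdir + eocd

def overlapped_entries(data):
    """Names of entries whose span overlaps an earlier entry or the central
    directory; [] means no zip-bomb overlap. The extra-leading-bytes count is
    derived first, as unzip does, so a merely shifted archive is not flagged."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    cd_start = eocd - cd_size
    extra = cd_start - cd_off        # the "extra bytes at beginning" unzip warns about
    pos, spans = cd_start, []
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header at %d" % pos)
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        csize, nlen, elen, clen, lh = f[7], f[9], f[10], f[11], f[15] + extra
        name = data[pos + 46:pos + 46 + nlen]
        if data[lh:lh + 4] != b"PK\x03\x04":
            raise ValueError("bad local header for %r" % name)
        lnlen, lelen = struct.unpack_from("<HH", data, lh + 26)
        spans.append((lh, lh + 30 + lnlen + lelen + csize, name))
        pos += 46 + nlen + elen + clen
    bad, end = [], 0
    for start, stop, name in sorted(spans):
        if start < end or stop > cd_start:   # reuses earlier bytes or runs into the directory
            bad.append(name)
        end = max(end, stop)
    return bad
```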