Package: apt
Version: 0.9.16.1
Severity: normal

Hi!

Somewhat recently apt was fixed to add LFS for the ar containers, but the tarballs within are still not LFS-safe on 32-bit systems. Here's a list of issues I've spotted by code staring; I've not tested anything, and I should create LFS .deb tests for the tar members too in dpkg/pkg-tests.git.

Types (should be off_t, long long or any other 64-bit-safe type):

- ARArchive::Member::Start.
- pkgDirStream::Size.
- pkgDirStream::Process(), Size and Pos arguments.
- ExtractTar::Go(), Size and Read variables, and cast truncation.

The following I guess more out of correctness, as I don't expect to see > 4 GiB control files around:

- debDebFile::MemControlExtract::Length.
- debDebFile::MemControlExtract::Process(), Size and Pos arguments.
- debDebFile::MemControlExtract::TakeControl(), Size argument.

These are minor issues, and would be related to either bogus or malicious archives, but probably still good to handle:

- ExtractTar::Go(), GNU_LongLink and GNU_LongName short Length which would truncate from Itm.Size.

Thanks,
Guillem
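The truncation hazard the report describes, shown as an added example in C that is not apt's own code: a tar member size is parsed from the 12-byte octal ustar size field into a 64-bit value, and then either narrowed unchecked (what a 32-bit `unsigned long` Size member effectively does on i386) or narrowed with a range check that rejects sizes the destination type cannot hold. The same checked narrowing applies to the short Length used for GNU_LongLink/GNU_LongName names. The function names, the 5 GiB sample field and the `uint32_t` stand-in for a 32-bit `unsigned long` are all assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Parse the 12-byte octal "size" field of a ustar header into a 64-bit
   value. The field is NUL- or space-terminated. Returns 0 on success,
   -1 on a non-octal digit or a value that would overflow 64 bits. */
int tar_parse_size(const char field[12], unsigned long long *out)
{
    unsigned long long v = 0;
    for (int i = 0; i < 12; i++) {
        char c = field[i];
        if (c == '\0' || c == ' ')
            break;
        if (c < '0' || c > '7')
            return -1;
        if (v > (ULLONG_MAX >> 3))      /* next shift would overflow */
            return -1;
        v = (v << 3) | (unsigned long long)(c - '0');
    }
    *out = v;
    return 0;
}

/* Unchecked narrowing: models storing the size in a 32-bit type, which is
   what an `unsigned long` member is on a 32-bit build. High bits are lost
   silently, so a 5 GiB member looks like a 1 GiB member to the extractor. */
uint32_t narrow_unchecked(unsigned long long size)
{
    return (uint32_t)size;
}

/* Checked narrowing: only accept a size that fits the destination type and
   refuse the member otherwise, instead of silently truncating. */
int narrow_checked(unsigned long long size, uint32_t *out)
{
    if (size > UINT32_MAX)
        return -1;
    *out = (uint32_t)size;
    return 0;
}

/* Same check for the short name-length field used when a GNU long name
   entry's length is taken from the member size. */
int longname_len_checked(unsigned long long size, unsigned short *out)
{
    if (size > USHRT_MAX)
        return -1;
    *out = (unsigned short)size;
    return 0;
}

int main(void)
{
    /* Constructed sample: 5 GiB = 5368709120 bytes = 050000000000 octal. */
    static const char field[12] = "50000000000";
    unsigned long long size;
    uint32_t narrow;

    if (tar_parse_size(field, &size) != 0)
        return 1;
    printf("parsed size      : %llu bytes\n", size);
    printf("unchecked narrow : %u bytes (wrong on 32-bit)\n", narrow_unchecked(size));
    printf("checked narrow   : %s\n",
           narrow_checked(size, &narrow) == 0 ? "accepted" : "rejected, does not fit");
    return 0;
}
```

With a 64-bit-safe type for Size (off_t with LFS, or long long) the checked path becomes unnecessary for the member size itself; the check is still the right tool wherever a wide value has to land in a narrower field.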