package: firefox-esr
version: 60.8.0esr-1
severity: serious

While trying to update firefox-esr in raspbian bullseye I ran into a "possible zip bomb" error. The failure also shows up on the reproducible builds site for i386 and arm64, so it's not raspbian-specific.

warning [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: 34207731 extra bytes at beginning or within zipfile (attempting to process anyway)
error [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: reported length of central directory is -34207731 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1 zipfile?). Compensating...
error: invalid zip file with overlapped components (possible zip bomb)
make[2]: [debian/rules:309: stamps/install-browser] Error 12 (ignored)
touch stamps/install-browser
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
debian/rules override_dh_install
make[2]: Entering directory '/build/1st/firefox-esr-60.8.0esr'
awk '{print "debian/tmp/" $1 }' < debian/noinstall | xargs rm -r
rm: cannot remove 'debian/tmp/usr/lib/firefox-esr/browser/defaults/preferences/firefox-l10n.js': No such file or directory
make[2]: *** [debian/rules:327: stamps/dh_install] Error 123
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make[1]: *** [debian/rules:353: install] Error 2
make[1]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make: *** [debian/rules:353: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2