reassign -1 unzip
found -1 6.0-24
notfound -1 6.0-23
This is a false positive from the changes in unzip 6.0-24.
On Thu, Jul 18, 2019 at 09:04:24PM +0100, peter green wrote:
> package: firefox-esr
> version: 60.8.0esr-1
> severity: serious
>
> While trying to update firefox-esr in raspbian bullseye I ran into a
> "possible zip bomb" error. The failure also shows up on the reproducible
> builds site for i386 and arm64 so it's not raspbian specific.
>
> > warning [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: 34207731 extra
> > bytes at beginning or within zipfile
> > (attempting to process anyway)
> > error [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: reported length of
> > central directory is
> > -34207731 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
> > zipfile?). Compensating...
> > error: invalid zip file with overlapped components (possible zip bomb)
> > make[2]: [debian/rules:309: stamps/install-browser] Error 12 (ignored)
> > touch stamps/install-browser
> > make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
> > debian/rules override_dh_install
> > make[2]: Entering directory '/build/1st/firefox-esr-60.8.0esr'
> > awk '{print "debian/tmp/" $1 }' < debian/noinstall | xargs rm -r
> > rm: cannot remove
> > 'debian/tmp/usr/lib/firefox-esr/browser/defaults/preferences/firefox-l10n.js':
> > No such file or directory
> > make[2]: *** [debian/rules:327: stamps/dh_install] Error 123
> > make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
> > make[1]: *** [debian/rules:353: install] Error 2
> > make[1]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
> > make: *** [debian/rules:353: binary] Error 2
> > dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned
> > exit status 2
>
