Your message dated Sat, 27 Jul 2019 16:35:57 +0000
with message-id <e1hrpfp-00074i...@fasolo.debian.org>
and subject line Bug#932404: fixed in unzip 6.0-25
has caused the Debian Bug report #932404,
regarding firefox-esr, FTBFS "possible zip bomb".
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: firefox-esr
version: 60.8.0esr-1
severity: serious

While trying to update firefox-esr in Raspbian bullseye I ran into a "possible zip 
bomb" error. The failure also shows up on the reproducible builds site for i386 and 
arm64, so it's not Raspbian-specific.

warning [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]:  34207731 extra bytes at beginning or within zipfile
   (attempting to process anyway)
error [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]:  reported length of central directory is
   -34207731 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
   zipfile?).  Compensating...
error: invalid zip file with overlapped components (possible zip bomb)
make[2]: [debian/rules:309: stamps/install-browser] Error 12 (ignored)
touch stamps/install-browser
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
    debian/rules override_dh_install
make[2]: Entering directory '/build/1st/firefox-esr-60.8.0esr'
awk '{print "debian/tmp/" $1 }' < debian/noinstall | xargs rm -r
rm: cannot remove 'debian/tmp/usr/lib/firefox-esr/browser/defaults/preferences/firefox-l10n.js': No such file or directory
make[2]: *** [debian/rules:327: stamps/dh_install] Error 123
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make[1]: *** [debian/rules:353: install] Error 2
make[1]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make: *** [debian/rules:353: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2


--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-25

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Sat, 27 Jul 2019 18:01:36 +0200
Source: unzip
Architecture: source
Version: 6.0-25
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 932404
Changes:
 unzip (6.0-25) unstable; urgency=medium
 .
   * Apply one more patch by Mark Adler:
   - Do not raise a zip bomb alert for a misplaced central directory.
     This should allow Firefox to build again. Closes: #932404.
     Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.


--- End Message ---
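The overlap check behind unzip's "overlapped components (possible zip bomb)" error, and the false positive the changelog describes, as an added example (not code from unzip, Firefox or Debian): a Python parser maps every component of a zip (the central directory and each entry's local header plus data) to its byte range and reports overlaps, but trusts a stored offset only when the expected record signature is actually there, so a misplaced central directory (constructed here by moving it ahead of the entries) or data prepended to the archive is not mistaken for overlap. `make_zip`, `move_cd_to_front` and `alias_second_entry` are constructed helpers that build the sample layouts.

```python
import io, struct, zipfile
EOCD, CDH, LFH = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"  # record signatures

def find_eocd(buf):  # -> (eocd position, entry count, cd size, stored cd offset)
    pos = buf.rfind(EOCD)
    if pos < 0: raise ValueError("no end-of-central-directory record")
    return (pos,) + struct.unpack_from("<HHHHIIH", buf, pos + 4)[3:6]

def overlapped_components(buf):
    """Zip-bomb test: pairs of components (central directory, or an entry's local
    header + data) whose byte ranges overlap. A stored offset is trusted only if its
    signature is really there; otherwise it is shifted by unzip's 'extra bytes' estimate."""
    eocd, entries, cd_size, cd_off = find_eocd(buf)
    extra = eocd - cd_size - cd_off                  # unzip's "extra bytes at beginning"
    fix = lambda off, sig: off if buf.startswith(sig, off) else off + extra
    p = fix(cd_off, CDH)
    spans = [(p, p + cd_size, "<central directory>")]
    for _ in range(entries):
        if not buf.startswith(CDH, p): raise ValueError("bad central directory at %d" % p)
        csize, _, n, m, k, _, _, _, lho = struct.unpack_from("<IIHHHHHII", buf, p + 20)
        start = fix(lho, LFH)                        # this entry's local file header
        ln, lm = struct.unpack_from("<HH", buf, start + 26)
        spans.append((start, start + 30 + ln + lm + csize, buf[p + 46:p + 46 + n].decode()))
        p += 46 + n + m + k
    return [(a[2], b[2]) for i, a in enumerate(spans) for b in spans[i + 1:]
            if a[0] < b[1] and b[0] < a[1]]

def make_zip(files):  # constructed sample archive in the usual entries-first layout
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, data in files:
            z.writestr(name, data)
    return out.getvalue()

def move_cd_to_front(buf):  # same archive with the central directory ahead of the entries
    eocd, _, cd_size, cd_off = find_eocd(buf)
    cd, p = bytearray(buf[cd_off:cd_off + cd_size]), 0
    while p < cd_size:                               # every entry moves right by cd_size
        n, m, k = struct.unpack_from("<HHH", cd, p + 28)
        struct.pack_into("<I", cd, p + 42, struct.unpack_from("<I", cd, p + 42)[0] + cd_size)
        p += 46 + n + m + k
    tail = buf[eocd:eocd + 16] + bytes(4) + buf[eocd + 20:]   # EOCD now says cd offset 0
    return bytes(cd) + buf[:cd_off] + tail

def alias_second_entry(buf):  # constructed bad archive: entry 2 points at entry 1's data
    _, _, _, cd_off = find_eocd(buf)
    n, m, k = struct.unpack_from("<HHH", buf, cd_off + 28)
    off2 = cd_off + 46 + n + m + k + 42              # local-header-offset field of entry 2
    return buf[:off2] + buf[cd_off + 42:cd_off + 46] + buf[off2 + 4:]
```

The directory-first and prepended-data archives come back clean, while the aliased archive is the genuine overlapped-components case.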
