Your message dated Mon, 12 Aug 2019 19:17:26 +0000
with message-id <e1hxfos-000eed...@fasolo.debian.org>
and subject line Bug#932404: fixed in unzip 6.0-23+deb10u1
has caused the Debian Bug report #932404,
regarding firefox-esr, FTBFS "possible zip bomb".
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
932404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932404
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: firefox-esr
version: 60.8.0esr-1
severity: serious
While trying to update firefox-esr in raspbian bullseye I ran into a "possible zip
bomb" error. The failure also shows up on the reproducible builds site for i386 and
arm64, so it's not raspbian-specific.
warning [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: 34207731 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [debian/tmp/usr/lib/firefox-esr/browser/omni.ja]: reported length of central directory is
  -34207731 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
  zipfile?). Compensating...
error: invalid zip file with overlapped components (possible zip bomb)
make[2]: [debian/rules:309: stamps/install-browser] Error 12 (ignored)
touch stamps/install-browser
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
debian/rules override_dh_install
make[2]: Entering directory '/build/1st/firefox-esr-60.8.0esr'
awk '{print "debian/tmp/" $1 }' < debian/noinstall | xargs rm -r
rm: cannot remove 'debian/tmp/usr/lib/firefox-esr/browser/defaults/preferences/firefox-l10n.js': No such file or directory
make[2]: *** [debian/rules:327: stamps/dh_install] Error 123
make[2]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make[1]: *** [debian/rules:353: install] Error 2
make[1]: Leaving directory '/build/1st/firefox-esr-60.8.0esr'
make: *** [debian/rules:353: binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2
--- End Message ---
--- Begin Message ---
Source: unzip
Source-Version: 6.0-23+deb10u1
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanv...@debian.org> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 30 Jul 2019 22:26:10 +0200
Source: unzip
Architecture: source
Version: 6.0-23+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Santiago Vila <sanv...@debian.org>
Changed-By: Santiago Vila <sanv...@debian.org>
Closes: 931433 932404
Changes:
unzip (6.0-23+deb10u1) buster; urgency=medium
.
  * Apply three patches by Mark Adler to fix CVE-2019-13232.
    - Fix bug in undefer_input() that misplaced the input state.
    - Detect and reject a zip bomb using overlapped entries.
      Bug discovered by David Fifield. Closes: #931433.
    - Do not raise a zip bomb alert for a misplaced central directory.
      Reported by Peter Green. Closes: #932404.
--- End Message ---
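The two behaviours named in the changelog above, the overlapped-entry check behind CVE-2019-13232 and the compensation for a misplaced central directory that stops an archive with leading extra bytes (the omni.ja case from the build log) from being reported as a bomb, as an added Python illustration; this is not unzip's or the Debian package's code, and make_zip, check_zip, forge_overlap and the archive contents are all constructed here.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def make_zip(members):
    """Constructed sample: a small, well-formed archive built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def check_zip(data):
    """Return ('ok'|'overlap'|'bad', shift); shift = extra bytes found before the archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return "bad", 0
    n, cd_size, cd_off = struct.unpack_from("<4sHHHHIIH", data, eocd)[4:7]
    # The central directory really ends right before the EOCD record; the gap between
    # that and the offset the EOCD claims is unzip's "extra bytes at beginning".
    shift = (eocd - cd_size) - cd_off
    if shift < 0:
        return "bad", shift
    spans, pos = [], cd_off + shift
    for _ in range(n):
        h = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        csize, nlen, elen, clen, loc = h[8], h[10], h[11], h[12], h[16] + shift
        lh = struct.unpack_from("<4sHHHHHIIIHH", data, loc) if h[0] == CEN_SIG else ()
        if not lh or lh[0] != LOC_SIG:
            return "bad", shift
        # Bytes this entry occupies: local header, name, extra field, compressed payload.
        spans.append((loc, loc + 30 + lh[9] + lh[10] + csize))
        pos += 46 + nlen + elen + clen
    spans.sort()  # an overlapped-entry bomb shares one payload, so ranges intersect
    overlap = any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))
    return ("overlap" if overlap else "ok"), shift

def forge_overlap(data):
    """Constructed fixture: point the 2nd central-directory entry at the 1st entry's header."""
    eocd = data.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    nlen, elen, clen = struct.unpack_from("<HHH", data, cd_off + 28)
    second = cd_off + 46 + nlen + elen + clen
    return data[:second + 42] + data[cd_off + 42:cd_off + 46] + data[second + 46:]

SAMPLE = make_zip({"a.txt": b"hello" * 100, "b.txt": b"world" * 100})
PREFIXED = b"JUNK" * 1000 + SAMPLE  # leading bytes, as with omni.ja's own header
```

check_zip(PREFIXED) reports the 4000 leading bytes as a shift and still returns "ok", which is the distinction the third patch restores; only the forged fixture trips the overlap check.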