Santiago Vila wrote:

> E   zipfile.BadZipFile: Overlapped entries: 'dir/text' (possible zip bomb)

(FAO to help folks joining the thread: this was from a rebuild of stable,
not of unstable. This bug does not affect unstable nor testing.)

So, this is essentially the same issue as #1068705, which we believe was
caused by a regression in CPython [0] which was, in turn, caused by an
attempt to make the handling of .zip files safer [1]. We worked around this
in diffoscope by catching the exception [2]. Then, we added a visible user
note that we had done so [3].

I think we have four options:

 1. Revert the security-related changes in CPython.
 2. Write and apply a patch to CPython to fix the CPython regression.
 3. Backport the two patches (or just the second [2]) to stable.
 4. Do nothing and accept that diffoscope FTBFS in stable.

(1) is pretty much a no-go, and then I don't think a patch to (2) will be
forthcoming as I lack the confidence to safely write one. And (4) only works
if we think that someone will effect (2) for us, will be backported by the
CPython devs _and_ it will land in bookworm soon. A tall order.

(3) is thus probably the best plan. The first (or both) of the linked changes
[2][3] could straightforwardly and safely be backported to stable… if folks
think that it is justified.

Let me know.

Regards,

— lamby

 [0] https://github.com/python/cpython/issues/117779
 [1] https://github.com/python/cpython/pull/110016
 [2] https://salsa.debian.org/reproducible-builds/diffoscope/commit/9c7e817c79f19e67e56d564b55b728a54a35423b
 [3] https://salsa.debian.org/reproducible-builds/diffoscope/-/merge_requests/140/diffs

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-
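The message above discusses two things a reader may want to see concretely: the overlap rule that the hardened CPython zipfile applies before extracting a member, and the diffoscope approach of catching zipfile.BadZipFile instead of aborting. The following is an added, self-contained Python example written for this page; it is not code from diffoscope, CPython or the linked commits. It builds an ordinary archive, crafts one whose central directory lists the same local header twice (the bare overlap that a quoted-overlap zip bomb relies on, without the nested headers a real bomb uses), runs an independent re-implementation of the overlap rule over both, and shows the catch-the-exception handling. The helper names (build_zip, build_overlap_zip, find_overlapping_entries, read_member_or_none) and the sample file contents are constructed for the example. Whether read_member_or_none returns the bytes or None for the crafted archive depends on whether the interpreter carries the [1] change; the overlap detector itself does not depend on the CPython version.

```python
import io
import struct
import zipfile

# Constructed sample archive content; nothing here comes from the bug report.
LEGIT_FILES = {
    "dir/text": b"hello from a legitimate archive\n",
    "dir/other": b"second member\n",
}

LOCAL_SIG = b"PK\x03\x04"
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_zip(files):
    """Write an ordinary, well-formed archive with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _parse_eocd(archive):
    """Return (entry_count, cd_size, cd_offset) from the end-of-central-directory
    record. Assumes a non-zip64 archive with no archive comment (what build_zip
    produces for small inputs)."""
    eocd = archive[-22:]
    if eocd[:4] != EOCD_SIG:
        raise ValueError("unsupported archive layout (archive comment or zip64?)")
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", eocd[4:])
    return total, cd_size, cd_offset


def build_overlap_zip(name, data):
    """Craft an archive whose central directory carries the same record twice,
    so two listed members share one byte range. Hypothetical helper for this
    example: it reproduces only the overlap, not a full quoted-overlap bomb."""
    archive = build_zip({name: data})
    total, cd_size, cd_offset = _parse_eocd(archive)
    assert total == 1
    cd = archive[cd_offset:cd_offset + cd_size]
    assert cd[:4] == CDIR_SIG
    new_cd = cd + cd  # second directory record points at the same local header
    new_eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 2, 2, len(new_cd), cd_offset, 0)
    return archive[:cd_offset] + new_cd + new_eocd


def find_overlapping_entries(archive):
    """Independent re-implementation of the overlap rule: a member's local
    header plus its compressed data must end at or before the next member's
    local header (or the central directory, for the last member). Returns the
    names of members that violate it."""
    _, _, cd_offset = _parse_eocd(archive)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
    bad = []
    for i, zi in enumerate(infos):
        off = zi.header_offset
        if archive[off:off + 4] != LOCAL_SIG:
            bad.append(zi.filename)  # directory offset does not land on a header
            continue
        # Local header: 30 fixed bytes, then file name, then extra field, then data.
        name_len, extra_len = struct.unpack("<HH", archive[off + 26:off + 30])
        end = off + 30 + name_len + extra_len + zi.compress_size
        limit = infos[i + 1].header_offset if i + 1 < len(infos) else cd_offset
        if end > limit:
            bad.append(zi.filename)
    return bad


def read_member_or_none(archive, name):
    """The workaround pattern described in the message: a BadZipFile (including
    the 'Overlapped entries' rejection on a patched CPython) is reported as
    'could not extract' rather than aborting the whole run."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    print(find_overlapping_entries(build_zip(LEGIT_FILES)))  # []
    crafted = build_overlap_zip("dir/text", b"x" * 64)
    print(find_overlapping_entries(crafted))  # ['dir/text']
    # Bytes on an unpatched interpreter, None on one that rejects the overlap.
    print(read_member_or_none(crafted, "dir/text"))
```

The detector deliberately reads the local header sizes from the file rather than trusting the central directory, because the compressed data starts after the local name and extra fields, which may differ from the central copy. That also makes it a reasonable pre-check to run in a tool that must keep working across interpreter versions with and without the upstream change.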