Bernhard R. Link: > * Ximin Luo <[email protected]> [191223 12:58]: >> dpkg and all other debian tools support it right now. It is only reprepro >> with this artifical constraint, which makes it not work for packages that >> are processable by dpkg and other debian tools. > > If it is artifical, then it is artifically high. It is 128 times more than > what almost every single package needs and more than five times what the most > absurd package before needed and twice what other tools are said to have > had as limit there. I will increase it in reprepro (and maybe might make it > configurable to some extent), but there will always be an upper limit. >
OK, as long as it doesn't stop people from pulling in the normal Debian archive. The package in question had another RC bug filed against it (uninstallable B-D); in the process of updating it, the Provides entry is now again 277988 bytes big. Therefore I've source-only uploaded an NMU of reprepro to DELAYED/5 with the limit set to 4MB. It builds fine, so anyone who needs it urgently can apply the debdiff attached themselves. >> Are you suggesting that dpkg and other tools have a concrete security >> problem? > > dpkg does not check checksums of index files, so it is likely > uneffected. If apt has no limit then that likely makes some attacks > needlessly easy (though it might have other mitigations in that regard, > and there are less things apt has to care about the way it is typically > used). > Accepting absurd input without confirmation is never a secure way to handle > things, though. > I don't see any similar limits on the size of .deb files (or lists files, or whatever), so the limit on the Provides: field *inside* a .deb file seems out-of-place. Also "dput" into a reprepro repository with this size of a Provides file works totally fine, it seems the limit is only hit when pulling from another mirror. X -- GPG: ed25519/56034877E1F87C35 GPG: rsa4096/1318EFAC5FBBDBCE https://github.com/infinity0/pubkeys.git
diff -Nru reprepro-5.3.0/debian/changelog reprepro-5.3.0/debian/changelog --- reprepro-5.3.0/debian/changelog 2019-02-02 22:20:17.000000000 +0000 +++ reprepro-5.3.0/debian/changelog 2020-01-17 02:03:27.000000000 +0000 @@ -1,3 +1,11 @@ +reprepro (5.3.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Bump up the maxsize on a fixed-size C buffer to avoid breaking on some + autogenerated rust packages. (Closes: #942487) + + -- Ximin Luo <[email protected]> Fri, 17 Jan 2020 02:03:27 +0000 + reprepro (5.3.0-1) unstable; urgency=medium * new release diff -Nru reprepro-5.3.0/debian/patches/bump-buffer-size reprepro-5.3.0/debian/patches/bump-buffer-size --- reprepro-5.3.0/debian/patches/bump-buffer-size 1970-01-01 01:00:00.000000000 +0100 +++ reprepro-5.3.0/debian/patches/bump-buffer-size 2020-01-17 01:58:23.000000000 +0000 @@ -0,0 +1,15 @@ +Description: Bump up the maxsize on a fixed-size C buffer to avoid breaking on some autogenerated rust packages. (Closes: #942487) +Author: Ximin Luo <[email protected]> +Bug-Debian: https://bugs.debian.org/942487 + +--- reprepro-5.3.0.orig/indexfile.c ++++ reprepro-5.3.0/indexfile.c +@@ -63,7 +63,7 @@ retvalue indexfile_open(struct indexfile + f->linenumber = 0; + f->startlinenumber = 0; + f->status = RET_OK; +- f->size = 256*1024; ++ f->size = 4*1024*1024; + f->ofs = 0; + f->content = 0; + /* +1 for *d = '\0' in eof case */ diff -Nru reprepro-5.3.0/debian/patches/series reprepro-5.3.0/debian/patches/series --- reprepro-5.3.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ reprepro-5.3.0/debian/patches/series 2020-01-17 01:57:30.000000000 +0000 @@ -0,0 +1 @@ +bump-buffer-size

