Bernhard R. Link:
> * Ximin Luo <[email protected]> [191223 12:58]:
>> dpkg and all other debian tools support it right now. It is only reprepro 
>> with this artifical constraint, which makes it not work for packages that 
>> are processable by dpkg and other debian tools.
> 
> If it is artifical, then it is artifically high. It is 128 times more than
> what almost every single package needs and more than five times what the most
> absurd package before needed and twice what other tools are said to have
> had as limit there. I will increase it in reprepro (and maybe might make it
> configurable to some extent), but there will always be an upper limit.
> 

OK, as long as it doesn't stop people from pulling in the normal Debian archive.

The package in question had another RC bug filed against it (uninstallable 
B-D); in the process of updating it, the Provides entry is now again 277988 
bytes big.

Therefore I've source-only uploaded an NMU of reprepro to DELAYED/5 with the 
limit set to 4MB. It builds fine, so anyone who needs it urgently can apply the 
debdiff attached themselves.

>> Are you suggesting that dpkg and other tools have a concrete security 
>> problem?
> 
> dpkg does not check checksums of index files, so it is likely
> uneffected. If apt has no limit then that likely makes some attacks
> needlessly easy (though it might have other mitigations in that regard,
> and there are less things apt has to care about the way it is typically
> used).
> Accepting absurd input without confirmation is never a secure way to handle
> things, though.
> 

I don't see any similar limits on the size of .deb files (or lists files, or 
whatever), so the limit on the Provides: field *inside* a .deb file seems 
out-of-place. Also "dput" into a reprepro repository with this size of a 
Provides file works totally fine, it seems the limit is only hit when pulling 
from another mirror.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
diff -Nru reprepro-5.3.0/debian/changelog reprepro-5.3.0/debian/changelog
--- reprepro-5.3.0/debian/changelog	2019-02-02 22:20:17.000000000 +0000
+++ reprepro-5.3.0/debian/changelog	2020-01-17 02:03:27.000000000 +0000
@@ -1,3 +1,11 @@
+reprepro (5.3.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Bump up the maxsize on a fixed-size C buffer to avoid breaking on some
+    autogenerated rust packages. (Closes: #942487)
+
+ -- Ximin Luo <[email protected]>  Fri, 17 Jan 2020 02:03:27 +0000
+
 reprepro (5.3.0-1) unstable; urgency=medium
 
   * new release
diff -Nru reprepro-5.3.0/debian/patches/bump-buffer-size reprepro-5.3.0/debian/patches/bump-buffer-size
--- reprepro-5.3.0/debian/patches/bump-buffer-size	1970-01-01 01:00:00.000000000 +0100
+++ reprepro-5.3.0/debian/patches/bump-buffer-size	2020-01-17 01:58:23.000000000 +0000
@@ -0,0 +1,15 @@
+Description: Bump up the maxsize on a fixed-size C buffer to avoid breaking on some autogenerated rust packages. (Closes: #942487)
+Author: Ximin Luo <[email protected]>
+Bug-Debian: https://bugs.debian.org/942487
+
+--- reprepro-5.3.0.orig/indexfile.c
++++ reprepro-5.3.0/indexfile.c
+@@ -63,7 +63,7 @@ retvalue indexfile_open(struct indexfile
+ 	f->linenumber = 0;
+ 	f->startlinenumber = 0;
+ 	f->status = RET_OK;
+-	f->size = 256*1024;
++	f->size = 4*1024*1024;
+ 	f->ofs = 0;
+ 	f->content = 0;
+ 	/* +1 for *d = '\0' in eof case */
diff -Nru reprepro-5.3.0/debian/patches/series reprepro-5.3.0/debian/patches/series
--- reprepro-5.3.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ reprepro-5.3.0/debian/patches/series	2020-01-17 01:57:30.000000000 +0000
@@ -0,0 +1 @@
+bump-buffer-size

Reply via email to