
List:       busybox
Subject:    Issue of using "dpkg" for newer ".deb" files
From:       Ken CJ Chou <kenchou0731 () gmail ! com>
Date:       2019-09-29 4:37:37
Message-ID: CAGLgBvnrrrBydZ9L+OZeFL9aT2MEdSM+ccNAxKLhUdVAL8PY5Q () mail ! gmail ! com

Hello,

I'm using the latest version of busybox (1.31.0).
I found an issue when using "dpkg" and "dpkg-deb" in busybox.
When I performed some task to get the control info of a ".deb" file,
the output showed a "dpkg-deb: corrupted data" message.

e.g.
```
# dpkg-deb -f <some_deb_file>
Package: <some_package>
...
dpkg-deb: corrupted data
```

I looked into the source code.
In file "archival/libarchive/decompress_unxz.c", line 97, busybox tries
to decompress another xz stream when it finds that the input stream has
not ended.

So the issue happens on newer Debian package files.
The newer Debian package file format is an "ar" archive of 3 files:
"debian-binary", "control.tar.xz" and "data.tar.xz", in that order.
When performing tasks on the Debian package file, the archive handler opens
the ".deb" file as the input stream.
When busybox completes reading the section of "control.tar.xz", it
automatically tries to decompress another xz stream because there is still
the section of "data.tar.xz" in the input stream.
In this situation, busybox will read the label of the "ar" archive for the
"data.tar.xz" section. Then it fails at checking xz's header magic, and
finally a "corrupted data" error message is printed.

---

The issue can be easily reproduced by any Debian package file in Debian 10.
For example, "busybox_1.30.1-4_amd64.deb".

In my case, I can just apply a patch to disable the decompression of
another xz stream, because I don't think I need such a feature for my
"xz" utility.

But I still wonder if there is a better solution to this issue.
If you have any suggestions, please let me know.
Thank you very much.

Ken
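
The failure described in the message above can be reproduced in miniature. This is an added example, not part of the original post and not busybox code: it builds a constructed three-member "ar" archive in the order the post gives, then runs the same multi-stream xz loop once over the rest of the file and once over only the bytes the "ar" header declares for "control.tar.xz". All function names are hypothetical, and the member payloads are plain text rather than real tarballs.

```python
import lzma

AR_MAGIC = b"!<arch>\n"

def ar_member(name: bytes, data: bytes) -> bytes:
    """One ar member: 60-byte header, data, newline pad to an even length."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_sample_deb() -> bytes:
    """Constructed sample in the member order given in the post (payloads are
    plain text, not real tarballs)."""
    control = lzma.compress(b"Package: example\n")
    data = lzma.compress(b"payload bytes")
    return (AR_MAGIC + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar.xz", control)
            + ar_member(b"data.tar.xz", data))

def ar_members(blob: bytes):
    """Yield (name, data_offset, size) for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58].decode())
        yield hdr[:16].decode().rstrip(), pos + 60, size
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def unxz_all_streams(buf: bytes) -> bytes:
    """Decode xz streams back to back until the buffer is exhausted."""
    out = b""
    while buf:
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
        out += dec.decompress(buf)  # raises LZMAError on a bad header magic
        buf = dec.unused_data       # whatever follows the finished stream
    return out

def read_control(blob: bytes, bounded: bool) -> bytes:
    """Decompress control.tar.xz, limited to its ar size only when bounded."""
    for name, off, size in ar_members(blob):
        if name == "control.tar.xz":
            end = off + size if bounded else len(blob)
            return unxz_all_streams(blob[off:end])
    raise KeyError("control.tar.xz")
```

With `bounded=False` the second pass of the loop is handed the "ar" header of "data.tar.xz" and fails the xz magic check; with `bounded=True` the same loop returns the control data, because the decompressor never sees bytes beyond the declared member size.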




_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

