On 4/14/08, Dan McGee <dpmcgee@gmail.com> wrote:
On Mon, Apr 14, 2008 at 4:04 PM, Tom K <tom@archlinux.org> wrote:
Upstream vulnerability fix, our ref FS#10121, additional info here: https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html Also, man path amended.
In testing now for both arches.
Looks good on i686.
Maybe I spoke too soon. The program itself works fine, but linking against it is doing some really weird things. It seems that things are getting statically included now or something? I'm not completely sure what is going on, but my binaries for my pacman-git build went from 14K to 140K, and the strings output on the old vs. the new is showing a lot of BZ2 crud, which I've attached below (I sorted it so before/after would be as similar as possible). -Dan $ diff -u strings.old strings.new --- strings.old 2008-04-14 18:57:02.000000000 -0500 +++ strings.new 2008-04-14 18:57:29.000000000 -0500 @@ -1,3 +1,29 @@ + %d pointers, %d sorted, %d scanned + bucket sorting ... + depth %6d has + main sort initialise ... + qsort [0x%x, 0x%x] done %d this %d + reconstructing block ... + %d in block, %d after MTF & 1-2 coding, %d+2 syms in use + %d work, %d block, ratio %5.2f + bytes: mapping %d, + initial group %d, [%d .. %d], has %d syms (%4.1f%%) + pass %d: size is %d, grp uses are + [%d: huff+mtf + block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d + combined CRCs: stored = 0x%08x, computed = 0x%08x + final combined CRC = 0x%08x + too repetitive; using fallback sorting algorithm + (www.memtest86.com). At the time of writing it is free (GPLd). + Memtest86 tests memory much more thorougly than your BIOSs + Try a memory-test program. I have used Memtest86 + bzip2, and I would very much like to hear about it. Please + let me know, and, ideally, save a copy of the file causing the + points in compression, you may have a flaky memory system. + power-on test, and may find failures that the BIOS doesn't. + problem -- without which I will be unable to investigate it. + {0x%08x, 0x%08x} +%6d unresolved strings %s conflicts with %s %s/%s/depends %s/%s/desc @@ -6,18 +32,113 @@ %s: dependency file is missing %s: description file is missing %s: file list is missing +* If the error can be repeatably reproduced, this is a bug in +* If the error cannot be reproduced, and/or happens at different +*** A special note about internal error number 1007 *** /lib/ld-linux.so.2 /var/lib/pacman/ +1.0.5, 10-Dec-2007 +1G<1 +;GT| +<[^_] +<[^_] +BZ2_blockSort +BZ2_bsInitWrite +BZ2_bzBuffToBuffCompress +BZ2_bzBuffToBuffDecompress +BZ2_bzCompress +BZ2_bzCompressEnd +BZ2_bzCompressInit +BZ2_bzDecompress +BZ2_bzDecompressEnd +BZ2_bzDecompressInit +BZ2_bzRead +BZ2_bzReadClose +BZ2_bzReadGetUnused +BZ2_bzReadOpen +BZ2_bzWrite +BZ2_bzWriteClose +BZ2_bzWriteClose64 +BZ2_bzWriteOpen +BZ2_bz__AssertH__fail +BZ2_bzclose +BZ2_bzdopen +BZ2_bzerror +BZ2_bzflush +BZ2_bzlibVersion +BZ2_bzopen +BZ2_bzread +BZ2_bzwrite +BZ2_compressBlock +BZ2_crc32Table +BZ2_decompress +BZ2_hbAssignCodes +BZ2_hbCreateDecodeTables +BZ2_hbMakeCodeLengths +BZ2_indexIntoF +BZ2_rNums +CONFIG_ERROR +DATA_ERROR +DATA_ERROR_MAGIC +Experience suggests that a common cause of i.e. 1007 +FD;FH +FP;FL +FP;FL +FP;FL| +G 9E +G 9E +G 9E +G,u? +G8u$ +G8u$ +G8u' +G8u' +G8u' +G8u' +G<u' GLIBC_2.0 +GLIBC_2.1 +GLIBC_2.3 +I suggest the following: try compressing the file again, +IO_ERROR LIBSSP_1.0 -PTRh` -QVh0 +MEM_ERROR +ND;NH +NP;NL +O8iE +O8iE +O8iE +OUTBUFF_FULL +PARAM_ERROR +PTRh m +Please report it to me at: jseward@bzip.org. If this happened +QVh` +SEQUENCE_ERROR +This is a bug in bzip2/libbzip2, %s. +UNEXPECTED_EOF +US]CQ +VUUU +VUUU +W8iE +W8iE +W8iE WVSQ Y[^_] [^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +[^_] +^(BM _IO_stdin_used _Jv_RegisterClasses __bss_start +__ctype_b_loc __errno_location __gmon_start__ __libc_start_main @@ -43,31 +164,60 @@ alpm_option_set_logcb alpm_release alpm_strerrorlast +bzip2/libbzip2: internal error number %d. cannot initialize alpm: %s +code lengths %d, +codes %d +component, you should also report this bug to the author(s) error : %s : %s error releasing alpm: %s error: error: could not register 'local' database (%s) exit +fclose +fdopen +ferror +fflush +fgetc +fopen64 +fputc +fread free +fwrite +is unreliable memory or other hardware. The 1007 assertion +just happens to cross-check the results of huge numbers of +kZ;& libacl.so.1 libalpm.so.2 libarchive.so.2 libattr.so.1 -libbz2.so.1.0 libc.so.6 libdownload.so libssp.so.0 libz.so.1 +malloc +memory reads/writes, and so acts (unintendedly) as a stress missing dependency for %s : %s +of that program. Please make an effort to report this bug; opendir +possibly monitoring progress in detail with the -vv flag. +quality software. Thanks. Julian Seward, 10 December 2007. readdir +rt+rld +selectors %d, snprintf stderr +stdin stdout +strcat strcmp strerror +strlen +test of your memory system. testdb +timely and accurate bug reports eventually lead to higher +ungetc usage: %s -b <pacman db> vfprintf warning: +when you were using some program which uses libbzip2 as a