[arch-dev-public] [signoff] bzip2 1.0.5-1

dpmcgee at gmail.com dpmcgee at gmail.com
Mon Apr 14 19:59:35 EDT 2008 

On 4/14/08, Dan McGee <dpmcgee at gmail.com> wrote:
> On Mon, Apr 14, 2008 at 4:04 PM, Tom K <tom at archlinux.org> wrote:
> > Upstream vulnerability fix, our ref FS#10121, additional info here:
> > https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
> >  Also, man path amended.
> >
> >  In testing now for both arches.
>
> Looks good on i686.

Maybe I spoke too soon. The program itself works fine, but linking
against it is doing some really weird things. It seems that things are
getting statically included now or something? I'm not completely sure
what is going on, but my binaries for my pacman-git build went from
14K to 140K, and the strings output on the old vs. the new is showing
a lot of BZ2 crud, which I've attached below (I sorted it so
before/after would be as similar as possible).

-Dan

$ diff -u strings.old strings.new
--- strings.old	2008-04-14 18:57:02.000000000 -0500
+++ strings.new	2008-04-14 18:57:29.000000000 -0500
@@ -1,3 +1,29 @@
+        %d pointers, %d sorted, %d scanned
+        bucket sorting ...
+        depth %6d has
+        main sort initialise ...
+        qsort [0x%x, 0x%x]   done %d   this %d
+        reconstructing block ...
+      %d in block, %d after MTF & 1-2 coding, %d+2 syms in use
+      %d work, %d block, ratio %5.2f
+      bytes: mapping %d,
+      initial group %d, [%d .. %d], has %d syms (%4.1f%%)
+      pass %d: size is %d, grp uses are
+    [%d: huff+mtf
+    block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d
+    combined CRCs: stored = 0x%08x, computed = 0x%08x
+    final combined CRC = 0x%08x
+    too repetitive; using fallback sorting algorithm
+  (www.memtest86.com).  At the time of writing it is free (GPLd).
+  Memtest86 tests memory much more thorougly than your BIOSs
+  Try a memory-test program.  I have used Memtest86
+  bzip2, and I would very much like to hear about it.  Please
+  let me know, and, ideally, save a copy of the file causing the
+  points in compression, you may have a flaky memory system.
+  power-on test, and may find failures that the BIOS doesn't.
+  problem -- without which I will be unable to investigate it.
+ {0x%08x, 0x%08x}
+%6d unresolved strings
 %s conflicts with %s
 %s/%s/depends
 %s/%s/desc
@@ -6,18 +32,113 @@
 %s: dependency file is missing
 %s: description file is missing
 %s: file list is missing
+* If the error can be repeatably reproduced, this is a bug in
+* If the error cannot be reproduced, and/or happens at different
+*** A special note about internal error number 1007 ***
 /lib/ld-linux.so.2
 /var/lib/pacman/
+1.0.5, 10-Dec-2007
+1G<1
+;GT|
+<[^_]
+<[^_]
+BZ2_blockSort
+BZ2_bsInitWrite
+BZ2_bzBuffToBuffCompress
+BZ2_bzBuffToBuffDecompress
+BZ2_bzCompress
+BZ2_bzCompressEnd
+BZ2_bzCompressInit
+BZ2_bzDecompress
+BZ2_bzDecompressEnd
+BZ2_bzDecompressInit
+BZ2_bzRead
+BZ2_bzReadClose
+BZ2_bzReadGetUnused
+BZ2_bzReadOpen
+BZ2_bzWrite
+BZ2_bzWriteClose
+BZ2_bzWriteClose64
+BZ2_bzWriteOpen
+BZ2_bz__AssertH__fail
+BZ2_bzclose
+BZ2_bzdopen
+BZ2_bzerror
+BZ2_bzflush
+BZ2_bzlibVersion
+BZ2_bzopen
+BZ2_bzread
+BZ2_bzwrite
+BZ2_compressBlock
+BZ2_crc32Table
+BZ2_decompress
+BZ2_hbAssignCodes
+BZ2_hbCreateDecodeTables
+BZ2_hbMakeCodeLengths
+BZ2_indexIntoF
+BZ2_rNums
+CONFIG_ERROR
+DATA_ERROR
+DATA_ERROR_MAGIC
+Experience suggests that a common cause of i.e. 1007
+FD;FH
+FP;FL
+FP;FL
+FP;FL|
+G 9E
+G 9E
+G 9E
+G,u?
+G8u$
+G8u$
+G8u'
+G8u'
+G8u'
+G8u'
+G<u'
 GLIBC_2.0
+GLIBC_2.1
+GLIBC_2.3
+I suggest the following: try compressing the file again,
+IO_ERROR
 LIBSSP_1.0
-PTRh`
-QVh0
+MEM_ERROR
+ND;NH
+NP;NL
+O8iE
+O8iE
+O8iE
+OUTBUFF_FULL
+PARAM_ERROR
+PTRh m
+Please report it to me at: jseward at bzip.org.  If this happened
+QVh`
+SEQUENCE_ERROR
+This is a bug in bzip2/libbzip2, %s.
+UNEXPECTED_EOF
+US]CQ
+VUUU
+VUUU
+W8iE
+W8iE
+W8iE
 WVSQ
 Y[^_]
 [^_]
+[^_]
+[^_]
+[^_]
+[^_]
+[^_]
+[^_]
+[^_]
+[^_]
+[^_]
+^(BM
 _IO_stdin_used
 _Jv_RegisterClasses
 __bss_start
+__ctype_b_loc
 __errno_location
 __gmon_start__
 __libc_start_main
@@ -43,31 +164,60 @@
 alpm_option_set_logcb
 alpm_release
 alpm_strerrorlast
+bzip2/libbzip2: internal error number %d.
 cannot initialize alpm: %s
+code lengths %d,
+codes %d
+component, you should also report this bug to the author(s)
 error : %s : %s
 error releasing alpm: %s
 error:
 error: could not register 'local' database (%s)
 exit
+fclose
+fdopen
+ferror
+fflush
+fgetc
+fopen64
+fputc
+fread
 free
+fwrite
+is unreliable memory or other hardware.  The 1007 assertion
+just happens to cross-check the results of huge numbers of
+kZ;&
 libacl.so.1
 libalpm.so.2
 libarchive.so.2
 libattr.so.1
-libbz2.so.1.0
 libc.so.6
 libdownload.so
 libssp.so.0
 libz.so.1
+malloc
+memory reads/writes, and so acts (unintendedly) as a stress
 missing dependency for %s : %s
+of that program.  Please make an effort to report this bug;
 opendir
+possibly monitoring progress in detail with the -vv flag.
+quality software.  Thanks.  Julian Seward, 10 December 2007.
 readdir
+rt+rld
+selectors %d,
 snprintf
 stderr
+stdin
 stdout
+strcat
 strcmp
 strerror
+strlen
+test of your memory system.
 testdb
+timely and accurate bug reports eventually lead to higher
+ungetc
 usage: %s -b <pacman db>
 vfprintf
 warning:
+when you were using some program which uses libbzip2 as a

More information about the arch-dev-public mailing list