[Git][reproducible-builds/strip-nondeterminism][debian] 7 commits: Catch an edge-case where we can't even parse the provided length of an invalid...

Chris Lamb gitlab at salsa.debian.org
Sun Apr 28 18:31:24 CEST 2019 


Chris Lamb pushed to branch debian at Reproducible Builds / strip-nondeterminism


Commits:
783d44e3 by Chris Lamb at 2019-04-28T09:17:11Z
Catch an edge-case where we can't even parse the provided length of an invalid field within zip files.

- - - - -
b164403e by Chris Lamb at 2019-04-28T09:20:12Z
Check the return status from Archive::Zip when writing file to disk.

- - - - -
f40f5550 by Chris Lamb at 2019-04-28T09:54:40Z
Workaround Archive::Zip's incorrect handling of the localExtraField field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership (uid/gid) within .zip archives, .epub files, etc. (Closes: #858431, reproducible-builds/strip-nondeterminism#4)

- - - - -
e6b1d81b by Chris Lamb at 2019-04-28T16:25:51Z
Release version 1.1.3

- - - - -
48be1d06 by Chris Lamb at 2019-04-28T16:26:07Z
Merge tag '1.1.3' into debian

Release version 1.1.3

* tag '1.1.3':
  Release version 1.1.3
  Workaround Archive::Zip's incorrect handling of the localExtraField field by monkey-patching the accessor methods to always return normalised values. This fixes the normalisation of Unix ownership (uid/gid) within .zip archives, .epub files, etc. (Closes: #858431, reproducible-builds/strip-nondeterminism#4)
  Check the return status from Archive::Zip when writing file to disk.
  Catch an edge-case where we can't even parse the provided length of an invalid field within zip files.

- - - - -
85255a1a by Chris Lamb at 2019-04-28T16:30:19Z
Add libmonkey-patch-perl as a binary / build dependency.

- - - - -
6b532938 by Chris Lamb at 2019-04-28T16:30:33Z
Update changelog for 1.1.3-1 release

- - - - -


5 changed files:

- Makefile.PL
- debian/changelog
- debian/control
- lib/File/StripNondeterminism.pm
- lib/File/StripNondeterminism/handlers/zip.pm


Changes:

=====================================
Makefile.PL
=====================================
@@ -17,6 +17,7 @@ WriteMakefile(
 		'Archive::Cpio'	=> 0, # required to pass tests
 		'Archive::Zip'	=> 0,
 		'Getopt::Long'	=> 0,
+		'Monkey::Patch'	=> 0,
 	},
 	LICENSE		=> "gpl",
 	dist		=> { COMPRESS => 'gzip -9nf', SUFFIX => 'gz', },


=====================================
debian/changelog
=====================================
@@ -1,3 +1,16 @@
+strip-nondeterminism (1.1.3-1) experimental; urgency=medium
+
+  * Workaround Archive::Zip's incorrect handling of the localExtraField field
+    by monkey-patching the accessor methods to always return normalised values.
+    This fixes the normalisation of Unix ownership (uid/gid) within .zip
+    archives, .epub files, etc.
+    (Closes: #858431, reproducible-builds/strip-nondeterminism#4)
+  * Check the return status from Archive::Zip when writing file to disk.
+  * Catch an edgecase where/if we can't parse the provided length of an
+    invalid field within .zip files.
+
+ -- Chris Lamb <lamby at debian.org>  Sun, 28 Apr 2019 17:30:27 +0100
+
 strip-nondeterminism (1.1.2-1) unstable; urgency=medium
 
   * Call file(1) with the "--" argument placeholder to fix normalisation of


=====================================
debian/control
=====================================
@@ -8,6 +8,7 @@ Build-Depends-Indep:
  libarchive-cpio-perl <!nocheck>,
  libarchive-zip-perl,
  libdevel-cover-perl,
+ libmonkey-patch-perl,
  perl,
 Maintainer: Reproducible builds folks <reproducible-builds at lists.alioth.debian.org>
 Uploaders:
@@ -26,6 +27,7 @@ Section: perl
 Architecture: all
 Depends:
  libarchive-zip-perl,
+ libmonkey-patch-perl,
  ${misc:Depends},
  ${perl:Depends},
 Recommends:


=====================================
lib/File/StripNondeterminism.pm
=====================================
@@ -25,7 +25,7 @@ use POSIX qw(tzset);
 
 our($VERSION, $canonical_time, $clamp_time);
 
-$VERSION = '1.1.2'; # <https://semver.org/>
+$VERSION = '1.1.3'; # <https://semver.org/>
 
 sub init() {
 	$ENV{'TZ'} = 'UTC';


=====================================
lib/File/StripNondeterminism/handlers/zip.pm
=====================================
@@ -24,6 +24,7 @@ use warnings;
 use File::Temp;
 use File::StripNondeterminism;
 use Archive::Zip qw/:CONSTANTS :ERROR_CODES/;
+use Monkey::Patch qw/patch_class/;
 
 # A magic number from Archive::Zip for the earliest timestamp that
 # can be represented by a Zip file.  From the Archive::Zip source:
@@ -145,6 +146,10 @@ sub normalize_extra_fields($$) {
 		} else {
 			# Catch invalid field lengths by calculating whether we would
 			# read beyond the end of the file.
+			if (!defined($len)) {
+				warn "strip-nondeterminism: unknown extra field length";
+				return;
+			}
 			if ($pos + $len >= length($field)) {
 				warn "strip-nondeterminism: invalid extra field length ($len)";
 				return;
@@ -213,14 +218,34 @@ sub normalize {
 				? oct(755)
 				: oct(644));
 		}
-		foreach my $x (qw(cdExtraField localExtraField)) {
-			my $result = normalize_extra_fields($canonical_time, $member->$x);
-			return 0 unless defined $result;
-			$member->$x($result);
-		}
 	}
 	my $old_perms = (stat($zip_filename))[2] & oct(7777);
-	$zip->overwrite();
+
+	# Archive::Zip::Member does not handle the localExtraField field (used for
+	# uid/gids) correctly or consistently.
+	#
+	# It does not populate localExtraField in the class upon initial reading of
+	# the file whilst it does for cdExtraField. One can workaround this
+	# manually with calls to _seekToLocalHeader and _readLocalFileHeader but
+	# upon writing to a file back to the disk Archive::Zip will ignore any
+	# stored value of localExtraField (!) and reload it again from the existing
+	# file handle in/around rewindData.
+	#
+	# We therefore monkey-patch the accessor methods of the Member class to
+	# ensure that normalised values are used in this final save.
+	#
+	# <https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issues/4>
+	my @patches = map {
+		patch_class('Archive::Zip::Member', $_, sub {
+			my $fn = shift;
+			my $result = $fn->(@_);
+			return defined($result) ?
+				normalize_extra_fields($canonical_time, $result) : $result;
+		});
+	} qw(cdExtraField localExtraField);
+
+	return 0 unless $zip->overwrite() == AZ_OK;
+	undef @patches; # Remove our monkey patches
 	chmod($old_perms, $zip_filename);
 	return 1;
 }



View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/compare/b9f7ff12933e6bc0f5801940702d3c6e99dd69ab...6b532938556dabae5d17be902d3332a8034adf60

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/strip-nondeterminism/compare/b9f7ff12933e6bc0f5801940702d3c6e99dd69ab...6b532938556dabae5d17be902d3332a8034adf60
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20190428/19a01ca0/attachment.html>

More information about the rb-commits mailing list