
Bug#1050588: bookworm-pu: package nsis/nsis 3.08-3


Christian Franke

Aug 26, 2023, 1:40:05 PM
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.d...@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ns...@packages.debian.org, christia...@t-online.de
Control: affects -1 + src:nsis

Please update nsis 3.08-3 to 3.09.

[ Reason ]
Generated installers contain invalid relocation information, see
Bug#1050288. This is a regression introduced by a changed behavior
of the MinGW-w64 toolchain.
nsis 3.06.1-1 on bullseye is not affected because an older version
of the toolchain is used.
nsis-3.09-1 on trixie is not affected because NSIS upstream
addressed this problem in release 3.09.

This update also fixes security vulnerability CVE-2023-37378,
see Bug#1040880.

[ Impact ]
Large installers may work on Windows, but small installers do not.
Even if an installer works, warning messages from security scanners
may be triggered because the file is considered corrupt.

[ Tests ]
Create a small installer with makensis.
The problem is fixed if 'objdump -p' no longer complains
"BFD: error: FILE.exe(.reloc) is too large"
and the size of the '.reloc' section is 0.
See Bug#1050288 for details.

[ Risks ]
NSIS 3.09 is the official upstream release proven to work for
some time now.
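Added example, not part of the bug report or of the nsis package: a small PE section-table parser that applies the check described under [ Tests ] programmatically, reporting the size of the '.reloc' section (0 means the stub carries no relocations) and whether the section's declared raw data even fits inside the file. The two sample images are constructed inline and are not real NSIS stubs; the "fits in file" test is an approximation of what makes objdump/BFD report the section as too large, not the exact BFD logic.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def pe_sections(data):
    """Yield (name, virtual_size, raw_size, raw_ptr) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                              # section table start
    for i in range(nsect):
        name, vsize, _va, rsize, rptr, *_ = SECTION_HDR.unpack_from(data, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, rptr

def check_reloc(data):
    """Return (reloc_size, fits): the .reloc size (0 == fixed installer) and whether
    its raw data lies inside the file. A declared extent running past EOF is the
    kind of inconsistency behind objdump's "is too large" complaint (approximation)."""
    for name, vsize, rsize, rptr in pe_sections(data):
        if name == ".reloc":
            return max(vsize, rsize), rptr + rsize <= len(data)
    return 0, True                                              # no .reloc at all

def build_pe(sections, size=0x400):
    """Constructed minimal PE32 image (not a real NSIS stub) with the given
    (name, virtual_size, raw_size, raw_ptr) section headers, zero-padded to `size`."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(SECTION_HDR.pack(n.ljust(8, b"\0"), vs, 0x1000, rs, rp, 0, 0, 0, 0, 0x40000040)
                     for n, vs, rs, rp in sections)
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return img + b"\0" * (size - len(img))

# Constructed samples: a fixed stub with an empty .reloc, and a broken one whose
# .reloc header claims 4 KiB of relocation data beyond the end of the 1 KiB file.
FIXED = build_pe([(b".text", 0x100, 0x200, 0x200), (b".reloc", 0, 0, 0)])
BROKEN = build_pe([(b".text", 0x100, 0x200, 0x200), (b".reloc", 0x1000, 0x1000, 0x400)])
```

For a real makensis output, read the .exe into `data` and call `check_reloc(data)`; a result of `(0, True)` matches the page's success criterion of a zero-sized '.reloc' section.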

Adam D. Barratt

Aug 26, 2023, 2:00:06 PM
Control: tags -1 + moreinfo

On Sat, 2023-08-26 at 19:35 +0200, Christian Franke wrote:
> Please update nsis 3.08-3 to 3.09.
>

You appear to have missed the "attach a diff of the proposed package
that you have prepared and tested on stable and intend to upload" step.
Either that, or fundamentally misunderstood the role of the Release
Team in the process.

Regards,

Adam

Thomas Gaugler

Feb 3, 2024, 4:40:05 AM
Control: tags -1 -moreinfo
Control: owner -1 Thomas Gaugler <tho...@dadie.net>

Hi Adam,

I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
propose the changes committed into the debian/bookworm branch on the
27th January 2024 to be released as updated nsis 3.08-3+deb12u1 packages
(<https://salsa.debian.org/debian/nsis/-/commits/debian/bookworm>).

The changes fix the security vulnerability CVE-2023-37378
(<https://security-tracker.debian.org/tracker/CVE-2023-37378>), bogus
relocation section in the installer stubs
(<https://bugs.debian.org/1050288>) and a failed to build from source
(FTBFS) bug occurring in the arm64 reproducibility build
(<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>).

In the following I describe each commit in more detail.

2b331c4f Cherry-pick upstream commits to fix CVE-2023-37378
This commit consists of essentially the same patches as included in the
nsis 3.04-1+deb9u1 diff uploaded by the LTS Security team. Only the
Debian patch header fields differ slightly.
(<http://security.debian.org/debian-security/pool/updates/main/n/nsis/nsis_3.04-1+deb9u1.debian.tar.xz>),
(<https://lists.debian.org/debian-lts-announce/2023/07/msg00005.html>),
(<https://tracker.debian.org/news/1442453/accepted-nsis-304-1deb9u1-source-into-oldoldstable/>)

105629f0 Use common options for nsis-doc installation
In Debian Trixie additional compile flags for hardening the security
have been introduced. These flags were wrongly applied for installing
build artifacts of the documentation targets (install-examples,
install-doc and install-docs) and caused the arm64 reproducibility build
to fail. The arm64 reproducibility worked again after changing to the
common set of flags for the documentation targets build.
(<https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/nsis.html>)

2d1e47e8 Exclude Debian revision suffix from VER_REVISION
The nsis 3.04-1+deb9u1 diff did "Hardcode VER_REVISION to ignore deb9u1
suffix". This change takes a generic approach by utilizing the string
functions (firstword, word) of make to exclude the Debian revision
suffix from VER_REVISION.

1ec70a5e Backport upstream commit to disable stub relocations
The original fix was not effective
(<https://salsa.debian.org/debian/nsis/-/commit/f1c043cc110797e9f06718e7bc13b7163b78c550>).
This regression was pointed out in the Debian bug report #1050288
(<https://bugs.debian.org/1050288>) and the origin of this proposed
update request. These changes are the backport of the upstream commit
to disable stub relocations in newer GNU C(++) compiler versions.

f5795972 CVE-2023-37378, nsis-doc, VER_REVISION, disable relocs
This commit documents the above described changes.

---

Once we have your agreement, my uploading sponsor (OdyX) will proceed
with the upload.

Best regards,
Thomas

Adam D. Barratt

Feb 3, 2024, 5:00:05 AM
On Sat, 2024-02-03 at 10:33 +0100, Thomas Gaugler wrote:
> I am the maintainer of Nullsoft Scriptable Install System (NSIS) and
> propose the changes committed into the debian/bookworm branch on the
> 27th January 2024 to be released as updated nsis 3.08-3+deb12u1
> packages
> (<https://salsa.debian.org/debian/nsis/-/commits/debian/bookworm>).

Thanks, but you've still not attached a debdiff of a prepared package,
as requested. Pointers to git are useful, but they're not the same as an
actual package debdiff, which sometimes reveals changes that aren't
immediately obvious from git.

(A debdiff attached to the bug is also there in perpetuity.)

Regards,

Adam

Didier 'OdyX' Raboud

Feb 5, 2024, 5:30:08 AM
Here comes the debdiff as I would upload it.

Thanks for the reminder.

Best,
OdyX
nsis_3.08-3+deb12u1.debdiff
signature.asc