Issue of using "dpkg" for newer ".deb" files

Ken CJ Chou kenchou0731 at gmail.com
Sun Sep 29 04:37:37 UTC 2019


Hello,

I'm using the latest version of busybox (1.31.0).
I found an issue when using "dpkg" and "dpkg-deb" in busybox.
When I performed a task to get the control info of a ".deb" file,
the output showed a "dpkg-deb: corrupted data" message.

e.g.
```
# dpkg-deb -f <some_deb_file>
Package: <some_package>
...
dpkg-deb: corrupted data
```

I looked into the source code.
In file "archival/libarchive/decompress_unxz.c" line 97, busybox tries
to decompress another xz stream when it finds that the input stream has
not ended.

So the issue happens on newer Debian package files.
The newer Debian package file format is an "ar" archive of 3 files:
"debian-binary", "control.tar.xz", and "data.tar.xz", in that order.
When performing tasks on the Debian package file, the archive handler opens
the ".deb" file as the input stream.
When busybox completes reading the section of "control.tar.xz", it
automatically tries to decompress another xz stream because there is still
the section of "data.tar.xz" in the input stream.
In this situation, busybox will read the label of the "ar" archive for the
"data.tar.xz" section. Then it fails at checking xz's header magic, and
finally a "corrupted data" error message is printed.

---

The issue can be easily reproduced with any Debian package file in Debian 10.
For example, "busybox_1.30.1-4_amd64.deb".

In my case, I can just apply a patch to disable the decompression of
another xz stream,
because I don't think I need such a feature for my "xz" utility.

But I still wonder if there is a better solution to this issue.
If you have any suggestions, please let me know.
Thank you very much.

Ken
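
The following is an added illustration, not part of the original message and not busybox code: it builds a small constructed ".deb"-style "ar" archive in memory, shows that the bytes following the "control.tar.xz" stream are the next "ar" member header rather than xz magic, and shows that limiting the decompressor's input to the size recorded in the "ar" header leaves nothing to misread. The helper names and the placeholder payloads are assumptions made for this example.

```python
import lzma

AR_MAGIC = b"!<arch>\n"
XZ_MAGIC = b"\xfd7zXZ\x00"

def ar_member(name, data):
    """One ar member: 60-byte header, data, newline pad to an even length."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_deb():
    """Constructed sample; payloads are placeholder bytes, not real tarballs."""
    return AR_MAGIC + b"".join([
        ar_member(b"debian-binary", b"2.0\n"),
        ar_member(b"control.tar.xz", lzma.compress(b"Package: sample\n")),
        ar_member(b"data.tar.xz", lzma.compress(b"placeholder payload")),
    ])

def find_member(deb, wanted):
    """Return (data_offset, size) of the named member from the ar headers."""
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        size = int(hdr[48:58])          # decimal size field, space padded
        if hdr[:16].rstrip(b" /") == wanted:
            return pos + 60, size
        pos += 60 + size + (size & 1)   # members start on even offsets
    raise KeyError(wanted)

def read_control(deb, bounded):
    """Decompress control.tar.xz; return (output, bytes left after the stream)."""
    off, size = find_member(deb, b"control.tar.xz")
    end = off + size if bounded else len(deb)
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    return dec.decompress(deb[off:end]), dec.unused_data

def is_xz_stream(buf):
    """True if buf starts a decodable xz stream, False if the decoder rejects it."""
    try:
        lzma.LZMADecompressor(format=lzma.FORMAT_XZ).decompress(buf)
        return True
    except lzma.LZMAError:
        return False

if __name__ == "__main__":
    out, rest = read_control(build_deb(), bounded=False)
    print(out, rest[:16], is_xz_stream(rest))
```
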