Bug#852207: libfile-stripnondeterminism-perl: Breaks .zip with encrypted files

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Sun Jan 22 13:58:20 UTC 2017

Package: libfile-stripnondeterminism-perl
Version: 0.029-2
Severity: normal

Dear Maintainer,

This looks a lot like #817943 but still might be a different issue.

When dh-strip-nondeterminism processes a .zip with an encrypted file,
the .zip is altered in such a way that it should be considered broken afterwards.

How to repeat:

* Create a small encrypted .zip

$ touch a-file
$ zip -Pverysecret archive.zip a-file

* zipinfo tells it is sound:

$ zipinfo archive.zip 
| Archive:  archive.zip
| Zip file size: 190 bytes, number of entries: 1
| -rw-r--r--  3.0 unx        0 BX stor 17-Jan-22 14:35 a-file
| 1 file, 0 bytes uncompressed, 0 bytes compressed:  0.0%

* Run File::StripNondeterminism against that file. Like using the following
  script which is what dh-strip-nondeterminism basically does:

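#!/usr/bin/perl -w
use strict;
use File::StripNondeterminism;
my $file = $ARGV[0];
# Pick the handler matching the file type (undef if the type is not handled)
my $normalizer = File::StripNondeterminism::get_normalizer_for_file($file);
# Apply it in place; without this call the archive is never modified
$normalizer->($file) if $normalizer;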

* Check the .zip again

$ zipinfo archive.zip 
| Archive:  archive.zip
| Zip file size: 178 bytes, number of entries: 1
| -rw-r--r--  3.0 unx        0 BX stor 80-Jan-01 13:01 a-file
| 1 file, 0 bytes uncompressed, 18446744073709551604 bytes compressed:  0.0%
                                = 0xfffffffffffffff4

* Also unzip cannot handle this:

$ unzip -t archive.zip
| Archive:  archive.zip
|   error:  invalid compressed data to inflate
| At least one error was detected in archive.zip.

In case there's a package in Debian that ships an encrypted .zip file,
that one is broken now. Although I cannot think why anyone would want
to do that. Severity left at normal therefore.



-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: unable to detect

Versions of packages libfile-stripnondeterminism-perl depends on:
ii  libarchive-zip-perl  1.59-1
ii  perl                 5.24.1~rc4-1

libfile-stripnondeterminism-perl recommends no packages.

libfile-stripnondeterminism-perl suggests no packages.

-- no debconf information
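
Added example, not part of the original report and not code from File::StripNondeterminism: a Python pre-flight check that lists encrypted members (general purpose flag bit 0) and flags size fields that cannot be right, run on constructed in-memory archives. It assumes traditional PKWARE encryption, whose 12-byte per-member header is consistent with both the 12-byte shrink (190 to 178) and the reported size 0xfffffffffffffff4, which is -12 as a signed 64-bit value; `build_sample`, `preflight` and `as_signed` are hypothetical names.

```python
import io
import struct
import zipfile

ENC_HEADER_LEN = 12  # per-member header of traditional PKWARE (ZipCrypto) encryption


def as_signed(value, bits=64):
    """Reinterpret an unsigned size field as two's complement."""
    return value - (1 << bits) if value >> (bits - 1) else value


def build_sample(csize, payload, name=b"a-file"):
    """Constructed one-member archive: stored, 0 bytes long, flag bit 0 (encrypted) set."""
    common = struct.pack("<HHHHHIII", 20, 0x0001, 0, 0, 0x0021, 0, csize, 0)
    local = b"PK\x03\x04" + common + struct.pack("<HH", len(name), 0) + name
    central = (b"PK\x01\x02" + struct.pack("<H", 0x031E) + common
               + struct.pack("<HHHHHII", len(name), 0, 0, 0, 0, 0o100644 << 16, 0) + name)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


def preflight(data):
    """Return (encrypted_names, size_anomalies) for a ZIP held in `data`.

    A rewriting tool can leave the archive alone when encrypted_names is
    non-empty; size_anomalies lists (name, compressed, uncompressed) triples.
    """
    encrypted, anomalies = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            is_enc = bool(zi.flag_bits & 0x1)
            if is_enc:
                encrypted.append(zi.filename)
            # Encrypted data is prefixed by the encryption header, so the
            # compressed size can never be smaller than that header.
            floor = ENC_HEADER_LEN if is_enc else 0
            stored = zi.compress_type == zipfile.ZIP_STORED
            if zi.compress_size < floor or (stored and zi.compress_size != zi.file_size + floor):
                anomalies.append((zi.filename, zi.compress_size, zi.file_size))
    return encrypted, anomalies


if __name__ == "__main__":
    print(preflight(build_sample(ENC_HEADER_LEN, bytes(ENC_HEADER_LEN))))
    print(preflight(build_sample(0xFFFFFFF4, b"")), as_signed(0xFFFFFFFFFFFFFFF4))
```

The second sample is a constructed approximation of the damaged archive (header bytes gone, size field holding -12 truncated to 32 bits), not a byte-for-byte copy of the file from the report.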
