
Comments (10)

kspalaiologos commented on May 31, 2024

Hello! Mind posting the output of ./configure?

./configure should define the following variables:

------------------------------------------------------------------------
MODERN-RZIP 0.9.5 (0.9.5) CONFIGURATION SUMMARY
------------------------------------------------------------------------

Compilation............: make (or gmake)
  CFLAGS...............: -g -O2 -msse2
  CXXFLAGS.............: -g -O2 -msse2
  CC...................: gcc
  CXX..................: g++ -std=gnu++17
  STRIP................: strip
  WINDOWS..............: 0
  VERSION..............: -DMRZIP_MAJOR=0 -DMRZIP_MINOR=9 -DMRZIP_PATCH=5

from modern-rzip.

kspalaiologos commented on May 31, 2024

Okay, I have reviewed it and it appears that a recent git upgrade that fixes a vulnerability is being hypervigilant:

git (1:2.20.1-2+deb10u5) buster-security; urgency=high
  
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-24765: Git not checking the ownership of directories in a
    local multi-user system when running commands specified in the local
    repository configuration.  This allows the owner of the repository to
    cause arbitrary commands to be executed by other users who access the
    repository.
  * The above introduces new 'safe.directory' checks which may cause
    regressions: allow opt-out of such checks with 'safe.directory=*'
  * CVE-2022-29187: an unsuspecting user could still be affected by the
    issue reported in CVE-2022-24765, for example when navigating as root
    into a shared tmp directory that is owned by them, but where an
    attacker could create a git repository.
  * CVE-2022-39253: exposure of sensitive information to a malicious
    actor. When performing a local clone (where the source and target of
    the clone are on the same volume), Git copies the contents of the
    source's `$GIT_DIR/objects` directory into the destination by either
    creating hardlinks to the source contents, or copying them (if
    hardlinks are disabled via `--no-hardlinks`). A malicious actor could
    convince a victim to clone a repository with a symbolic link pointing
    at sensitive information on the victim's machine.
  * CVE-2022-39260: `git shell` improperly uses an `int` to represent the
    number of entries in the array, allowing a malicious actor to
    intentionally overflow the return value, leading to arbitrary heap
    writes. Because the resulting array is then passed to `execv()`, it is
    possible to leverage this attack to gain remote code execution on a
    victim machine.

 -- Sylvain Beucler <[email protected]>  Tue, 13 Dec 2022 15:14:23 +0100

Seems like WikiMedia was also hit by this issue: https://phabricator.wikimedia.org/T325128. A suggested fix is:

$ git config --global --add safe.directory /path/to/modern-rzip


asarubbo commented on May 31, 2024

Hi, I filed the issue without digging a bit to understand the cause, but now it is clear.

I'm using the 0.9.5 tarball (https://github.com/modern-rzip/modern-rzip/archive/refs/tags/0.9.5.tar.gz), so the following commands in configure do not work because it is not a git repo:

MRZIP_MAJOR=`git describe --tags --abbrev=0 | sed 's/v//' | cut -d. -f1`
MRZIP_MINOR=`git describe --tags --abbrev=0 | sed 's/v//' | cut -d. -f2`
MRZIP_PATCH=`git describe --tags --abbrev=0 | sed 's/v//' | cut -d. -f3`
FULLVER=`git describe --tags --abbrev=0 | sed 's/v//'`

In fact, configure outputs the following:

  VERSION..............: -DMRZIP_MAJOR= -DMRZIP_MINOR= -DMRZIP_PATCH=

The quick fix I can suggest is to manually put the version number into configure.ac, which then needs to be incremented when you do a version bump.

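A configure fragment, added here as an example and not the project's own configure, that covers both the checkout and the tarball case: it tries `git describe`, falls back to the first line of a `.version` file (assumed, matching the file shown later in this thread, to carry the full version on its first line), and fails instead of silently emitting empty or non-numeric `-DMRZIP_*` values.

```shell
#!/bin/sh
# Version detection for a configure script (example, not modern-rzip's own):
# prefer `git describe` in a checkout, fall back to a .version file shipped in
# the release tarball, and refuse to continue with an empty or non-numeric
# component, which is what produced "-DMRZIP_PATCH=" and
# "-DMRZIP_PATCH=MRZIP_PATCH" in this thread.

# Print the full version for the source tree in $1 (default: .), or nothing.
detect_version() {
    dir=${1:-.}
    ver=""
    # Checkout case. A safe.directory refusal or a non-repository directory
    # just yields an empty string here, so the tarball path is taken instead.
    if command -v git >/dev/null 2>&1; then
        ver=$(git -C "$dir" describe --tags --abbrev=0 2>/dev/null | sed 's/^v//')
    fi
    # Tarball case: assumed layout is the full version on line 1 of .version.
    if [ -z "$ver" ] && [ -f "$dir/.version" ]; then
        ver=$(head -n 1 "$dir/.version")
    fi
    printf '%s\n' "$ver"
}

# Succeed only for MAJOR.MINOR.PATCH with all-numeric parts.
validate_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Emit the -D flags configure should pass to the compiler, or fail loudly
# rather than producing defines with missing values.
version_defines() {
    ver=$(detect_version "$1")
    validate_version "$ver" || {
        echo "configure: cannot determine a numeric version (got '$ver')" >&2
        return 1
    }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    printf -- '-DMRZIP_MAJOR=%s -DMRZIP_MINOR=%s -DMRZIP_PATCH=%s\n' \
        "$major" "$minor" "$patch"
}
```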

kspalaiologos commented on May 31, 2024

I have not implemented source tarball releases (yet), but I will get around to doing this soon-ish.


asarubbo commented on May 31, 2024

I have bypassed the issue for now, by manually adding the magic numbers to the configure.

Now I have another issue during make phase:

   CC src/stream.c
src/stream.c:37:10: fatal error: ../vendor/bzip3/include/libbz3.h: No such file or directory
   37 | #include "../vendor/bzip3/include/libbz3.h"
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

There is a bit of confusion about the paths. My suggestion is: let configure detect whether a library (bzip3/zstd/lz4) is missing from the system and do not bundle libraries in vendor; or, if you want to bundle them for some reason, just declare the #include as usual and add -Ivendor/$dir where needed. Hope it helps.


kspalaiologos commented on May 31, 2024

Hello. The tarball you downloaded does not include the vendored files. Could you try the following:
https://github.com/modern-rzip/modern-rzip/releases/download/0.9.6/mrzip-src.tar.gz


asarubbo commented on May 31, 2024

Hello. The tarball you downloaded does not include the vendored files. Could you try the following: https://github.com/modern-rzip/modern-rzip/releases/download/0.9.6/mrzip-src.tar.gz

It works for me now; however, from configure I get:

  VERSION..............: -DMRZIP_MAJOR=0 -DMRZIP_MINOR=9 -DMRZIP_PATCH=MRZIP_PATCH

because .version here is:

0.9.6
0
9
MRZIP_PATCH

Another problem I get (please tell me if you want a new ticket) is that in the install phase, binaries want to be installed as /usr/bin, which is a directory; maybe there is a missing / at the end.


asarubbo commented on May 31, 2024

It works for me now; however, from configure I get:

  VERSION..............: -DMRZIP_MAJOR=0 -DMRZIP_MINOR=9 -DMRZIP_PATCH=MRZIP_PATCH

because .version here is:

0.9.6
0
9
MRZIP_PATCH

There is a missing $ here: https://github.com/modern-rzip/modern-rzip/blob/627de2bf8fbe6c3af3500811be587586ce084fca/.github/workflows/release.yml#L23


kspalaiologos commented on May 31, 2024

Oh, good catch. I will fix this now.


asarubbo commented on May 31, 2024

It partially works for me, because it uses the install defined in the build system instead of the install program defined in the system.

Is there a chance to get it using the default install program? FTR, bzip3 works for me from this point.
