[Bug 2071468] Re: ELF package metadata failure: environment variable ‘DEB_HOST_ARCH’ not defined

Launchpad Bug Tracker 2071468 at bugs.launchpad.net
Sat Jul 6 02:07:59 UTC 2024


This bug was fixed in the package squid - 6.9-1ubuntu1

---------------
squid (6.9-1ubuntu1) oracular; urgency=medium

  * Merge with Debian unstable (LP: #2064466). Remaining changes:
    - d/usr.sbin.squid: Add sections for squid-deb-proxy and
      squidguard
    - d/p/90-cf.data.ubuntu.patch: Add refresh patterns for deb
      packaging
    - Use snakeoil certificates:
      + d/control: add ssl-cert to dependencies
      + d/p/99-ubuntu-ssl-cert-snakeoil.patch: add a note about ssl
        to the default config file
    - d/NEWS: drop the NIS basic auth helper (LP #1895694)
    - d/p/0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch:
      Fix FTBFS due to -Werror=alloc-size-larger-than on GCC 12.
    - d/rules: halt build upon test failures.
    - d/rules: do not include additional configuration files during
      build time tests. This would lead to test failures due to missing
      paths.
    - d/t/upstream-test-suite: use installed squid binary for
      autopkgtest config file checks.
    - d/p/0010-Fix-Werror-sign-compare-on-GCC-13.patch: fix comparison
      between signed and unsigned values.
    - d/rules: disable LTO related compilation errors for ppc64el builds.
    - d/source_squid.py, d/squid-common.install: Add apport hook
      (LP #676141)
  * Dropped changes:
    - SECURITY UPDATE: DoS via chunked decoder uncontrolled recursion bug
      + debian/patches/CVE-2024-25111.patch: fix infinite recursion in
        src/http.cc, src/http.h.
      + CVE-2024-25111
      [ Fixed in 6.8 ]
  * New changes:
    - d/t/upstream-test-suite: adjust autopkgtests following dpkg
      changes enabling ELF metadata. (LP: #2071468)

squid (6.9-1) unstable; urgency=medium

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * New Upstream Release 6.9

squid (6.8-1) unstable; urgency=high

  [ Amos Jeffries <amosjeffries at squid-cache.org> ]
  * New Upstream Release 6.8
    Fixes: CVE-2024-25111. SQUID-2024:1

  [ Luigi Gangitano <luigi at debian.org> ]
  * debian/control
    - Migrate from pkg-config to pkgconf

 -- Athos Ribeiro <athos.ribeiro at canonical.com>  Tue, 02 Jul 2024 14:21:39 -0300

** Changed in: squid (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-25111

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/2071468

Title:
  ELF package metadata failure: environment variable ‘DEB_HOST_ARCH’ not
  defined

Status in asymptote package in Ubuntu:
  Fix Released
Status in dpkg package in Ubuntu:
  Triaged
Status in gsequencer package in Ubuntu:
  Fix Released
Status in libreoffice package in Ubuntu:
  New
Status in mosh package in Ubuntu:
  Fix Released
Status in mwrap package in Ubuntu:
  Fix Released
Status in serf package in Ubuntu:
  Triaged
Status in squid package in Ubuntu:
  Fix Released
Status in texinfo package in Ubuntu:
  Triaged

Bug description:
  The ELF package note metadata introduced in dpkg 1.22.6ubuntu11
  (refined in 1.22.6ubuntu14) can cause this failure:

  ```
  gcc fatal error: environment variable ‘DEB_HOST_ARCH’ not defined
  ```

  This happens when the `-specs=/usr/share/dpkg/elf-package-metadata.specs`
  parameter is set but the needed environment variables are not set. Cases:

  1. Only the LDFLAGS is queried from dpkg-buildflags. Affected source
  package builds: python3.12, openjdk-21, cdbs (causing dvbstreamer and
  rp-pppoe to fail to build)

  2. autopkgtests

  3. debugging a crash of an application built with the -spec parameter

  4. People like to iteratively continue building the software in the
  build dir while hacking on the package and then have no environment
  variable set.

  This approach is too fragile. An alternative approach would be to specify the `--package-metadata` linker flag directly. The problem with that approach is that the curly brackets and quotation marks need to be escaped. Example failure: Building dpkg would add this parameter to the LDFLAGS:
  ```
  -Wl,--package-metadata,{"type":"deb","os":"ubuntu","name":"dpkg","version":"1.22.6ubuntu15","architecture":"amd64"}
  ```
  The following configure script call (non-relevant parameters deleted):
  ```
  $ gcc -Wl,--package-metadata,{type:deb,os:ubuntu,name:dpkg,version:1.22.6ubuntu15,architecture:amd64}
  /usr/bin/ld: cannot find {type:deb: No such file or directory
  /usr/bin/ld: cannot find os:ubuntu: No such file or directory
  /usr/bin/ld: cannot find name:dpkg: No such file or directory
  /usr/bin/ld: cannot find version:1.22.6ubuntu15: No such file or directory
  /usr/bin/ld: cannot find architecture:amd64}: No such file or directory
  ```

  Proposed solution: Add support for an `--escaped-package-metadata` parameter to the linkers that takes a URL-encoded (RFC 3986) parameter. Example:
  ```
  -Wl,--encoded-package-metadata,%7B%22type%22:%22deb%22%2C%22os%22:%22ubuntu%22%2C%22name%22:%22dpkg%22%2C%22version%22:%221.22.6ubuntu15%22%2C%22architecture%22:%22amd64%22%7D
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asymptote/+bug/2071468/+subscriptions
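
An added example, not part of the original bug report or of dpkg: a small Python simulation of why the raw JSON value breaks on its way to `ld` while the percent-encoded form from the proposal arrives as one argument. It assumes POSIX shell quote removal (approximated with `shlex`) followed by gcc splitting `-Wl,` options at commas; the helper names are hypothetical, and `--encoded-package-metadata` is the flag spelled in the report's example.

```python
import json
import shlex
from urllib.parse import quote, unquote

# Constructed from the dpkg example in the bug description.
METADATA = {"type": "deb", "os": "ubuntu", "name": "dpkg",
            "version": "1.22.6ubuntu15", "architecture": "amd64"}


def linker_args(ldflags: str) -> list[str]:
    """Approximate what ld receives: shell word splitting and quote
    removal (shlex), then gcc splitting each -Wl, option at commas."""
    args = []
    for word in shlex.split(ldflags):
        if word.startswith("-Wl,"):
            args.extend(word[len("-Wl,"):].split(","))
        else:
            args.append(word)
    return args


def encode_metadata(meta: dict) -> str:
    """Percent-encode compact JSON, keeping ':' literal as in the report."""
    compact = json.dumps(meta, separators=(",", ":"))
    return quote(compact, safe=":")


def decode_metadata(arg: str) -> dict:
    """The decoding step a linker implementing the proposal would need."""
    return json.loads(unquote(arg))


raw_flag = "-Wl,--package-metadata," + json.dumps(METADATA, separators=(",", ":"))
enc_flag = "-Wl,--encoded-package-metadata," + encode_metadata(METADATA)

if __name__ == "__main__":
    # Raw JSON: quotes stripped, value split into five bogus "file" arguments.
    print(linker_args(raw_flag))
    # Encoded: option name plus exactly one value argument.
    print(linker_args(enc_flag))
    print(decode_metadata(linker_args(enc_flag)[1]))
```

The raw form reproduces the `cannot find {type:deb` style of failure because neither `"` nor `,` survives both layers; the encoded form contains no character that the shell or the `-Wl,` splitter treats specially.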



