Bugzilla – Bug 1094761
Kiwi does not produce ISO that are compliant with the ISO9660 specs
Last modified: 2020-07-23 11:52:42 UTC
As per the following analysis by Thomas Schmitt, who investigated an error report reported against libcdio when trying to process openSUSE-Leap-15.0-DVD-x86_64.iso: http://lists.gnu.org/archive/html/libcdio-devel/2018-05/msg00008.html Specifically: ECMA-119, 7.3.3 "Both-byte orders" and 9.1.4 "Data Length (BP11 to BP18)" prescribe that the byte count of a data file is to be recorded as first a little-endian 32-bit number and then a big-endian 32-bit number. However, Kiwi only appears to patch the little-endian bytes into the ISO when it sets the final size of the affected files. For instance, you can find a file in openSUSE-Leap-15.0 that bears as size: e1 01 00 00 00 00 08 00 where the first four bytes are correct and the next four are wrong. This is probably because only the first four were overwritten by Kiwi, when it patched in the new size after manipulating the file content. Therefore, independently of a separate libcdio issue (which should gracefully warn when it finds such an inconsistency, rather than bail out), there is a definite problem with the way Kiwi updates the file sizes, as only seems to do half the job, which is in breach of the ECMA specs. Hopefully this specs compliance issue can be fixed for future releases of openSUSE.
product iso's are created by the product builder project Assigning to maintainer
Thanks for letting such a bug bit-rot forever. This now hits us badly, since the bot producing the changelogs for the ISOs was upgraded to Leap 15.1, thus having a new libcdio that barks on such invalid files https://github.com/openSUSE/openSUSE-release-tools/issues/2128
One way around the issue being introduced with product-builder would be the upgrade of libcdio to version 2.1 - where the bigendian file size is discarded in favor of the little endian stored file size - thus ignoring the error introduced by product-builder (not eliminating the error alltogether though) This should be libcdio upstream commit http://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=a4155f014c640e6896a41205a0f997be8db33808
(In reply to Dominique Leuenberger from comment #3) > One way around the issue being introduced with product-builder would be the > upgrade of libcdio to version 2.1 This is not an option for Leap - as libcdio changed ABI between 0.94 and 2.1
(In reply to Dominique Leuenberger from comment #3) > One way around the issue being introduced with product-builder would be the > upgrade of libcdio to version 2.1 - where the bigendian file size is > discarded in favor of the little endian stored file size - thus ignoring the > error introduced by product-builder (not eliminating the error alltogether > though) > > This should be libcdio upstream commit > http://git.savannah.gnu.org/cgit/libcdio.git/commit/ > ?id=a4155f014c640e6896a41205a0f997be8db33808 Patch was incomplete and needed a 2nd one: http://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=a4155f014c640e6896a41205a0f997be8db33808 With this combo, we can at least parse the ISO files again. submitted as such into maintenance
SUSE-RU-2019:2443-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1094761 CVE References: Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): cdio-utils-0.94-6.9.2, libcdio-0.94-6.9.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): cdio-utils-0.94-6.9.2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): libcdio-0.94-6.9.2 SUSE Linux Enterprise Module for Desktop Applications 15 (src): libcdio-0.94-6.9.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-RU-2019:2215-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1094761 CVE References: Sources used: openSUSE Leap 15.0 (src): libcdio-0.94-lp150.5.10.1
openSUSE-RU-2019:2218-1: An update that has one recommended fix can now be installed. Category: recommended (moderate) Bug References: 1094761 CVE References: Sources used: openSUSE Leap 15.1 (src): cdio-utils-0.94-lp151.7.3.1, libcdio-0.94-lp151.7.3.1
solved
(In reply to Adrian Schröter from comment #11) > solved really? The fix we published was to have libcdio actually accept the broken ISO images - but I'm not aware of any code change to actually no longer produce the images in a defective way.
I have to admit I only remember a discussion if should re-release old GA images and we decided to no. So I assumed that it got fixed... okay, re-open for validation.
The fix: https://github.com/openSUSE/open-build-service/pull/9949
merged