theypsilon / Update_All_MiSTer

All-in-one script for updating your MiSTer
GNU General Public License v3.0

Possible Zip Bomb #80

Closed s3anami closed 2 years ago

s3anami commented 2 years ago

Keep getting zip bomb errors with the script. Even got them with the BIOS, so I did that manually.

subprocess.run unzip -p /tmp/tmp9d80aw79 Return Code was '12'

error: invalid zip file with overlapped components (possible zip bomb)

Could not load json from "https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip"
subprocess.run unzip -p /tmp/tmp_a56fspt Return Code was '12'

error: invalid zip file with overlapped components (possible zip bomb)

Could not load json from "https://raw.githubusercontent.com/jotego/jtcores_mister/main/jtbindb.json.zip"

theypsilon commented 2 years ago

It looks like you have a buggy Linux version. When was the latest time you updated before this one, September?

XAMPPRocky commented 2 years ago

Hey, wanted to note that I got a preconfigured MiSTer from MiSTerAddons and also run into this issue when running the update all script. Running update Linux and update all says that I’m running on the latest version of Linux.

theypsilon commented 2 years ago

Hey @XAMPPRocky, is it happening all the time, or just once in a while? If it happens all the time, could you share the logs? Scripts/.config/downloader/downloader1.log

s3anami commented 2 years ago

My way to fix it was to use the separate Downloader script. That one completed successfully. From there Update All works after that.

XAMPPRocky commented 2 years ago

@theypsilon Happens all the time, here's the contents of downloader1.log. I'll try running downloader separately and see how that goes.

START!

Reading file: /media/fat/downloader.ini
Reading 'distribution_mister' db section
Reading 'jtcores' db section
env: {
    "DOWNLOADER_LAUNCHER_PATH": "downloader.ini",
    "DOWNLOADER_INI_PATH": "/media/fat/downloader.ini",
    "CURL_SSL": "--cacert /etc/ssl/certs/cacert.pem",
    "COMMIT": "56c2e1f",
    "ALLOW_REBOOT": "0",
    "UPDATE_LINUX": "false",
    "DEFAULT_DB_URL": "https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip",
    "DEFAULT_DB_ID": "distribution_mister",
    "DEFAULT_BASE_PATH": null,
    "DEBUG": "false",
    "FAIL_ON_FILE_ERROR": "false"
}
config: {
    "databases": {
        "distribution_mister": {
            "db_url": "https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip",
            "section": "distribution_mister"
        },
        "jtcores": {
            "db_url": "https://raw.githubusercontent.com/jotego/jtcores_mister/main/jtbindb.json.zip",
            "section": "jtcores"
        }
    },
    "base_path": "/media/fat/",
    "base_system_path": "/media/fat/",
    "allow_delete": 1,
    "allow_reboot": 0,
    "check_manually_deleted_files": true,
    "update_linux": true,
    "parallel_update": true,
    "downloader_size_mb_limit": 100,
    "downloader_process_limit": 300,
    "downloader_timeout": 300,
    "downloader_retries": 3,
    "zip_file_count_threshold": 60,
    "zip_accumulated_mb_threshold": 100,
    "filter": "",
    "url_safe_characters": {},
    "verbose": false,
    "config_path": "/media/fat/downloader.ini",
    "user_defined_options": [],
    "curl_ssl": "--cacert /etc/ssl/certs/cacert.pem"
}
subprocess.run unzip -p /media/fat//Scripts/.config/downloader/downloader.json.zip Return Code was '12'

error: invalid zip file with overlapped components (possible zip bomb)

Could not load storage
Loading db from url: https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip
Loading db from url: https://raw.githubusercontent.com/jotego/jtcores_mister/main/jtbindb.json.zip
Downloading 2 files:
/tmp/tmp8y7lo3sz
/tmp/tmpw4ys181c
*..

Checking hashes...
++
subprocess.run unzip -p /tmp/tmp8y7lo3sz Return Code was '12'

error: invalid zip file with overlapped components (possible zip bomb)

Could not load json from "https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip"
subprocess.run unzip -p /tmp/tmpw4ys181c Return Code was '12'

error: invalid zip file with overlapped components (possible zip bomb)

Could not load json from "https://raw.githubusercontent.com/jotego/jtcores_mister/main/jtbindb.json.zip"

===========================
Downloader 1.3 (56c2e1f) by theypsilon. Run time: 0:00:02.21s
Log: Scripts/.config/downloader/downloader.log

Installed:
none.

Errors:
https://raw.githubusercontent.com/MiSTer-devel/Distribution_MiSTer/main/db.json.zip, https://raw.githubusercontent.com/jotego/jtcores_mister/main/jtbindb.json.zip

Length of failed_dbs: 2

XAMPPRocky commented 2 years ago

@s3anami What downloader Script were you referencing?

FWIW I'm still facing this issue.

s3anami commented 2 years ago

https://github.com/MiSTer-devel/Downloader_MiSTer

XAMPPRocky commented 2 years ago

That script did not fix anything for me. As I posted in another issue, I get the same problem trying to run downloader.sh. https://github.com/MiSTer-devel/Downloader_MiSTer/issues/11#issuecomment-1026739987

XAMPPRocky commented 2 years ago

The solution I found is to run the update.sh first. Once this has run, these scripts start to work.
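
To check, independently of the `unzip` binary, whether an archive such as `db.json.zip` really contains overlapping entries, the byte range of each entry can be computed from the zip headers and compared. This is an added example, not code from the thread or from the Update All / Downloader projects; the function names and the in-memory sample archive are constructed for illustration, and the input must be a file object opened in binary mode.

```python
import io
import struct
import zipfile

# 30-byte local file header: signature, 5 shorts, 3 longs, name/extra lengths
LOCAL_HEADER = struct.Struct("<4s5H3L2H")

def entry_spans(fileobj):
    """Return (name, start, end) byte ranges of each entry's local record."""
    spans = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            fileobj.seek(info.header_offset)
            fields = LOCAL_HEADER.unpack(fileobj.read(LOCAL_HEADER.size))
            if fields[0] != b"PK\x03\x04":
                raise zipfile.BadZipFile(f"no local header for {info.filename}")
            name_len, extra_len = fields[9], fields[10]
            # A trailing data descriptor (flag bit 3) is ignored, so the range
            # is a lower bound and never produces a false overlap.
            end = (info.header_offset + LOCAL_HEADER.size
                   + name_len + extra_len + info.compress_size)
            spans.append((info.filename, info.header_offset, end))
    return spans

def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte ranges intersect."""
    overlaps, furthest = [], None
    for span in sorted(spans, key=lambda s: s[1]):
        if furthest is not None and span[1] < furthest[2]:
            overlaps.append((furthest[0], span[0]))
        if furthest is None or span[2] > furthest[2]:
            furthest = span
    return overlaps

def sample_archive():
    """Constructed, well-formed two-entry archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("db.json", '{"files": {}}' * 50)
        zf.writestr("notes.txt", "constructed sample")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    spans = entry_spans(sample_archive())
    for name, start, end in spans:
        print(f"{name}: bytes {start}-{end}")
    print("overlaps:", find_overlaps(spans) or "none")
```

An empty result for a file that `unzip` still rejects with return code 12 points at the local `unzip` build rather than at the archive.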