Package Details: streamripper 1:1.64.6+56+a5597af-1

Git Clone URL: https://aur.archlinux.org/streamripper.git (read-only)
Package Base: streamripper
Description: Records and splits streaming mp3 into tracks
Upstream URL: https://streamripper.sourceforge.net
Licenses: GPL
Submitter: arojas
Maintainer: twa022
Last Packager: twa022
Votes: 10
Popularity: 0.71
First Submitted: 2019-04-03 06:37 (UTC)
Last Updated: 2024-10-19 18:23 (UTC)

Latest Comments

m040601 commented on 2025-02-07 00:41 (UTC) (edited on 2025-02-07 01:40 (UTC) by m040601)

This PKGBUILD, "streamripper" is pulling from here, https://github.com/Magentron/streamripper . That repo has some commits/fixes/activity in the last year.

Found this other one here, https://github.com/streamripper/streamripper/issues/10. It's just a copy of the sourceforge repo on github. Last update 9y ago. Anyway, someone opened an issue recently,

Buffer overflow streamripper/streamripper#10
Open • gentoosys opened about 6 months ago • 2 comments

  Hi. Can't use it on archlinux
  Connecting...
  *** buffer overflow detected ***: terminated
  on gentoo it worked. Why it happens?
.......
gentoosys • Jan  3, 2025 • Newest comment

  I deleted some flag, I think -D_FORTIFY_SOURCE=3 from /etc/makepkg.conf to build it and it
  worked

Could that be the problem in Arch ? Indeed, there is a "FORTIFY_SOURCE" flag there

$ rg fortify -C 3 /etc/makepkg.conf

41-#-- Compiler and Linker Flags
42-#CPPFLAGS=""
43-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
44:        -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security \
45-        -fstack-clash-protection -fcf-protection \
46-        -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
47-CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"

I have no idea what this is, and its impact/consequences. So from the Internet,

What is FORTIFY_SOURCE?

FORTIFY_SOURCE is a feature available in the GNU C Library that provides runtime protection
against certain types of security vulnerabilities. Specifically, FORTIFY_SOURCE detects and
prevents buffer overflow and format string vulnerabilities, which are two common types of
vulnerabilities that attackers can exploit to take control of a system or steal sensitive
data.

The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in
various functions that perform operations on memory and strings. Not all types of buffer
overflows can be detected with this macro, but it does provide an extra level of validation
for some functions that are potentially a source of buffer overflow flaws. It protects both
C and C++ code.

Why does "makepkg" produce a binary with buffer overflow ? Why does "make" on a clean src folder of streamripper not have that problem ?

Is it related to that flag ? So I went to try it.

I didn't mess with the default, /etc/makepkg.conf, like the above user says he did. That would be a very bad idea. The defaults are put there for some good reason by the Arch developers.

Besides, streamripper has a decades-long history of repeated problems of this kind. Search the Internet,

Ulf Harnhammar from the Debian Security Audit Project discovered that streamripper, a
utility to record online radio-streams, performs insufficient sanitising of data received
from the streaming server, which might lead to buffer overflows and the execution of
arbitrary code.

So anyway. This is what I tried,

man makepkg,

       MAKEPKG_CONF="/path/to/file"
           Use an alternate config file instead of the /etc/makepkg.conf
           default.

yay -G streamripper
cd streamripper
cp /etc/makepkg.conf custom_makepkg.conf

I then edited that "custom" file and changed the "FORTIFY_SOURCE" value. I tried "0", "1" and "2". Then,

makepkg MAKEPKG_CONF=custom_makepkg.conf
sudo pacman -U streamripper....zst

No luck. The built package still has the same buffer overflow.

So strange. Why does "make" on a clean src folder of streamripper not have that problem ?

git clone https://github.com/Magentron/streamripper
cd streamripper
git checkout a5597af77b942b97cacb207929043c9aac0b756e
./configure
make 

Running that binary,

./streamripper http://some.radio.foo.bar ...

Has no buffer overflow.

My absolute non expert guess conclusion:

Streamripper code is old and buggy. And does indeed have that overflow thing.

Modern packaging systems, like Arch packaging/makepkg provide safeguards/rails
against such potential threats. So they have all those "hardening" flags by
default at compiling packages time.


So this kind of message in Archlinux,

*** buffer overflow detected ***: terminated Aborted (core dumped)

Is actually a good sign. It means this binary on Archlinux was prevented from continuing to run and being susceptible to exploitation before it was too late.

Am I thinking correctly ???
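
How the check behind the `*** buffer overflow detected ***` message discussed in the comment above behaves, and why a build without `_FORTIFY_SOURCE` can appear to work, shown as an added example that is not part of the comment and is not streamripper's code. `struct track`, both copy helpers and the input strings are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: a short text field with other data right behind it. */
struct track { char title[8]; char flags[8]; };

/* Stand-in for an unfortified strcpy(t->title, src): strlen(src)+1 bytes go
 * in at title with no notion of where title ends. Written as a byte copy into
 * the enclosing struct so the demo stays well defined (inputs fit in 16 bytes). */
static void unchecked_copy(struct track *t, const char *src)
{
    memcpy((char *)t + offsetof(struct track, title), src, strlen(src) + 1);
}

/* Model of the fortified call: the *_chk variant receives the destination size
 * the compiler can see (__builtin_object_size, or __builtin_dynamic_object_size
 * at level 3). glibc aborts on a misfit; this model returns -1 instead. */
static int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > dst_size)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* 1 if the unchecked copy changed the neighbouring field, else 0. */
int unchecked_corrupts_neighbour(const char *src)
{
    struct track t = { "", "KEEP" };
    unchecked_copy(&t, src);
    return memcmp(t.flags, "KEEP", 5) != 0;
}

/* 0 if the checked copy accepts the input, -1 where glibc would abort. */
int checked_verdict(const char *src)
{
    struct track t = { "", "KEEP" };
    return checked_copy(t.title, sizeof t.title, src);
}

int main(void)
{
    const char *s = "Artist - Song";   /* constructed input: 14 bytes with NUL */
    printf("neighbour clobbered: %d, checked verdict: %d\n",
           unchecked_corrupts_neighbour(s), checked_verdict(s));
    return 0;
}
```

The unchecked copy finishes without any visible error while silently rewriting the neighbouring field, which is how an unhardened build can look fine on the same input that makes a fortified build terminate.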

m040601 commented on 2025-01-29 09:09 (UTC)

I also tried the advice,

makepkg -sicC

It didn't work, just like other users have also commented.

... If 'makepkg -sicC' pacman command doesn't work for you, it means your Arch
system has a problem. 

No. It doesn't mean your Arch "has a problem". It means something else. And no one has figured out how to solve this and update the PKGBUILD so that it builds correctly.

maderios commented on 2024-11-01 13:13 (UTC)

@prurigo If 'makepkg -sicC' pacman command doesn't work for you, it means your Arch system has a problem. Normally and happily, chroot is not needed to build Arch package, and I never used it.

prurigro commented on 2024-10-31 20:51 (UTC)

So the advice below to build with "-sicC" didn't work for me, but building in a clean chroot did, and now it's running correctly.

If anyone's unable to set up a clean chroot themselves and are comfortable trusting a 3rd party build by me, you can grab the current version from http://96.126.108.7:90/streamripper-1:1.64.6+56+a5597af-1-x86_64.pkg.tar.xz

m040601 commented on 2024-10-29 23:12 (UTC) (edited on 2024-10-29 23:23 (UTC) by m040601)

Pity it stopped working on x86_64. Such a useful, old, time tested, nice little tool.

arch=('x86_64' 'i686' 'aarch64' 'armv7h')

Curious fact. Just to report that it is still building and working fine on the ARM platform. I run ArchlinuxArm, "armv7h" on a Raspberrypi2b 1.1 and a Samsung Chromebook.

No "buffer overflow" errors, like in the x86_64 pc's.

streamripper --version

Streamripper 1.66.0-alpha
Name            : streamripper
Version         : 1:1.64.6+56+a5597af-1
Architecture    : armv7h
Depends On      : glib2  libmad  faad2  libvorbis
Installed Size  : 140.67 KiB
Packager        : Unknown Packager
Build Date      : Tue 29 Oct 2024 11:02:40 PM WET
Install Date    : Tue 29 Oct 2024 11:05:53 PM WET

And had been using the previous version for the last 6 years,

Name            : streamripper
Version         : 1.64.6-4
Architecture    : armv7h
Installed Size  : 149.00 KiB
Packager        : Arch Linux ARM Build System
                  <builder+xu5@archlinuxarm.org>
Build Date      : Thu 07 Jun 2018 03:11:03 PM WEST
Install Date    : Tue 12 Jun 2018 11:59:39 PM WEST

uname -a

Linux alarmpi 6.6.58-1-rpi #1 SMP Wed Oct 23 06:54:17 MDT 2024 armv7l GNU/Linux

pacman -Qi linux

Name            : linux-rpi
Version         : 6.6.58-1
Architecture    : armv7h
URL             : https://github.com/raspberrypi/linux
Provides        : linux=6.6.58  KSMBD-MODULE  WIREGUARD-MODULE

pacman -Qi glibc

Name            : glibc
Version         : 2.39+r52+gf8e4623421-1
Description     : GNU C Library
Architecture    : armv7h
URL             : https://www.gnu.org/software/libc
Depends On      : linux-api-headers>=4.10  tzdata  filesystem

pacman -Qi make

Name            : make
Version         : 4.4.1-2
Architecture    : armv7h
Depends On      : glibc  guile
Build Date      : Sat 18 Mar 2023 09:57:04 AM WET
Install Date    : Sat 18 Mar 2023 09:50:37 PM WET

pacman -Qi glib2

Name            : glib2
Version         : 2.82.2-1
Architecture    : armv7h
URL             : https://gitlab.gnome.org/GNOME/glib
Licenses        : LGPL-2.1-or-later
Provides        : libglib-2.0.so=0-32  libgio-2.0.so=0-32
                  libgirepository-2.0.so=0-32  libgmodule-2.0.so=0-32
                  libgobject-2.0.so=0-32  libgthread-2.0.so=0-32

DrJ commented on 2024-10-17 16:31 (UTC)

Does throw buffer overflow ... even after update and rebuild (makepkg -sicC).

maderios commented on 2024-07-20 07:59 (UTC)

On Arch system only (not Manjaro or else): update system then, makepkg -sicC
https://wiki.archlinux.org/title/Arch_User_Repository#Build_the_package

6b6279 commented on 2024-07-20 06:51 (UTC) (edited on 2024-07-20 06:53 (UTC) by 6b6279)

I've also gotten a buffer overflow, pacman -Syu didn't help.

maderios commented on 2024-07-19 07:52 (UTC)

With recent deps updates, it works for me. You have to update your system and rebuild it.

linuxadmin commented on 2024-07-16 06:15 (UTC)

Can't use it, crashes with buffer overflow detected.