libkml: strip scanner-flagged test fixture#17276
Merged
Contributor
Pull request overview
Updates the libkml component to avoid automated malware-scanner false positives by replacing upstream Source0 with a deterministic repack that removes one scanner-flagged KMZ test fixture and the single GoogleTest case that references it.
Changes:
- Added a dedicated `libkml.comp.toml` that overrides `Source0` via `source-files` with `replace-upstream = true`.
- Added a deterministic `modify_source.sh` helper to strip `testdata/kmz/bad-too-large.kmz` and remove `ZipFileTest.TestBadTooLarge` from the upstream test source.
- Regenerated rendered packaging artifacts (sources hash, spec Release bump) and refreshed the `libkml` lock fingerprint.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| base/comps/libkml/libkml.comp.toml | Introduces a Source0 override to a modified tarball to avoid scanner heuristics. |
| base/comps/libkml/modify_source.sh | Provides the deterministic strip-and-repack script used to produce the modified upstream tarball. |
| base/comps/components.toml | Removes the inline libkml entry now that the component is defined in a dedicated .comp.toml. |
| specs/l/libkml/sources | Updates the recorded SHA512 for libkml-1.3.0.tar.gz to match the modified tarball. |
| specs/l/libkml/libkml.spec | Bumps Release as part of the regenerated rendered spec output. |
| locks/libkml.lock | Updates the lock input fingerprint to reflect the component definition change. |
The FS-aware deep scanner in the automated package-signing pipeline
flags `testdata/kmz/bad-too-large.kmz` shipped inside the upstream
`libkml-1.3.0.tar.gz` tarball as malicious. The fixture is benign by
intent -- a crafted-malformed ZIP whose uncompressed-size field
reports 4,294,967,294 bytes, used by libkml's Google Test suite to
exercise decompression-bomb-rejection code in
`ZipFileTest.TestBadTooLarge` -- but its on-disk shape matches the
scanner's malicious-archive heuristics.
This change overrides Source0 with a byte-deterministic repack that
drops the single fixture and surgically removes the matching
`TEST_F(ZipFileTest, TestBadTooLarge)` block from
`tests/kml/base/zip_file_test.cc`, leaving every sibling test in that
file intact. The other 7 "bad" / "overflow" KMZ test fixtures shipped
under `testdata/kmz/` are kept as-is (the latest scan pass cleared
them).
Files
-----
- base/comps/libkml/libkml.comp.toml -- dedicated component file
with a `replace-upstream` source override (no spec overlays).
- base/comps/libkml/modify_source.sh -- deterministic strip-and-
repack helper. Re-running on the same upstream tarball yields a
stable SHA-512.
- base/comps/components.toml -- inline `[components.libkml]` row
removed; the component is now defined in the dedicated file.
- specs/l/libkml/{libkml.spec,sources} -- regenerated with the new
Source0 hash.
- locks/libkml.lock -- refreshed.
Validation
----------
- `rpmspec -P specs/l/libkml/libkml.spec` exits 0.
- `azldev comp render -p libkml` audit-WARN confirms the upstream
`libkml-1.3.0.tar.gz` entry was swapped to the modified-tarball
SHA-512
  `6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58`.
- Lock converges (re-running `azldev comp update -p libkml`
produces no diff).
- Two consecutive independent runs of `modify_source.sh` produced
identical SHA-512s (byte-deterministic).
- Modified tarball uploaded to the lookaside path (HTTP 200,
6,623,485 bytes).
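The fixture shape the commit message describes, and the guard it exists to exercise, as an added example written for this page (not code from libkml, the PR or its `modify_source.sh`): a ZIP is hand-assembled so that its local header and central directory both declare an uncompressed size of 4,294,967,294 bytes for a six-byte payload, which is exactly the "on-disk shape" a malicious-archive heuristic keys on. `check_declared_sizes` rejects from the headers alone, before any inflate; `inflate_bounded` then covers the opposite lie (a bomb that declares a small size) by capping real output and cross-checking length and CRC. The 2 GiB cap, the function names and the sample archives are assumptions.

```python
"""Decompression-bomb guard for KMZ (ZIP) archives, constructed example."""
import io
import struct
import zipfile
import zlib
from typing import Optional

# Upper bound on what one entry may inflate to. libkml's own limit is not
# quoted on the page, so this value is an assumption made for the example.
MAX_UNCOMPRESSED = 2 * 1024 * 1024 * 1024  # 2 GiB

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50


def build_kmz(name: bytes, raw: bytes, claimed_size: Optional[int] = None) -> bytes:
    """Hand-assemble a single-entry, deflate-compressed ZIP (a KMZ is a ZIP).
    With claimed_size set, both the local header and the central directory
    advertise that uncompressed size instead of the true one."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as ZIP stores it
    data = comp.compress(raw) + comp.flush()
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    usize = len(raw) if claimed_size is None else claimed_size
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 8, 0, 0,
                        crc, len(data), usize, len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 8, 0, 0,
                          crc, len(data), usize, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def bad_too_large_kmz() -> bytes:
    """Constructed stand-in for testdata/kmz/bad-too-large.kmz: a tiny deflate
    stream whose headers claim it inflates to 4,294,967,294 bytes."""
    return build_kmz(b"doc.kml", b"<kml/>", claimed_size=4_294_967_294)


def check_declared_sizes(blob: bytes, cap: int = MAX_UNCOMPRESSED):
    """Pre-inflate guard: consult only the central directory and reject any
    entry (or archive total) that declares more than cap bytes. Returns
    (accepted, reason)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        return False, "not a zip archive: %s" % exc
    total = 0
    for info in zf.infolist():
        if info.file_size > cap:
            return False, "%s declares %d uncompressed bytes (cap %d)" % (
                info.filename, info.file_size, cap)
        total += info.file_size
    if total > cap:
        return False, "archive declares %d uncompressed bytes in total (cap %d)" % (total, cap)
    return True, "ok"


def inflate_bounded(blob: bytes, info: zipfile.ZipInfo, cap: int = MAX_UNCOMPRESSED) -> bytes:
    """Inflate one entry without trusting its headers: never emit more than
    cap bytes, and reject output whose length or CRC disagrees with what the
    central directory declared."""
    off = info.header_offset
    (sig,) = struct.unpack_from("<I", blob, off)
    if sig != LOCAL_SIG:
        raise ValueError("bad local header signature at offset %d" % off)
    nlen, xlen = struct.unpack_from("<HH", blob, off + 26)  # name/extra lengths
    start = off + 30 + nlen + xlen
    comp = blob[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_STORED:
        out = comp
    elif info.compress_type == zipfile.ZIP_DEFLATED:
        d = zlib.decompressobj(-15)
        out = d.decompress(comp, cap + 1)  # hard stop: at most cap + 1 bytes produced
        if len(out) > cap or d.unconsumed_tail:
            raise ValueError("%s inflates past the %d-byte cap" % (info.filename, cap))
    else:
        raise ValueError("unsupported compression method %d" % info.compress_type)
    if len(out) != info.file_size:
        raise ValueError("%s declared %d bytes but inflated to %d" % (
            info.filename, info.file_size, len(out)))
    if zlib.crc32(out) & 0xFFFFFFFF != info.CRC:
        raise ValueError("CRC mismatch for %s" % info.filename)
    return out


def extract_all(blob: bytes, cap: int = MAX_UNCOMPRESSED) -> dict:
    """Full path a parser would take: declared-size gate, then bounded inflate."""
    ok, reason = check_declared_sizes(blob, cap)
    if not ok:
        raise ValueError(reason)
    zf = zipfile.ZipFile(io.BytesIO(blob))
    return {i.filename: inflate_bounded(blob, i, cap) for i in zf.infolist()}


def is_rejected(blob: bytes, cap: int = MAX_UNCOMPRESSED) -> bool:
    """True when the guard refuses the archive for any reason."""
    try:
        extract_all(blob, cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("bad-too-large stand-in:", check_declared_sizes(bad_too_large_kmz()))
    print("well-formed doc.kml:", extract_all(build_kmz(b"doc.kml", b"<kml/>")))
```

The declared-size check is cheap and is what a `TestBadTooLarge`-style test pins down; the bounded inflate is the part that still matters once headers stop being honest, so a parser should keep both.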
christopherco
approved these changes
May 16, 2026
Fixes: AB#19880
The FS-aware deep scanner in the automated package-signing pipeline flagged `testdata/kmz/bad-too-large.kmz` shipped inside the upstream `libkml-1.3.0.tar.gz` tarball as malicious. The fixture is benign by intent — a crafted-malformed ZIP whose uncompressed-size field reports 4,294,967,294 bytes, used by libkml's Google Test suite to exercise the parser's decompression-bomb-rejection code path — but its on-disk shape matches the scanner's malicious-archive heuristics.

## Stripped fixture

| Fixture | Test | Coverage |
|---|---|---|
| `testdata/kmz/bad-too-large.kmz` | `ZipFileTest.TestBadTooLarge` | regression coverage of libkml's decompression-bomb guard |

The other 7 "bad" / "overflow" KMZ test fixtures shipped under `testdata/kmz/` (`zermatt-photo-bad.kmz`, `bad.kmz`, `bad-pk-data.kmz`, and the four `overflow_*.kmz` files) are kept as-is — the latest scan pass cleared them.

## Approach

The change overrides `Source0` with a byte-deterministic repack that drops the single fixture and surgically removes the matching `TEST_F` block from `tests/kml/base/zip_file_test.cc`:

```
ZipFileTest.TestBadTooLarge
```

All sibling test cases in `zip_file_test.cc` (`TestOpenFromString`, `TestOpenFromFile`, `TestCreate`, `TestAddEntryBad`, `TestBadPkZipData`, `TestMaxUncompressedSize`, …) and every other test runner in the libkml suite are unchanged. The runtime parser code path the deleted test exercised (in `src/kml/base/zip_file.cc`) is unchanged and remains exercised indirectly by sibling tests that feed valid and invalid inputs through the same open / parse APIs.

## Files

- `base/comps/libkml/libkml.comp.toml` — new dedicated component file with a `replace-upstream` source override (no spec overlays).
- `base/comps/libkml/modify_source.sh` — deterministic strip-and-repack helper.
- `base/comps/components.toml` — inline `[components.libkml]` row removed; the component is now defined in the dedicated file.
- `specs/l/libkml/{libkml.spec,sources}` — regenerated with the new Source0 hash.
- `locks/libkml.lock` — refreshed.

## Validation

- `azldev comp render -p libkml` audit-WARN confirms the upstream `libkml-1.3.0.tar.gz` entry was swapped to `6f93fcd390c6b21e307638df5d85b15dcb81af81c7409797a247b322df843fb1c36dc6c5eb7dc1346adbf228e09ec4ffdbf450dfe1f9b73cbc32e8803a098c58`.
- Lock converges (re-running `azldev comp update -p libkml` produces no diff).
- Byte-deterministic (two consecutive runs of `modify_source.sh` produced identical SHA-512s).
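A strip-and-repack with the same properties the Approach and Validation sections claim for `modify_source.sh` (one fixture dropped, one `TEST_F` block removed by brace matching, and a SHA-512 that does not change between runs), as an added example written for this page rather than the PR's own script, which is not shown. Determinism comes from normalising everything a naive `tar czf` would leak: member order, mtime, uid/gid, owner names, tar format (GNU, so no pax headers), and the gzip header's mtime and file-name fields. The upstream tarball here is a constructed stand-in with three members, the prefix `libkml-1.3.0/` is assumed, and every function name is this example's own.

```python
"""Deterministic strip-and-repack of a source tarball, constructed example."""
import gzip
import hashlib
import io
import re
import tarfile

FIXTURE = "testdata/kmz/bad-too-large.kmz"
TEST_SRC = "tests/kml/base/zip_file_test.cc"
TEST_FIXTURE, TEST_CASE = "ZipFileTest", "TestBadTooLarge"


def remove_test_block(src, fixture, case):
    """Delete `TEST_F(fixture, case) { ... }` by counting braces from the
    opening one. Assumes no unbalanced brace hides inside a string literal
    or comment within the block, which holds for gtest sources like this."""
    pat = r"^[ \t]*TEST_F\(\s*%s\s*,\s*%s\s*\)\s*\{" % (re.escape(fixture), re.escape(case))
    m = re.search(pat, src, re.M)
    if m is None:
        raise ValueError("%s.%s not found" % (fixture, case))
    depth, i = 1, m.end()
    while depth:
        if i >= len(src):
            raise ValueError("unbalanced braces in %s.%s" % (fixture, case))
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    for _ in range(2):  # swallow the closing line's newline and one blank line
        if src.startswith("\n", i):
            i += 1
    return src[:m.start()] + src[i:]


def repack(upstream_tgz, prefix):
    """Strip prefix/FIXTURE, patch prefix/TEST_SRC, and re-emit a tar.gz whose
    bytes depend only on member contents: members sorted by name, mtime and
    uid/gid zeroed, owner names blanked, GNU format, gzip mtime 0, no name."""
    members = []
    with tarfile.open(fileobj=io.BytesIO(upstream_tgz), mode="r:gz") as tin:
        for m in tin.getmembers():
            members.append((m, tin.extractfile(m).read() if m.isfile() else None))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tout:
        for m, data in sorted(members, key=lambda pair: pair[0].name):
            if m.name == prefix + "/" + FIXTURE:
                continue  # drop the scanner-flagged fixture
            if m.name == prefix + "/" + TEST_SRC:
                data = remove_test_block(data.decode(), TEST_FIXTURE, TEST_CASE).encode()
                m.size = len(data)
            m.mtime, m.uid, m.gid, m.uname, m.gname = 0, 0, 0, "", ""
            tout.addfile(m, io.BytesIO(data) if data is not None else None)
    # gzip.compress with a BytesIO source writes no FNAME field; mtime=0 pins the header.
    return gzip.compress(tar_buf.getvalue(), compresslevel=9, mtime=0)


def make_upstream(prefix, mtime, uid):
    """Constructed stand-in for libkml-1.3.0.tar.gz holding only the members
    this example touches; mtime and uid vary so two builds differ byte-wise."""
    test_src = (
        "TEST_F(ZipFileTest, TestOpenFromString) {\n  ASSERT_TRUE(true);\n}\n\n"
        "TEST_F(ZipFileTest, TestBadTooLarge) {\n  if (true) { ASSERT_FALSE(false); }\n}\n\n"
        "TEST_F(ZipFileTest, TestMaxUncompressedSize) {\n  ASSERT_TRUE(true);\n}\n"
    )
    files = {
        prefix + "/" + FIXTURE: b"PK\x03\x04 constructed placeholder, not the real fixture",
        prefix + "/" + TEST_SRC: test_src.encode(),
        prefix + "/README": b"constructed upstream\n",
    }
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tout:
        for name in sorted(files, reverse=True):  # deliberately unsorted input order
            ti = tarfile.TarInfo(name)
            ti.size, ti.mtime, ti.uid, ti.uname = len(files[name]), mtime, uid, "builder"
            tout.addfile(ti, io.BytesIO(files[name]))
    return out.getvalue()


def sha512_hex(blob):
    return hashlib.sha512(blob).hexdigest()


def member_names(tgz):
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as t:
        return t.getnames()


def read_member(tgz, name):
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as t:
        return t.extractfile(name).read()


if __name__ == "__main__":
    a = make_upstream("libkml-1.3.0", 1_600_000_000, 1000)
    b = make_upstream("libkml-1.3.0", 1_700_000_000, 0)
    print("upstream builds differ:", a != b)
    print("repacks agree:", sha512_hex(repack(a, "libkml-1.3.0")) == sha512_hex(repack(b, "libkml-1.3.0")))
```

Running the repack over two upstream tarballs that differ only in metadata and getting one SHA-512 is a stronger check than the "two consecutive runs" bullet above, because it also shows the output does not inherit timestamps or ownership from whichever machine fetched the source.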