Here is a revised patch for #511582 for opie, including a slightly simpler fix for misaligned XORs and also fixing a lintian error and several lintian warnings.

However, it still does not resolve the licensing concerns described on this bug, and it also leaves several lintian warnings unresolved:

W: opie source: package-uses-deprecated-debhelper-compat-version 3
W: opie source: debian-rules-sets-DH_COMPAT line 5
W: opie source: ancient-standards-version 3.6.1.0 (current is 3.8.3)
W: opie-server: non-standard-file-perm etc/opiekeys 0600 != 0644
W: opie-server: setuid-binary usr/bin/opiepasswd 4755 root/root

In particular, I'm concerned that this package has a setuid binary, has had only NMUs since 2004, hasn't been reviewed for recent Standards or debhelper versions, and http://bugs.debian.org/511582#30 suggests that the maintainer seems to think that we should move away from the codebase.

I'm wondering if we should remove the package from the archive entirely as a result of this review. I'm not comfortable NMUing a package with these outstanding concerns.

Any thoughts or suggestions?

--dkg

diff -u opie-2.32.dfsg.1/libopie/hash.c opie-2.32.dfsg.1/libopie/hash.c
--- opie-2.32.dfsg.1/libopie/hash.c
+++ opie-2.32.dfsg.1/libopie/hash.c
@@ -22,7 +22,8 @@
VOIDRET opiehash FUNCTION((x, algorithm), VOIDPTR x AND unsigned algorithm)
{
- UINT4 *results = (UINT4 *)x;
+ unsigned char *results = (unsigned char *)x;
+ int i;
switch(algorithm) {
#if 0
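Review bot: the new `unsigned char *results` declaration carries no comment saying why the `UINT4 *` cast was dropped. Since the point of the change is that x may not be word-aligned, a one-line comment at the declaration would keep a later cleanup from reintroducing the word-wise access.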
@@ -32,30 +33,32 @@
SHAInit(&sha);
SHAUpdate(&sha, (unsigned char *)x, 8);
SHAFinal(&sha);
- results[0] = sha.buffer[0] ^ sha.buffer[2] ^ sha.buffer[4];
- results[1] = sha.buffer[1] ^ sha.buffer[3];
+ for (i = 0; i < 4; i++)
+ results[i] = sha.buffer[i] ^ sha.buffer[8+i] ^ sha.buffer[16+i];
+ for (i = 4; i < 8; i++)
+ results[i] = sha.buffer[i] ^ sha.buffer[12+i];
};
break;
#endif /* 0 */
case 4:
{
- UINT4 mdx_tmp[4];
+ unsigned char mdx_tmp[16];
- mdfour((unsigned char *)mdx_tmp, (unsigned char *)x, 8);
- results[0] = mdx_tmp[0] ^ mdx_tmp[2];
- results[1] = mdx_tmp[1] ^ mdx_tmp[3];
+ mdfour(mdx_tmp, (unsigned char *)x, 8);
+ for (i = 0; i < 8; i++)
+ results[i] = mdx_tmp[i] ^ mdx_tmp[8+i];
};
break;
case 5:
{
md5_state_t mdx;
- UINT4 mdx_tmp[4];
+ unsigned char mdx_tmp[16];
md5_init(&mdx);
md5_append(&mdx, (unsigned char *)x, 8);
md5_finish(&mdx, (unsigned char *)mdx_tmp);
- results[0] = mdx_tmp[0] ^ mdx_tmp[2];
- results[1] = mdx_tmp[1] ^ mdx_tmp[3];
+ for (i = 0; i < 8; i++)
+ results[i] = mdx_tmp[i] ^ mdx_tmp[8+i];
};
break;
}
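Review bot: in the SHA branch, the offset in the second loop does not match the line it replaces. The removed `results[1] = sha.buffer[1] ^ sha.buffer[3]` XORs word 1 with word 3, that is bytes 4-7 with bytes 12-15, but `sha.buffer[12+i]` for i = 4..7 reads bytes 16-19 (word 4); it should be `sha.buffer[8+i]`. Both SHA loops also index sha.buffer directly, where the removed lines treated it as an array of words, so unless sha.buffer is a byte array the byte-wise version needs an `unsigned char *` view of it first. The branch ends at `#endif /* 0 */`, so none of this is compiled today, but it is better corrected now than left for whoever re-enables it. The MD4 and MD5 loops are consistent with the old code: bytes 0-7 XOR bytes 8-15 is words 0^2 and 1^3. The cast in `md5_finish(&mdx, (unsigned char *)mdx_tmp)` is now redundant.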
diff -u opie-2.32.dfsg.1/debian/control opie-2.32.dfsg.1/debian/control
--- opie-2.32.dfsg.1/debian/control
+++ opie-2.32.dfsg.1/debian/control
@@ -7,7 +7,7 @@
Package: opie-client
Architecture: any
-Depends: ${shlibs:Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: opie
Description: OPIE programs for generating OTPs on client machines
This package contains the necessary generators to produce one-time
@@ -16,7 +16,7 @@
Package: opie-server
Architecture: any
-Depends: ${shlibs:Depends}, opie-client, libpam-opie
+Depends: ${shlibs:Depends}, ${misc:Depends}, opie-client, libpam-opie
Conflicts: suidmanager (<< 0.50)
Recommends: libpam-opie
Description: OPIE programs for maintaining an OTP key file
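Review bot: in the opie-server stanza, libpam-opie appears in the Depends line being edited and again in the Recommends line just below it. The Recommends entry is redundant while the package is a hard dependency and could be dropped in the same change; if only a recommendation was intended, libpam-opie should come out of Depends instead.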
@@ -26,8 +26,9 @@
for authentication.
Package: libopie-dev
-Section: devel
+Section: libdevel
Architecture: any
+Depends: ${misc:Depends}
Description: OPIE library development files.
OPIE (One-time Password In Everything) is a system which makes it
simple to use One-Time passwords in applications.
reverted:
--- opie-2.32.dfsg.1/debian/opie-server.conffiles
+++ opie-2.32.dfsg.1.orig/debian/opie-server.conffiles
@@ -1 +0,0 @@
-/etc/opiekeys
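Review bot: with the only line of debian/opie-server.conffiles removed, /etc/opiekeys stays a conffile solely through debhelper's automatic marking of files under /etc, which is what the duplicate-conffile error in the changelog implies. It would be worth confirming that the built opie-server package still lists /etc/opiekeys among its conffiles, since this is the key file shipped with mode 0600 and it should not be silently replaced on upgrade.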
diff -u opie-2.32.dfsg.1/debian/changelog opie-2.32.dfsg.1/debian/changelog
--- opie-2.32.dfsg.1/debian/changelog
+++ opie-2.32.dfsg.1/debian/changelog
@@ -1,3 +1,17 @@
+opie (2.32.dfsg.1-0.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * resolve build/test alignment issues on armel by making opiehash() do
+ byte-wise (instead of word-wise) XOR operations. (Closes: #511582)
+ * remove debian/opie-server.conffiles to clear a duplicate-conffile
+ lintian error. (thanks for the catch, lintian!)
+ * debian/rules (clean target): rm confdefs.h so that rebuilds do not
+ produce variant diffs.
+ * debian/control: add misc:Depends, fix section for libopie-dev (thanks,
+ lintian!)
+
+ -- Daniel Kahn Gillmor <[email protected]> Sun, 31 Jan 2010 23:48:32 -0500
+
opie (2.32.dfsg.1-0.1) unstable; urgency=high
* Non-maintainer upload.
diff -u opie-2.32.dfsg.1/debian/rules opie-2.32.dfsg.1/debian/rules
--- opie-2.32.dfsg.1/debian/rules
+++ opie-2.32.dfsg.1/debian/rules
@@ -20,7 +20,7 @@
dh_testroot
test -e Makefile && $(MAKE) clean || true
rm -f Makefile
- rm -f config.cache config.h config.log config.status
+ rm -f config.cache config.h config.log config.status confdefs.h
rm -f libmissing/Makefile libopie/Makefile
rm -f build-stamp install-stamp
dh_clean

