Bug#991841: unblock: perm/0.4.0-6

Tue, 03 Aug 2021 01:27:25 -0700 

control: retitle -1 perm/0.4.0-7

On Tue, 3 Aug 2021 09:39:04 +0200 Sebastian Ramacher <sramac...@debian.org> 
wrote:
>> Control: tags -1 moreinfo
>> +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
>> ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
>> + {
>> +     if (caBuf == NULL) {
>> +         ERR;
>> +-        return(NULL);
>> ++        return(-1);
>> +     }
>> +     int iBufSizeMinus1 = iBufSize - 1;
>> +-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
>> ++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);

> The interesting thing about strlcpy is that you don't have to deal with
> this -1 nonsense and the explicit NUL-termination that follows. In fact,
> this patch now makes every buffer 1 byte smaller. strlcpy copies
> iBufSizeMinus1 - 1 characters in this case. Is that intended?

Aw, crap, no. I got sloppy here. I just did another upload on top of it, to
copy right buffer length, retitled accordingly.
Hopefully this should be fine now.
The debdiff is also attached w/ the version in testing

> I agree that this issue should be fixed, but I'm not sure if it is
> necessary to rush a fix now.

IMO, if this fixed is not merged now, I'll have to push it to next
stable point release, creating more work for everyone, and also passing
in this seemingly RC bug to the first release.
Being a leaf package with a relatively low popcon score, I think it is
not going to do a lot of damage, and I think it
would be really really great if you consider to let this in now, than later.
Upstream is not active, and I do not expect much from them.

Ofcourse, I agree that this creates some last minute noise+work for
the release team and I'm really
sorry about this -- it was discovered just yesterday, and I uploaded
after enough ACKs as soon as I found a relevant workaround.
But I'd be obliged if you consider to let this in.

Nilesh

diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog 2021-08-03 13:17:48.000000000 +0530
@@ -1,3 +1,31 @@
+perm (0.4.0-7) unstable; urgency=medium
+
+  * Team Upload.
+  * d/p/fix-buffer-overflow.patch: Do not reduce buffer size by 1
+
+ -- Nilesh Patra <nil...@debian.org>  Tue, 03 Aug 2021 13:17:48 +0530
+
+perm (0.4.0-6) unstable; urgency=medium
+
+  * Team Upload.
+  [ Shruti Sridhar ]
+  * d/tests/data: Add testdata
+  * d/tests: Add autopkgtest
+  * d/example: Install test data as example
+  * d/docs: Install d/README.* and d/tests/run-unit-test
+    as documents
+  * d/p/hardening.patch: Add CPPFLAGS which helped detect
+    buffer overflow
+  * d/copyright: Test data has been written by Shruti, mentioning
+    them in copyright for the same
+
+  [ Nilesh Patra ]
+  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+    instead of strncpy in order to fix buffer overflow
+  * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <nil...@debian.org>  Tue, 03 Aug 2021 00:31:10 +0530
+
 perm (0.4.0-5) unstable; urgency=medium
 
   * Standards-Version: 4.5.1 (routine-update)
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control   2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control   2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
 Uploaders: Andreas Tille <ti...@debian.org>
 Section: science
 Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/med-team/perm
 Vcs-Git: https://salsa.debian.org/med-team/perm.git
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright 2021-08-03 00:41:56.000000000 +0530
@@ -12,6 +12,10 @@
                2014-2017 Andreas Tille <ti...@debian.org>
 License: Apache-2.0
 
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <shruti.sridha...@gmail.com>
+License: Apache-2.0
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs      1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs      2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples  1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples  2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch 
perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 
05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03 
13:14:38.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid 
buffer overflow
+Author: Nilesh Patra <nil...@debian.org>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+ 
+ TARGETS = perm
+-LIBS = -lm -lstdc++ 
++LIBS = -lm -lstdc++ -lbsd 
+  
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp 
chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp 
SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+     return(true);
+ }
+ 
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+     if (caBuf == NULL) {
+         ERR;
+-        return(NULL);
++        return(-1);
+     }
+     int iBufSizeMinus1 = iBufSize - 1;
+-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++    int returnV = strlcpy(caBuf, str, iBufSize);
+     if (iBufSizeMinus1 >= 0) {
+         caBuf[iBufSizeMinus1] = '\0';
+     } else {
diff -Nru perm-0.4.0/debian/patches/hardening.patch 
perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch   2020-11-24 14:40:20.000000000 
+0530
+++ perm-0.4.0/debian/patches/hardening.patch   2021-08-02 17:25:32.000000000 
+0530
@@ -2,14 +2,14 @@
 Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
 Description: Propagate hardening options
 
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install:     all
  
  perm: $(PER_M)
        make clean
 -      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) 
$(CPPFLAGS)
        #$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
  
  tar:  clean
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series    2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series    2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
 hardening.patch
 spelling.patch
 gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test       1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test       2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+────────────────────────────────────────
+
+This package can be tested by running the provided test:
+
+    sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing 
+────────────────────────────────────────
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package. 
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control     1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control     2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta 
perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta    1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta    2021-08-02 17:25:32.000000000 
+0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta 
perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta      1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta      2021-08-02 17:25:32.000000000 
+0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test 
perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test       1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/run-unit-test       2021-08-03 00:44:59.000000000 
+0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
+[ -s "out.sam" ] || exit 1
+echo "PASS test"

Attachment: signature.asc
Description: PGP signature

Reply via email to