Hello community, here is the log from the commit of package arj for openSUSE:Factory checked in at 2020-03-26 23:32:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/arj (Old) and /work/SRC/openSUSE:Factory/.arj.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arj" Thu Mar 26 23:32:53 2020 rev:4 rq:788442 version:3.10.22 Changes: -------- --- /work/SRC/openSUSE:Factory/arj/arj.changes 2019-11-07 23:16:10.164511309 +0100 +++ /work/SRC/openSUSE:Factory/.arj.new.3160/arj.changes 2020-03-26 23:33:13.846774101 +0100 @@ -1,0 +2,6 @@ +Wed Mar 25 20:50:54 UTC 2020 - Bernhard Wiedemann <bwiedem...@suse.com> + +- Add arj-3.10.22-fixstrcpy.patch to fix data corruption + and make package builds reproducible (boo#1100677) + +------------------------------------------------------------------- New: ---- arj-3.10.22-fixstrcpy.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ arj.spec ++++++ --- /var/tmp/diff_new_pack.uYxSKD/_old 2020-03-26 23:33:14.310774268 +0100 +++ /var/tmp/diff_new_pack.uYxSKD/_new 2020-03-26 23:33:14.314774269 +0100 @@ -33,6 +33,8 @@ Patch3: arj-3.10.22-quotes.patch # PATCH-FIX-OPENSUSE -- make build reproducible Patch4: arj-3.10.22-reproducible.patch +# PATCH-FIX-UPSTREAM https://sourceforge.net/p/arj/git/merge-requests/1/ +Patch5: arj-3.10.22-fixstrcpy.patch BuildRequires: autoconf %description @@ -49,6 +51,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 for i in debian/patches/00*.patch; do patch -p1 < $i ++++++ arj-3.10.22-fixstrcpy.patch ++++++ Author: Bernhard M. Wiedemann <bwiedem...@suse.de> Date: 2020-03-25 reproducible builds showed differences in strings produced from msgbind depending on CPU-type valgrind --tool=memcheck helped to locate two relevant calls to strcpy on overlapping regions Index: arj-3.10.22/arjdata.c =================================================================== --- arj-3.10.22.orig/arjdata.c +++ arj-3.10.22/arjdata.c @@ -232,7 +232,7 @@ char *expand_tags(char *str, int limit) { if(*(p+1)==TAG_CHAR) { - strcpy(p, p+1); + safe_strcpy(p, p+1); p++; } else if(*(p+1)==TAG_SPECIAL_BEGIN&&(et=strchr(p+3, TAG_SPECIAL_END))!=NULL) Index: arj-3.10.22/msgbind.c =================================================================== --- arj-3.10.22.orig/msgbind.c +++ arj-3.10.22/msgbind.c @@ -21,6 +21,12 @@ #include <signal.h> #include <time.h> +static void safe_strcpy(char *dest, const char *src) +{ + memmove(dest, src, strlen(src) + 1); +} + + #define MSG_SIZE 32752 /* Constant msg buffer size */ #define POOL_SIZE 51200 /* Maximum size of variable-len buf */ #define POOL_R_INC 1024 /* Realloc incrementation */ @@ -586,7 +586,7 @@ int main(int argc, char **argv) } strcat(pool[tpool].data, msgname); strcat(pool[tpool].data, ", "); - strcpy(msg_buffer, msg_buffer+1); + safe_strcpy(msg_buffer, msg_buffer+1); buf_len=strlen(msg_buffer); msg_buffer[--buf_len]='\0'; patch_string(msg_buffer);
