Bug#846948: jessie-pu: package file/1:5.22+15-2+deb8u3

2016-12-14 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2016-12-13 at 19:16 +0100, Christoph Biedl wrote:
> Adam D. Barratt wrote...
> 
> > Please go ahead.
> 
> Thanks, now uploaded.

Flagged for acceptance; thanks.

Regards,

Adam



Bug#846948: jessie-pu: package file/1:5.22+15-2+deb8u3

2016-12-13 Thread Christoph Biedl
Adam D. Barratt wrote...

> Please go ahead.

Thanks, now uploaded.

Christoph




Bug#846948: jessie-pu: package file/1:5.22+15-2+deb8u3

2016-12-10 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2016-12-04 at 15:56 +0100, Christoph Biedl wrote:
> A memory leak was found in libmagic's (src:file) loader of magic
> files, apparently independently by Shi Yin in PR/569[1] and Arnaud
> Quette in #840754[2]. This was fixed upstream in version 5.29 which is
> in testing and unstable (as 1:5.29-1), oldstable/wheezy doesn't seem to
> have this problem.

Please go ahead.

Regards,

Adam



Bug#846948: jessie-pu: package file/1:5.22+15-2+deb8u3

2016-12-04 Thread Christoph Biedl
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hello release team,

A memory leak was found in libmagic's (src:file) loader of magic
files, apparently independently by Shi Yin in PR/569[1] and Arnaud
Quette in #840754[2]. This was fixed upstream in version 5.29 which is
in testing and unstable (as 1:5.29-1), oldstable/wheezy doesn't seem to
have this problem.

For stable/jessie I'd like to handle this in the next point release.

The actual fix is commit FILE5_28-42-g10ee4ec[3] where commit
FILE5_24-31-g3aa35aa[4] is needed as a prerequisite. I've dropped a
hunk from that fix which AFAICS is not relevant for Debian and would
otherwise require the inclusion of FILE5_25-3-gb0ccffd[5] as another
prerequisite: According to its description, that third commit is needed
on systems without mmap only.

Find attached:

* A debdiff for 1:5.22+15-2+deb8u3
* A cumulative patch about the code changes to ease review.

After applying the patch, the valgrind check as described in the BTS
no longer reports leaks.

Regards,

Christoph

[1] https://bugs.gw.com/view.php?id=569
[2] https://bugs.debian.org/840754
[3] https://github.com/file/file/commit/FILE5_28-42-g10ee4ec
[4] https://github.com/file/file/commit/FILE5_24-31-g3aa35aa
[5] https://github.com/file/file/commit/FILE5_25-3-gb0ccffd
diff -Nru file-5.22+15/debian/changelog file-5.22+15/debian/changelog
--- file-5.22+15/debian/changelog   2016-05-09 08:23:30.0 +0200
+++ file-5.22+15/debian/changelog   2016-12-04 10:00:07.0 +0100
@@ -1,3 +1,9 @@
+file (1:5.22+15-2+deb8u3) stable; urgency=medium
+
+  * Fix memory leak in magic loader. Closes: #840754
+
+ -- Christoph Biedl   Sun, 04 Dec 2016 
10:00:07 +0100
+
 file (1:5.22+15-2+deb8u2) stable; urgency=high
 
   * Fix CVE-2015-8865:
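Review bot: The new changelog entry for 1:5.22+15-2+deb8u3 says only "Fix memory leak in magic loader" and does not name the two cherry-picked upstream commits, nor that one of them was applied only in part. Listing the two patch file names under the bullet would let someone reading the changelog find the change without opening debian/patches/series.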
diff -Nru 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
--- 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
 1970-01-01 01:00:00.0 +0100
+++ 
file-5.22+15/debian/patches/cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
 2016-12-02 00:00:46.0 +0100
@@ -0,0 +1,32 @@
+Subject: Don't leak memory when loading non-compiled files
+Origin: FILE5_24-31-g3aa35aa
+Upstream-Author: Christos Zoulas 
+Date: Thu Sep 10 13:59:47 2015 +
+
+--- a/src/apprentice.c
 b/src/apprentice.c
+@@ -538,6 +538,7 @@
+ private void
+ apprentice_unmap(struct magic_map *map)
+ {
++  size_t i;
+   if (map == NULL)
+   return;
+ 
+@@ -550,6 +551,8 @@
+ #endif
+   case MAP_TYPE_MALLOC:
+   free(map->p);
++  for (i = 0; i < MAGIC_SETS; i++)
++  free(map->magic[i]);
+   break;
+   case MAP_TYPE_USER:
+   break;
+@@ -1285,6 +1288,7 @@
+   file_oomem(ms, sizeof(*map));
+   return NULL;
+   }
++  map->type = MAP_TYPE_MALLOC;
+ 
+   /* print silly verbose header for USG compat. */
+   if (action == FILE_CHECK)
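Review bot: In the MAP_TYPE_MALLOC case of apprentice_unmap(), the added loop calls free(map->magic[i]) for every set, which is only safe if each map->magic[i] of a MAP_TYPE_MALLOC map is either NULL or its own heap allocation and never a pointer into map->p, which is freed on the line just above. The last inner hunk tags the map built by the loader as MAP_TYPE_MALLOC; please confirm that no other path in this 5.22 tree gives a map that type while pointing magic[] into a single buffer, and record that in the patch header. Style: leave a blank line after the new "size_t i;" declaration before the NULL check.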
diff -Nru 
file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
 
file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
--- 
file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
   1970-01-01 01:00:00.0 +0100
+++ 
file-5.22+15/debian/patches/cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch
   2016-12-04 09:36:35.0 +0100
@@ -0,0 +1,22 @@
+Subject: PR/569: Shi Yin: Fix memory leak
+Origin: FILE5_28-42-g10ee4ec
+Upstream-Author: Christos Zoulas 
+Date: Sun Sep 11 13:53:02 2016 +
+Comment: Only relevant parts of that commit were used
+
+--- a/src/apprentice.c
 b/src/apprentice.c
+@@ -404,11 +404,11 @@
+ {
+   struct mlist *ml;
+ 
+-  mlp->map = idx == 0 ? map : NULL;
++  mlp->map = NULL;
+   if ((ml = CAST(struct mlist *, malloc(sizeof(*ml == NULL)
+   return -1;
+ 
+-  ml->map = NULL;
++  ml->map = idx == 0 ? map : NULL;
+   ml->magic = map->magic[idx];
+   ml->nmagic = map->nmagic[idx];
+ 
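Review bot: In the inner hunk at -404, the malloc failure path returns -1 before "ml->map = idx == 0 ? map : NULL;" runs, and mlp->map is now always NULL, so on that path nothing on the list refers to map. The caller therefore has to release map itself when this function fails, which is worth checking against the callers in this tree. The header line "Comment: Only relevant parts of that commit were used" should also say which hunk was left out and why, so the deviation from upstream can be audited later.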
diff -Nru file-5.22+15/debian/patches/series file-5.22+15/debian/patches/series
--- file-5.22+15/debian/patches/series  2016-05-09 08:10:53.0 +0200
+++ file-5.22+15/debian/patches/series  2016-12-04 09:50:30.0 +0100
@@ -13,3 +13,5 @@
 cherry-pick.FILE5_24-22-g27b4e34.parameter-1.patch
 cherry-pick.FILE5_24-23-g4ddb783.parameter-2.patch
 CVE-2015-8865.6713ca4.patch
+cherry-pick.FILE5_24-31-g3aa35aa.dont-leak-memory-when-loading-non-compiled-files.patch
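Review bot: The hunk header "@@ -13,3 +13,5 @@" counts two added lines, but only the FILE5_24-31-g3aa35aa entry is visible here. Check that series also lists cherry-pick.FILE5_28-42-g10ee4ec.pr-569-shi-yin-fix-memory-leak.patch, placed after this prerequisite, otherwise the actual leak fix is shipped in debian/patches but never applied.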