Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[pali]

On Saturday 25 February 2017 22:45:25 gregor herrmann wrote:
> On Sat, 25 Feb 2017 01:18:04 +0100, p...@cpan.org wrote:
> > But if you are fixing "regressions" from older versions, consider apply 
> > also fix for zerofill.
> 
> Since Debian is in deep freeze, I'm just trying to fix reported RC
> bugs. If you think the mentioned zerofill bug is worth having it in
> stretch, please file a bug with the appropriate severity and backport
> the fix to apply against 4.041 after applying the float conversion
> patch (or before, then the conversion patch needs changes).

I created debian bug 856250, but I do not know which severity or flags
should be there. If you decide to include fix for that bug too, I can
prepare backported patch...

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Ivo De Decker]

Hi,

On Sun, Feb 26, 2017 at 09:49:44PM +0100, gregor herrmann wrote:
> > So from my point of view, as it is two days until the 1st of March right
> > now (at least in my timezone) we need to get a fixed version of
> > libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
> > to be possible?
> 
> Sure, I just uploaded 4.041-2 to unstable.

Unblocked libdbd-mysql-perl.

> Thanks for handling all this stuff!

Cheers,

Ivo

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[gregor herrmann]

On Mon, 27 Feb 2017 07:37:53 +1100, Brian May wrote:

> Brian May  writes:
> > amavisd-new has already been removed from testing. I think the chances
> > of getting it back in are remote - however I have asked the release team
> > - see #856067.
> 
> The release gods^h^h^h^h^h team has spoken. They say they will accept
> amavisd-new back in the archive:
> 
> "Not in a point release, but I'll cut you a deal: if the underlying bug in
> libdbd-mysql-perl is fixed (but *without* the additional fixes Pali
> mentions), and an unblock bug opened before 1st March, I'll unblock
> amavisd-new and amavisd-milter for stretch."
> 
> "(no precedents, subject to future developments, blah, blah, etc, etc)."

Cool.
 
> So from my point of view, as it is two days until the 1st of March right
> now (at least in my timezone) we need to get a fixed version of
> libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
> to be possible?

Sure, I just uploaded 4.041-2 to unstable.

Thanks for handling all this stuff!


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Donovan: Living for the lovelight


signature.asc
Description: Digital Signature

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Brian May]

Brian May  writes:

> amavisd-new has already been removed from testing. I think the chances
> of getting it back in are remote - however I have asked the release team
> - see #856067.

The release gods^h^h^h^h^h team has spoken. They say they will accept
amavisd-new back in the archive:

"Not in a point release, but I'll cut you a deal: if the underlying bug in
libdbd-mysql-perl is fixed (but *without* the additional fixes Pali
mentions), and an unblock bug opened before 1st March, I'll unblock
amavisd-new and amavisd-milter for stretch."

"(no precedents, subject to future developments, blah, blah, etc, etc)."

So from my point of view, as it is two days until the 1st of March right
now (at least in my timezone) we need to get a fixed version of
libdbd-mysql-perl in unstable by tomorrow at the latest. Is this going
to be possible?

Thanks.
-- 
Brian May 

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Brian May]

gregor herrmann  writes:

> Brian, do you have a chance to test this version against amavisd-new?

I am not able to test this myself. If however you can make a version
available for testing (experimental maybe?) I can ask people to test it.

> Since Debian is in deep freeze, I'm just trying to fix reported RC
> bugs. If you think the mentioned zerofill bug is worth having it in
> stretch, please file a bug with the appropriate severity and backport
> the fix to apply against 4.041 after applying the float conversion
> patch (or before, then the conversion patch needs changes).

Just some extra information I neglected to mention before:

amavisd-new has already been removed from testing. I think the chances
of getting it back in are remote - however I have asked the release team
- see #856067.

Even if amavisd-new doesn't get included, if this bug gets fixed it
might help distribute amavisd-new some other way (maybe outside Debian).
-- 
Brian May 

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[gregor herrmann]

On Sat, 25 Feb 2017 01:18:04 +0100, p...@cpan.org wrote:

> > > Upstream patch:
> > > https://github.com/perl5-dbi/DBD-mysql/pull/102
> > 
> > This patch doesn't apply against 4.041-1 in Debian (or 4.041
> > upstream), and neither against the master branch in the upstream repo
> > (so unless I'm missing something, this pull request won't work
> > as-is),
> 
> That patch in github PR 102 applies cleanly on DBD-mysql master branch. 
> It is based on top of master branch. Patch is not merged yet.

I probably hadn't updated one of the git trees, sorry for that.
 
> > Pali, could you perhaps come up with a patch that applies against
> > 4.041?
> This one is for libdbd-mysql-perl_4.041-1.dsc:

Thanks very much!
Patch added to our git repo.

Brian, do you have a chance to test this version against amavisd-new?
 
> But if you are fixing "regressions" from older versions, consider apply 
> also fix for zerofill.

Since Debian is in deep freeze, I'm just trying to fix reported RC
bugs. If you think the mentioned zerofill bug is worth having it in
stretch, please file a bug with the appropriate severity and backport
the fix to apply against 4.041 after applying the float conversion
patch (or before, then the conversion patch needs changes).
 
Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Sinéad O'Connor: All Apologies


signature.asc
Description: Digital Signature

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[pali]

Hi!

On Saturday 25 February 2017 00:41:31 gregor herrmann wrote:
> On Sat, 25 Feb 2017 09:29:23 +1100, Brian May wrote:
> > Package: libdbd-mysql-perl
> > Version: 4.041-1
> > Severity: grave
> > Justification: causes non-serious data loss
> > 
> > When reading floats from mysql, they are always read as 0.
> 
> Thanks for the bug report and all the information!
> 
> > Upstream patch:
> > https://github.com/perl5-dbi/DBD-mysql/pull/102
> 
> This patch doesn't apply against 4.041-1 in Debian (or 4.041
> upstream), and neither against the master branch in the upstream repo
> (so unless I'm missing something, this pull request won't work
> as-is),

That patch in github PR 102 applies cleanly on DBD-mysql master branch. 
It is based on top of master branch. Patch is not merged yet.

Note that nobody was able to create any test which cause this problem 
yet. The only one affected application (which was reported) is amavis. 
Seems unbelievable but it is truth.

> as Pali's master has been massively rewritten since then. [0]

Yes, there are more bug fixes in DBD-mysql. E.g. zerofill support fixed 
in commit dc4d40b1df2f05b9e23105ab6d7b98c77eb318de which worked for 10 
years until 4.040: https://rt.cpan.org/Public/Bug/Display.html?id=118977 
(even it was not explicitly supported).

Or fixed UTF-8 support which was broken for a long time: 
https://github.com/perl5-dbi/DBD-mysql/pull/67

> From looking at the comments in the diff I could possibly find the
> places in the shipped dbdimp.c to make this build somehow, but I'm
> rather reluctant to do this blindly.

Replace "(void) SvNV(sv); SvNOK_only(sv);" by "sv_setnv(sv, SvNV(sv));". 
And similarly also for IV and UV.

> Pali, could you perhaps come up with a patch that applies against
> 4.041?

This one is for libdbd-mysql-perl_4.041-1.dsc:

--- dbdimp.c
+++ dbdimp.c
@@ -4250,8 +4250,7 @@ process:
 switch (mysql_to_perl_type(fields[i].type)) {
 case MYSQL_TYPE_DOUBLE:
   /* Coerce to dobule and set scalar as NV */
-  (void) SvNV(sv);
-  SvNOK_only(sv);
+  sv_setnv(sv, SvNV(sv));
   break;
 
 case MYSQL_TYPE_LONG:
@@ -4259,13 +4258,11 @@ process:
   /* Coerce to integer and set scalar as UV resp. IV */
   if (fields[i].flags & UNSIGNED_FLAG)
   {
-(void) SvUV(sv);
-SvIOK_only_UV(sv);
+sv_setuv(sv, SvUV(sv));
   }
   else
   {
-(void) SvIV(sv);
-SvIOK_only(sv);
+sv_setiv(sv, SvIV(sv));
   }
   break;
 

But if you are fixing "regressions" from older versions, consider apply 
also fix for zerofill.

> 
> Cheers,
> gregor
> 
> [0] especially caea0b774028650c0cbd9d8f9c4a0b47831116df changes the
> variable types in the switch/case construct

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[gregor herrmann]

On Sat, 25 Feb 2017 09:29:23 +1100, Brian May wrote:

> Package: libdbd-mysql-perl
> Version: 4.041-1
> Severity: grave
> Justification: causes non-serious data loss
> 
> When reading floats from mysql, they are always read as 0.

Thanks for the bug report and all the information!
 
> Upstream patch:
> https://github.com/perl5-dbi/DBD-mysql/pull/102

This patch doesn't apply against 4.041-1 in Debian (or 4.041
upstream), and neither against the master branch in the upstream repo
(so unless I'm missing something, this pull request won't work as-is), as
Pali's master has been massively rewritten since then. [0]

From looking at the comments in the diff I could possibly find the
places in the shipped dbdimp.c to make this build somehow, but I'm
rather reluctant to do this blindly.

Pali, could you perhaps come up with a patch that applies against 4.041?


Cheers,
gregor

[0] especially caea0b774028650c0cbd9d8f9c4a0b47831116df changes the
variable types in the switch/case construct

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Led Zeppelin: Kashmir


signature.asc
Description: Digital Signature

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Brian May]

Brian May  writes:

> Possibly only happens in Perl's tainted mode; I have asked for
> confirmation.

Actually is a fair bit more complicated then that. See:
https://github.com/perl5-dbi/DBD-mysql/issues/78#issuecomment-282425847

The fix is simple. Understanding what the bug breaks is a lot more
complicated.
-- 
Brian May 

Bug#856064: libdbd-mysql-perl: reads of floats currupted as 0

[Brian May]

Package: libdbd-mysql-perl
Version: 4.041-1
Severity: grave
Justification: causes non-serious data loss

When reading floats from mysql, they are always read as 0.

As values are currupted and as it is the cause of a grave bug in another
package, I have set this to grave.

Possibly only happens in Perl's tainted mode; I have asked for
confirmation.

Upstream bug report:
https://github.com/perl5-dbi/DBD-mysql/issues/78

Upstream patch:
https://github.com/perl5-dbi/DBD-mysql/pull/102

This is the cause of a RC bug against amavisd-new:
https://bugs.debian.org/847311

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 
'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdbd-mysql-perl depends on:
ii  libc6 2.24-9
ii  libdbi-perl [perl-dbdabi-94]  1.636-1+b1
ii  libmariadbclient1810.1.21-5
ii  perl  5.24.1-1
ii  perl-base [perlapi-5.24.1]5.24.1-1

libdbd-mysql-perl recommends no packages.

libdbd-mysql-perl suggests no packages.

-- no debconf information