Bug#863953: jessie-pu: package xarchiver/1:0.5.4-1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I would like to update xarchiver in Jessie. It was discovered that
data loss could occur when an archive name contained shell
metacharacters. [1]
Please find attached the debdiff.
Regards,
Markus
[1] https://bugs.debian.org/862593
diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
--- xarchiver-0.5.4/debian/changelog 2016-05-15 00:05:35.000000000 +0200
+++ xarchiver-0.5.4/debian/changelog 2017-06-02 10:29:41.000000000 +0200
@@ -1,3 +1,15 @@
+xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium
+
+ [ Chris Lamb ]
+ * Fix data-loss issue where adding files to a tar-based archive removed all
+ existing content when the target filename included shell metacharacters.
+ The test to see whether it already existed to determine whether to create
+ a new archive or simply add a new file incorrectly used an escaped path.
+ Thanks to Nikolaus Rath for the report and Chris Lamb for the patch.
+ (Closes: #862593)
+
+ -- Markus Koschany <apo@debian.org> Fri, 02 Jun 2017 10:29:41 +0200
+
xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium
* Add cancel-extraction-crash.patch.
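Review bot: The version on the first line of the new entry, 1:0.5.4-1+deb8u2, does not match the bug title, which names 1:0.5.4-1+deb8u1, the entry already present as context at the bottom of this hunk. If +deb8u2 is the intended upload, retitle the bug so the request and the debdiff agree. Within the entry, Chris Lamb is credited both by the "[ Chris Lamb ]" header and by "Thanks to ... Chris Lamb for the patch"; one of the two is enough.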
diff -Nru xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
--- xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 1970-01-01 01:00:00.000000000 +0100
+++ xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 2017-06-02 10:29:41.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Pass unescaped filenames to g_file_test
+Author: Chris Lamb <lamby@debian.org>
+Last-Update: 2017-05-19
+Debian-Bug: #862593
+
+--- xarchiver-0.5.4.orig/src/tar.c
++++ xarchiver-0.5.4/src/tar.c
+@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri
+ switch (archive->type)
+ {
+ case XARCHIVETYPE_TAR:
+- if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS))
++ if ( g_file_test (archive->path,G_FILE_TEST_EXISTS))
+ command = g_strconcat (tar, " ",
+ archive->add_recurse ? "" : "--no-recursion ",
+ archive->remove_files ? "--remove-files " : "",
+@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri
+ break;
+
+ case XARCHIVETYPE_TAR_BZ2:
+- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ else
+ command = g_strconcat (tar, " ",
+@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri
+ break;
+
+ case XARCHIVETYPE_TAR_GZ:
+- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ else
+ command = g_strconcat (tar, " ",
+@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri
+ break;
+
+ case XARCHIVETYPE_TAR_LZMA:
+- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ else
+ command = g_strconcat (tar, " ",
+@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri
+ break;
+
+ case XARCHIVETYPE_TAR_XZ:
+- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ else
+ command = g_strconcat (tar, " ",
+@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GStri
+ break;
+
+ case XARCHIVETYPE_TAR_LZOP:
+- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ else
+ command = g_strconcat (tar, " ",
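Review bot: The scope stops at the six case branches of xa_tar_add in src/tar.c, and nothing here shows whether other existence checks in the package still pass archive->escaped_path to g_file_test. A grep of the remaining sources for g_file_test on escaped_path would confirm that no other archive type has the same mismatch. A short comment at one of the changed lines would help keep it from regressing: escaped_path belongs only in strings handed to the shell, while filesystem calls such as g_file_test take path. The patch header also carries no Forwarded field, so it is unclear whether upstream has this fix.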
diff -Nru xarchiver-0.5.4/debian/patches/series xarchiver-0.5.4/debian/patches/series
--- xarchiver-0.5.4/debian/patches/series 2016-05-15 00:05:35.000000000 +0200
+++ xarchiver-0.5.4/debian/patches/series 2017-06-02 10:29:41.000000000 +0200
@@ -1,3 +1,4 @@
desktop-file.patch
encrypted-7z-archives.patch
cancel-extraction-crash.patch
+pass-unescaped-filenames-to-g_file_test.patch