
Bug#863953: jessie-pu: package xarchiver/1:0.5.4-1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I would like to update xarchiver in Jessie. It was discovered that
data loss could occur when an archive name contained shell
metacharacters. [1]

Please find attached the debdiff.

Regards,

Markus


[1] https://bugs.debian.org/862593
diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
--- xarchiver-0.5.4/debian/changelog	2016-05-15 00:05:35.000000000 +0200
+++ xarchiver-0.5.4/debian/changelog	2017-06-02 10:29:41.000000000 +0200
@@ -1,3 +1,15 @@
+xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium
+
+  [ Chris Lamb ]
+  * Fix data-loss issue where adding files to a tar-based archive removed all
+    existing content when the target filename included shell metacharacters.
+    The test to see whether it already existed to determine whether to create
+    a new archive or simply add a new file incorrectly used an escaped path.
+    Thanks to Nikolaus Rath for the report and Chris Lamb for the patch.
+    (Closes: #862593)
+
+ -- Markus Koschany <apo@debian.org>  Fri, 02 Jun 2017 10:29:41 +0200
+
 xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium
 
   * Add cancel-extraction-crash.patch.
diff -Nru xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
--- xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch	1970-01-01 01:00:00.000000000 +0100
+++ xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch	2017-06-02 10:29:41.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Pass unescaped filenames to g_file_test
+Author: Chris Lamb <lamby@debian.org>
+Last-Update: 2017-05-19
+Debian-Bug: #862593
+
+--- xarchiver-0.5.4.orig/src/tar.c
++++ xarchiver-0.5.4/src/tar.c
+@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 	switch (archive->type)
+ 	{
+ 		case XARCHIVETYPE_TAR:
+-		if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS))
++		if ( g_file_test (archive->path,G_FILE_TEST_EXISTS))
+ 			command = g_strconcat (tar, " ",
+ 									archive->add_recurse ? "" : "--no-recursion ",
+ 									archive->remove_files ? "--remove-files " : "",
+@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 		break;
+ 
+ 		case XARCHIVETYPE_TAR_BZ2:
+-		if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++		if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ 			xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ 		else
+ 			command = g_strconcat (tar, " ",
+@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 		break;
+ 
+ 		case XARCHIVETYPE_TAR_GZ:
+-		if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++		if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ 			xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ 		else
+ 			command = g_strconcat (tar, " ",
+@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 		break;
+ 		
+ 		case XARCHIVETYPE_TAR_LZMA:
+-		if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++		if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ 			xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ 		else
+ 			command = g_strconcat (tar, " ",
+@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 		break;
+ 		
+ 		case XARCHIVETYPE_TAR_XZ:
+-		if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++		if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ 			xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ 		else
+ 			command = g_strconcat (tar, " ",
+@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GStri
+ 		break;
+ 		
+ 		case XARCHIVETYPE_TAR_LZOP:
+-		if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) )
++		if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+ 			xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1);
+ 		else
+ 			command = g_strconcat (tar, " ",
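Review bot: The six `g_file_test (archive->path, ...)` checks in xa_tar_add now take the raw path, while the `g_strconcat (tar, " ", ...)` command strings that follow are still built for a shell and presumably keep using `archive->escaped_path`. Nothing at these sites records which form belongs to which consumer, and that confusion is what the changelog describes as the cause of the data loss. A short comment above the first case would guard against a regression, e.g. `/* filesystem APIs take archive->path; escaped_path is only for the shell command line */`. The same existence test is repeated in every tar case and could be computed once before the switch, `gboolean exists = g_file_test (archive->path, G_FILE_TEST_EXISTS);`, so a future edit cannot fix one branch and miss another. Uses of `escaped_path` with non-shell APIs elsewhere in the source are not visible here and deserve a grep; the function body starts and ends outside these hunks.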
diff -Nru xarchiver-0.5.4/debian/patches/series xarchiver-0.5.4/debian/patches/series
--- xarchiver-0.5.4/debian/patches/series	2016-05-15 00:05:35.000000000 +0200
+++ xarchiver-0.5.4/debian/patches/series	2017-06-02 10:29:41.000000000 +0200
@@ -1,3 +1,4 @@
 desktop-file.patch
 encrypted-7z-archives.patch
 cancel-extraction-crash.patch
+pass-unescaped-filenames-to-g_file_test.patch
