
Bug#710659: pu: package pristine-tar/1.25+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu


Hi,

The version of pristine-tar in jessie creates files which cannot be
used with the version of pristine-tar in wheezy. This means that wheezy users
cannot use a repository which stores an orig.tar.xz created with pristine-tar
on jessie to recreate the orig.tar.xz. This is bug #707820.

The newer version of pristine-xz specifies additional options to xz in the
pristine-tar file. These options are passed to xz when pristine-xz tries
to recreate the original file. To avoid potentially malicious pristine-xz
files, pristine-xz contains a whitelist of known options which are passed
through to xz. Files with other xz options are not accepted. The attached
patch adds the options used by the newer version to the whitelist for
pristine-xz in wheezy.

These options are on the whitelist for pristine-tar/1.28 (in jessie and sid).

With this patch, it is possible to recreate the orig.tar.xz on a wheezy
system.

Would this change be acceptable for wheezy?

Thanks in advance,

Ivo

diff -Nru pristine-tar-1.25/debian/changelog pristine-tar-1.25+deb7u1/debian/changelog
--- pristine-tar-1.25/debian/changelog	2012-06-12 17:45:51.000000000 +0200
+++ pristine-tar-1.25+deb7u1/debian/changelog	2013-06-01 12:22:54.000000000 +0200
@@ -1,3 +1,11 @@
+pristine-tar (1.25+deb7u1) wheezy; urgency=low
+
+  * Non-maintainer upload with maintainer approval.
+  * pristine-xz: Update list of allowed parameters for wheezy to support files
+    created with newer versions (in jessie and sid). Closes: #707820
+
+ -- Ivo De Decker <ivo.dedecker@ugent.be>  Sat, 01 Jun 2013 12:22:22 +0200
+
 pristine-tar (1.25) unstable; urgency=low
 
   * Remove unused fts.h include. Closes: #675367
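Review bot: The changelog line "Update list of allowed parameters for wheezy" does not say which parameters were added. Naming them in the entry (`--check=none`, `--check=crc64` and the `--block-list=` form) would let a stable-release reviewer match the entry against the pristine-xz change and see exactly how far the allow-list was widened.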
diff -Nru pristine-tar-1.25/pristine-xz pristine-tar-1.25+deb7u1/pristine-xz
--- pristine-tar-1.25/pristine-xz	2012-06-12 17:44:20.000000000 +0200
+++ pristine-tar-1.25+deb7u1/pristine-xz	2013-06-01 12:22:32.000000000 +0200
@@ -190,8 +190,11 @@
 
 		next if $param=~/^(-[0-9]e?)$/;
 		next if $param eq '-z';
+		next if $param eq '--check=none';
 		next if $param eq '--check=crc32';
+		next if $param eq '--check=crc64';
 		next if $param eq '--check=sha256';
+		next if $param=~/^(--block-list=[0-9,]+)$/;
 		die "paranoia check failed on params from delta (@params)";
 	}
 	@params=split(' ', $delta->{params});
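Review bot: The new `--block-list=[0-9,]+` pattern constrains the character set but not the shape or length of the value, so strings such as `--block-list=,,,` or a list of arbitrary length pass the paranoia check. The characters allowed are harmless on their own, but for a check whose purpose is to reject untrusted delta input it would be worth either bounding the length or, if the generating side only ever emits plain comma-separated numbers, tightening the value to `[0-9]+(?:,[0-9]+)*`. Separately, `$` in Perl also matches before a trailing newline; `\z` is the strict end-of-string anchor, though the existing `-[0-9]e?` line uses `$` as well, so that would be a change for the whole block rather than this line alone. A short comment above the added lines stating that they mirror the list in 1.28 would also help future readers.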
