Bug#932009: buster-pu: package gcab/1.2-3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
Would it be possible to consider a stable update to gcab 1.2-3 (or its
equivalent as a stable upload)? It fixes a data corruption bug,
#913487; that’s the only change between 1.2-2, which is in Buster, and
1.2-3, which is in Bullseye. The debdiff is as follows:
diff -Nru gcab-1.2/debian/changelog gcab-1.2/debian/changelog
--- gcab-1.2/debian/changelog 2018-12-22 12:37:31.000000000 +0100
+++ gcab-1.2/debian/changelog 2019-07-06 10:18:07.000000000 +0200
@@ -1,3 +1,10 @@
+gcab (1.2-3) unstable; urgency=medium
+
+ * Apply upstream patch to fix corruption when extracting.
+ Closes: #931487. LP: #1835589.
+
+ -- Stephen Kitt <skitt@debian.org> Sat, 06 Jul 2019 10:18:07 +0200
+
gcab (1.2-2) unstable; urgency=medium
* Avoid needing PATH_MAX, so we can build on Hurd. Closes: #888640;
diff -Nru gcab-1.2/debian/patches/overflow.patch gcab-1.2/debian/patches/overflow.patch
--- gcab-1.2/debian/patches/overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ gcab-1.2/debian/patches/overflow.patch 2019-07-06 10:16:47.000000000 +0200
@@ -0,0 +1,44 @@
+commit 5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
+Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Date: Fri Jan 11 19:42:40 2019 +0400
+
+ Revert "decomp: fix gcc warning strict-overflow"
+
+ The warning doesn't happen with current build-sys.
+
+ The overlapping behaviour is undefined with memcpy. memmove doesn't
+ have the same semantic either than the loop. Let's revert!
+
+ Fixes:
+ https://gitlab.gnome.org/GNOME/gcab/issues/12
+
+ This reverts commit e48074952743f53d8ac529d4debc421e7e0f6937.
+
+ Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+diff --git a/libgcab/decomp.c b/libgcab/decomp.c
+index 64d97f8..0c2b184 100644
+--- a/libgcab/decomp.c
++++ b/libgcab/decomp.c
+@@ -1015,9 +1015,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) {
+ window_posn += match_length;
+
+ /* copy match data - no worries about destination wraps */
+- memcpy(rundest, runsrc, match_length);
+- rundest += match_length;
+- runsrc += match_length;
++ while (match_length-- > 0) *rundest++ = *runsrc++;
+ }
+ }
+ break;
+@@ -1106,9 +1104,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) {
+ window_posn += match_length;
+
+ /* copy match data - no worries about destination wraps */
+- memcpy(rundest, runsrc, match_length);
+- rundest += match_length;
+- runsrc += match_length;
++ while (match_length-- > 0) *rundest++ = *runsrc++;
+ }
+ }
+ break;
diff -Nru gcab-1.2/debian/patches/series gcab-1.2/debian/patches/series
--- gcab-1.2/debian/patches/series 2018-12-22 12:34:22.000000000 +0100
+++ gcab-1.2/debian/patches/series 2019-07-06 10:17:15.000000000 +0200
@@ -2,3 +2,4 @@
zalloc_integer_overflow.patch
no-git-version.patch
do-not-use-path-max.patch
+overflow.patch
Regards,
Stephen
-- System Information:
Debian Release: 10.0
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to: