On Fri, 26 Jul 2019 16:35:49 -0300, "Adam D. Barratt"
<adam@adam-barratt.org.uk> wrote:
> On 2019-07-13 15:52, Stephen Kitt wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
>
> I assumed you meant buster here and fixed that up.
Ah, yes, thanks!
> > Would it be possible to consider a stable update to gcab 1.2-3 (or its
> > equivalent as a stable upload)? It fixes a data corruption bug,
> > #913487; that’s the only change between 1.2-2, which is in Buster, and
> > 1.2-3, which is in Bullseye. The debdiff is as follows:
> >
> > diff -Nru gcab-1.2/debian/changelog gcab-1.2/debian/changelog
> > --- gcab-1.2/debian/changelog 2018-12-22 12:37:31.000000000 +0100
> > +++ gcab-1.2/debian/changelog 2019-07-06 10:18:07.000000000 +0200
> > @@ -1,3 +1,10 @@
> > +gcab (1.2-3) unstable; urgency=medium
>
> While this is probably fine, please could we have a debdiff versioned as
> 1.2-2+deb10u1 (or 1.2-3~deb10u1 if you prefer and it is exactly the same
> content as -3), using a changelog distribution of "buster" and built /
> prepared on buster?
Here goes:
diff -Nru gcab-1.2/debian/changelog gcab-1.2/debian/changelog
--- gcab-1.2/debian/changelog 2018-12-22 12:37:31.000000000 +0100
+++ gcab-1.2/debian/changelog 2019-08-23 21:30:08.000000000 +0200
@@ -1,3 +1,16 @@
+gcab (1.2-3~deb10u1) buster; urgency=medium
+
+ * Rebuild for Buster.
+
+ -- Stephen Kitt <skitt@debian.org> Fri, 23 Aug 2019 21:30:08 +0200
+
+gcab (1.2-3) unstable; urgency=medium
+
+ * Apply upstream patch to fix corruption when extracting.
+ Closes: #931487. LP: #1835589.
+
+ -- Stephen Kitt <skitt@debian.org> Sat, 06 Jul 2019 10:18:07 +0200
+
gcab (1.2-2) unstable; urgency=medium
* Avoid needing PATH_MAX, so we can build on Hurd. Closes: #888640;
diff -Nru gcab-1.2/debian/patches/overflow.patch gcab-1.2/debian/patches/overflow.patch
--- gcab-1.2/debian/patches/overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ gcab-1.2/debian/patches/overflow.patch 2019-07-06 10:16:47.000000000 +0200
@@ -0,0 +1,44 @@
+commit 5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
+Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Date: Fri Jan 11 19:42:40 2019 +0400
+
+ Revert "decomp: fix gcc warning strict-overflow"
+
+ The warning doesn't happen with current build-sys.
+
+ The overlapping behaviour is undefined with memcpy. memmove doesn't
+ have the same semantic either than the loop. Let's revert!
+
+ Fixes:
+ https://gitlab.gnome.org/GNOME/gcab/issues/12
+
+ This reverts commit e48074952743f53d8ac529d4debc421e7e0f6937.
+
+ Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+diff --git a/libgcab/decomp.c b/libgcab/decomp.c
+index 64d97f8..0c2b184 100644
+--- a/libgcab/decomp.c
++++ b/libgcab/decomp.c
+@@ -1015,9 +1015,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) {
+ window_posn += match_length;
+
+ /* copy match data - no worries about destination wraps */
+- memcpy(rundest, runsrc, match_length);
+- rundest += match_length;
+- runsrc += match_length;
++ while (match_length-- > 0) *rundest++ = *runsrc++;
+ }
+ }
+ break;
+@@ -1106,9 +1104,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) {
+ window_posn += match_length;
+
+ /* copy match data - no worries about destination wraps */
+- memcpy(rundest, runsrc, match_length);
+- rundest += match_length;
+- runsrc += match_length;
++ while (match_length-- > 0) *rundest++ = *runsrc++;
+ }
+ }
+ break;
diff -Nru gcab-1.2/debian/patches/series gcab-1.2/debian/patches/series
--- gcab-1.2/debian/patches/series 2018-12-22 12:37:31.000000000 +0100
+++ gcab-1.2/debian/patches/series 2019-07-06 10:17:15.000000000 +0200
@@ -2,3 +2,4 @@
zalloc_integer_overflow.patch
no-git-version.patch
do-not-use-path-max.patch
+overflow.patch
Regards,
Stephen
Attachment:
pgpYuuBfT5Xfm.pgp
Description: OpenPGP digital signature