[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#991841: unblock: perm/0.4.0-6

Control: tags -1 moreinfo

On 2021-08-03 11:19:46 +0530, Nilesh Patra wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: nilesh@debian.org, debian-med-packaging@lists.alioth.debian.org
> 
> Please unblock package perm
> 
> [ Reason ]
> An autopkgtest was recently added to perm on its git repository, which
> resulted in uncovering a buffer overflow. Here's the log:
> 
> https://salsa.debian.org/med-team/perm/-/jobs/1788156
> 
> AIUI, this is a security issue and such issues are RC
> 
> [ Impact ]
> The users machine will contain a version of perm which can potentially
> cause a buffer overflow
> 
> [ Tests ]
> Autopkgtests have been added for this release
> 
> [ Risks ]
> Perm is a leaf package, I do not see any risks
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> Some stuff like installing docs in d/docs, or installing autopkgtests in
> d/examples might look redundant, but they are needed to run tests in a
> sane fashion. These changes are not too major, and are rather harmless.
> 
> unblock perm/0.4.0-6

> diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
> --- perm-0.4.0/debian/changelog	2020-11-24 14:40:20.000000000 +0530
> +++ perm-0.4.0/debian/changelog	2021-08-03 00:31:10.000000000 +0530
> @@ -1,3 +1,24 @@
> +perm (0.4.0-6) unstable; urgency=medium
> +
> +  * Team Upload.
> +  [ Shruti Sridhar ]
> +  * d/tests/data: Add testdata
> +  * d/tests: Add autopkgtest
> +  * d/example: Install test data as example
> +  * d/docs: Install d/README.* and d/tests/run-unit-test
> +    as documents
> +  * d/p/hardening.patch: Add CPPFLAGS which helped detect
> +    buffer overflow
> +  * d/copyright: Test data has been written by Shruti, mentioning
> +    them in copyright for the same
> +
> +  [ Nilesh Patra ]
> +  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
> +    instead of strncpy in order to fix buffer overflow
> +  * d/control: Add B-D on libbsd-dev
> +
> + -- Nilesh Patra <nilesh@debian.org>  Tue, 03 Aug 2021 00:31:10 +0530
> +
>  perm (0.4.0-5) unstable; urgency=medium
>  
>    * Standards-Version: 4.5.1 (routine-update)
> diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
> --- perm-0.4.0/debian/control	2020-11-24 14:40:20.000000000 +0530
> +++ perm-0.4.0/debian/control	2021-08-02 21:22:22.000000000 +0530
> @@ -3,7 +3,7 @@
>  Uploaders: Andreas Tille <tille@debian.org>
>  Section: science
>  Priority: optional
> -Build-Depends: debhelper-compat (= 13)
> +Build-Depends: debhelper-compat (= 13), libbsd-dev
>  Standards-Version: 4.5.1
>  Vcs-Browser: https://salsa.debian.org/med-team/perm
>  Vcs-Git: https://salsa.debian.org/med-team/perm.git
> diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
> --- perm-0.4.0/debian/copyright	2020-11-24 14:40:20.000000000 +0530
> +++ perm-0.4.0/debian/copyright	2021-08-03 00:31:10.000000000 +0530
> @@ -12,6 +12,10 @@
>                 2014-2017 Andreas Tille <tille@debian.org>
>  License: Apache-2.0
>  
> +Files: debian/tests/data/*
> +Copyright: Shruti Sridhar <shruti.sridhar99@gmail.com>
> +License: Apache-2.0
> +
>  License: Apache-2.0
>   Unless required by applicable law or agreed to in writing, software
>   distributed under the License is distributed on an "AS IS" BASIS,
> diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
> --- perm-0.4.0/debian/docs	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/docs	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1,2 @@
> +debian/README*
> +debian/tests/run-unit-test
> \ No newline at end of file
> diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
> --- perm-0.4.0/debian/examples	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/examples	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1 @@
> +debian/tests/data/*
> \ No newline at end of file
> diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch
> --- perm-0.4.0/debian/patches/fix-buffer-overflow.patch	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch	2021-08-03 00:30:42.000000000 +0530
> @@ -0,0 +1,42 @@
> +Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow
> +Author: Nilesh Patra <nilesh@debian.org>
> +Last-Update: 2021-08-03
> +--- a/makefile
> ++++ b/makefile
> +@@ -2,7 +2,7 @@
> + CC = g++ -O2 $(CFLAGS)
> + 
> + TARGETS = perm
> +-LIBS = -lm -lstdc++ 
> ++LIBS = -lm -lstdc++ -lbsd 
> +  
> + PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\
> + bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\
> +--- a/stdafx.h
> ++++ b/stdafx.h
> +@@ -12,6 +12,7 @@
> + #include <stdio.h>
> + #include "time.h"
> + #include "Filename.h"
> ++#include <bsd/string.h>
> + //#ifdef WIN32
> + #include "chdir.h"
> + //#else
> +@@ -174,14 +175,14 @@
> +     return(true);
> + }
> + 
> +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
> ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
> + {
> +     if (caBuf == NULL) {
> +         ERR;
> +-        return(NULL);
> ++        return(-1);
> +     }
> +     int iBufSizeMinus1 = iBufSize - 1;
> +-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
> ++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);

The interesting thing about strlcpy is that you don't have to deal with
this -1 nonsense and the explicit NUL-termination that follows. In fact,
this patch now makes every buffer 1 byte smaller. strlcpy copies
iBufSizeMinus1 - 1 characters in this case. Is that intended?

I agree that this issue should be fixed, but I'm not sure if it is
necessary to rush a fix now.

Cheers

> +     if (iBufSizeMinus1 >= 0) {
> +         caBuf[iBufSizeMinus1] = '\0';
> +     } else {
> diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch
> --- perm-0.4.0/debian/patches/hardening.patch	2020-11-24 14:40:20.000000000 +0530
> +++ perm-0.4.0/debian/patches/hardening.patch	2021-08-02 17:25:32.000000000 +0530
> @@ -2,14 +2,14 @@
>  Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
>  Description: Propagate hardening options
>  
> ---- Source.orig/makefile
> -+++ Source/makefile
> -@@ -24,7 +24,7 @@
> +--- a/makefile
> ++++ b/makefile
> +@@ -24,7 +24,7 @@ install:	all
>   
>   perm:	$(PER_M)
>   	make clean
>  -	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
> -+	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
> ++	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS)
>   	#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
>   
>   tar:	clean
> diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
> --- perm-0.4.0/debian/patches/series	2020-11-24 14:40:20.000000000 +0530
> +++ perm-0.4.0/debian/patches/series	2021-08-02 21:46:09.000000000 +0530
> @@ -2,3 +2,4 @@
>  hardening.patch
>  spelling.patch
>  gcc7.patch
> +fix-buffer-overflow.patch
> diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
> --- perm-0.4.0/debian/README.test	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/README.test	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1,14 @@
> +Notes on how this package can be tested.
> +────────────────────────────────────────
> +
> +This package can be tested by running the provided test:
> +
> +    sh run-unit-test
> +
> +in order to confirm its integrity.
> +
> +Notes on the files used for testing 
> +────────────────────────────────────────
> +Files: debian/tests/data/*
> +
> +The Ref.fasta and Reads.fasta file were written for testing this package. 
> \ No newline at end of file
> diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
> --- perm-0.4.0/debian/tests/control	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/tests/control	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1,3 @@
> +Tests: run-unit-test
> +Depends: @
> +Restrictions: allow-stderr
> diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta
> --- perm-0.4.0/debian/tests/data/Reads.fasta	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/tests/data/Reads.fasta	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1,2 @@
> +>reads
> +ATGCGCATCGACATGACATACGACATCA
> \ No newline at end of file
> diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta
> --- perm-0.4.0/debian/tests/data/Ref.fasta	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/tests/data/Ref.fasta	2021-08-02 17:25:32.000000000 +0530
> @@ -0,0 +1,2 @@
> +>ref
> +ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
> \ No newline at end of file
> diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test
> --- perm-0.4.0/debian/tests/run-unit-test	1970-01-01 05:30:00.000000000 +0530
> +++ perm-0.4.0/debian/tests/run-unit-test	2021-08-03 00:31:10.000000000 +0530
> @@ -0,0 +1,18 @@
> +#!/bin/bash
> +set -e
> +
> +pkg=perm
> +
> +export LC_ALL=C.UTF-8
> +if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
> +  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
> +  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
> +fi
> +
> +cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
> +
> +cd "${AUTOPKGTEST_TMP}"
> +
> +perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
> +[ -s "out.sam" ] || exit 1
> +echo "PASS test"


-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature

Reply to: