Control: tags -1 moreinfo On 2021-08-03 11:19:46 +0530, Nilesh Patra wrote: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: nilesh@debian.org, debian-med-packaging@lists.alioth.debian.org > > Please unblock package perm > > [ Reason ] > An autopkgtest was recently added to perm on its git repository, which > resulted in uncovering a buffer overflow. Here's the log: > > https://salsa.debian.org/med-team/perm/-/jobs/1788156 > > AIUI, this is a security issue and such issues are RC > > [ Impact ] > The users machine will contain a version of perm which can potentially > cause a buffer overflow > > [ Tests ] > Autopkgtests have been added for this release > > [ Risks ] > Perm is a leaf package, I do not see any risks > > [ Checklist ] > [x] all changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in testing > > [ Other info ] > Some stuff like installing docs in d/docs, or installing autopkgtests in > d/examples might look redundant, but they are needed to run tests in a > sane fashion. These changes are not too major, and are rather harmless. > > unblock perm/0.4.0-6 > diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog > --- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530 > +++ perm-0.4.0/debian/changelog 2021-08-03 00:31:10.000000000 +0530 
> @@ -1,3 +1,24 @@ > +perm (0.4.0-6) unstable; urgency=medium > + > + * Team Upload. > + [ Shruti Sridhar ] > + * d/tests/data: Add testdata > + * d/tests: Add autopkgtest > + * d/example: Install test data as example > + * d/docs: Install d/README.* and d/tests/run-unit-test > + as documents > + * d/p/hardening.patch: Add CPPFLAGS which helped detect > + buffer overflow > + * d/copyright: Test data has been written by Shruti, mentioning > + them in copyright for the same > + > + [ Nilesh Patra ] > + * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev > + instead of strncpy in order to fix buffer overflow > + * d/control: Add B-D on libbsd-dev > + > + -- Nilesh Patra <nilesh@debian.org> Tue, 03 Aug 2021 00:31:10 +0530 > + > perm (0.4.0-5) unstable; urgency=medium > > * Standards-Version: 4.5.1 (routine-update) > diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control > --- perm-0.4.0/debian/control 2020-11-24 14:40:20.000000000 +0530 > +++ perm-0.4.0/debian/control 2021-08-02 21:22:22.000000000 +0530 > @@ -3,7 +3,7 @@ > Uploaders: Andreas Tille <tille@debian.org> > Section: science > Priority: optional > -Build-Depends: debhelper-compat (= 13) > +Build-Depends: debhelper-compat (= 13), libbsd-dev > Standards-Version: 4.5.1 > Vcs-Browser: https://salsa.debian.org/med-team/perm > Vcs-Git: https://salsa.debian.org/med-team/perm.git > diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright > --- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530 > +++ perm-0.4.0/debian/copyright 2021-08-03 00:31:10.000000000 +0530 
> @@ -12,6 +12,10 @@ > 2014-2017 Andreas Tille <tille@debian.org> > License: Apache-2.0 > > +Files: debian/tests/data/* > +Copyright: Shruti Sridhar <shruti.sridhar99@gmail.com> > +License: Apache-2.0 > + > License: Apache-2.0 > Unless required by applicable law or agreed to in writing, software > distributed under the License is distributed on an "AS IS" BASIS, > diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs > --- perm-0.4.0/debian/docs 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/docs 2021-08-02 17:25:32.000000000 +0530 > @@ -0,0 +1,2 @@ > +debian/README* > +debian/tests/run-unit-test > \ No newline at end of file > diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples > --- perm-0.4.0/debian/examples 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/examples 2021-08-02 17:25:32.000000000 +0530 > @@ -0,0 +1 @@ > +debian/tests/data/* > \ No newline at end of file > diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch > --- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03 00:30:42.000000000 +0530 
> @@ -0,0 +1,42 @@ > +Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow > +Author: Nilesh Patra <nilesh@debian.org> > +Last-Update: 2021-08-03 > +--- a/makefile > ++++ b/makefile > +@@ -2,7 +2,7 @@ > + CC = g++ -O2 $(CFLAGS) > + > + TARGETS = perm > +-LIBS = -lm -lstdc++ > ++LIBS = -lm -lstdc++ -lbsd > + > + PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\ > + bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\ > +--- a/stdafx.h > ++++ b/stdafx.h > +@@ -12,6 +12,7 @@ > + #include <stdio.h> > + #include "time.h" > + #include "Filename.h" > ++#include <bsd/string.h> > + //#ifdef WIN32 > + #include "chdir.h" > + //#else > +@@ -174,14 +175,14 @@ > + return(true); > + } > + > +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize) > ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize) > + { > + if (caBuf == NULL) { > + ERR; > +- return(NULL); > ++ return(-1); > + } > + int iBufSizeMinus1 = iBufSize - 1; > +- char* returnV = strncpy(caBuf, str, iBufSizeMinus1); > ++ int returnV = strlcpy(caBuf, str, iBufSizeMinus1); The interesting thing about strlcpy is that you don't have to deal with this -1 nonsense and the explicit NUL-termination that follows. In fact, this patch now makes every buffer 1 byte smaller. strlcpy copies iBufSizeMinus1 - 1 characters in this case. Is that intended? I agree that this issue should be fixed, but I'm not sure if it is necessary to rush a fix now. Cheers > + if (iBufSizeMinus1 >= 0) { > + caBuf[iBufSizeMinus1] = '\0'; > + } else { > diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch > --- perm-0.4.0/debian/patches/hardening.patch 2020-11-24 14:40:20.000000000 +0530 > +++ perm-0.4.0/debian/patches/hardening.patch 2021-08-02 17:25:32.000000000 +0530 
> @@ -2,14 +2,14 @@ > Last-Update: Fri, 25 Apr 2014 18:39:38 +0200 > Description: Propagate hardening options > > ---- Source.orig/makefile > -+++ Source/makefile > -@@ -24,7 +24,7 @@ > +--- a/makefile > ++++ b/makefile > +@@ -24,7 +24,7 @@ install: all > > perm: $(PER_M) > make clean > - $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) > -+ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) > ++ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS) > #$(CC) -o $@ $(LIB_PATH) *.o $(LIBS) > > tar: clean > diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series > --- perm-0.4.0/debian/patches/series 2020-11-24 14:40:20.000000000 +0530 > +++ perm-0.4.0/debian/patches/series 2021-08-02 21:46:09.000000000 +0530 > @@ -2,3 +2,4 @@ > hardening.patch > spelling.patch > gcc7.patch > +fix-buffer-overflow.patch > diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test > --- perm-0.4.0/debian/README.test 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/README.test 2021-08-02 17:25:32.000000000 +0530 > @@ -0,0 +1,14 @@ > +Notes on how this package can be tested. > +──────────────────────────────────────── > + > +This package can be tested by running the provided test: > + > + sh run-unit-test > + > +in order to confirm its integrity. > + > +Notes on the files used for testing > +──────────────────────────────────────── > +Files: debian/tests/data/* > + > +The Ref.fasta and Reads.fasta file were written for testing this package. > \ No newline at end of file > diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control > --- perm-0.4.0/debian/tests/control 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/tests/control 2021-08-02 17:25:32.000000000 +0530 
> @@ -0,0 +1,3 @@ > +Tests: run-unit-test > +Depends: @ > +Restrictions: allow-stderr > diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta > --- perm-0.4.0/debian/tests/data/Reads.fasta 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/tests/data/Reads.fasta 2021-08-02 17:25:32.000000000 +0530 > @@ -0,0 +1,2 @@ > +>reads > +ATGCGCATCGACATGACATACGACATCA > \ No newline at end of file > diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta > --- perm-0.4.0/debian/tests/data/Ref.fasta 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/tests/data/Ref.fasta 2021-08-02 17:25:32.000000000 +0530 > @@ -0,0 +1,2 @@ > +>ref > +ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA > \ No newline at end of file > diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test > --- perm-0.4.0/debian/tests/run-unit-test 1970-01-01 05:30:00.000000000 +0530 > +++ perm-0.4.0/debian/tests/run-unit-test 2021-08-03 00:31:10.000000000 +0530 > @@ -0,0 +1,18 @@ > +#!/bin/bash > +set -e > + > +pkg=perm > + > +export LC_ALL=C.UTF-8 > +if [ "${AUTOPKGTEST_TMP}" = "" ] ; then > + AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX) > + trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM > +fi > + > +cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}" > + > +cd "${AUTOPKGTEST_TMP}" > + > +perm Ref.fasta Reads.fasta -v 100 -A -o out.sam > +[ -s "out.sam" ] || exit 1 > +echo "PASS test" -- Sebastian Ramacher
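Review bot: in the myStrCpy hunk of fix-buffer-overflow.patch, `strlcpy(caBuf, str, iBufSizeMinus1)` passes the size minus one, but strlcpy already reserves room for the terminator within the size it is given, so it now copies at most iBufSize - 2 characters and the `caBuf[iBufSizeMinus1] = '\0'` that follows is redundant; pass iBufSize and drop the post-copy termination. Two more points in the same hunk: the `if (iBufSizeMinus1 >= 0)` check still runs after the copy, so a zero iBufSize becomes a huge size_t before it is validated and the check belongs above the call; and because strlcpy returns the length of the source rather than a pointer, the changed signature (`char*` to `int`, `return(NULL)` to `return(-1)`) affects every caller, while a comparison of returnV against iBufSize would be the natural truncation check, which the patch does not add.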
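Review bot: in the hardening.patch hunk, appending `$(CPPFLAGS)` after `$(LIBS) $(LDFLAGS)` on the link line only works because `$(PER_M)` lists .cpp sources that are compiled and linked in that single g++ invocation; if the makefile ever switches to separate object files, the preprocessor flags the changelog credits with detecting the overflow would silently stop applying. Place CPPFLAGS before the sources, and note that `CC = g++ -O2 $(CFLAGS)` already carries CFLAGS, so `$(CC) -o $@ $(CFLAGS)` passes them twice.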
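Review bot: the new debian/docs and debian/examples files both end with `\ No newline at end of file`; add the trailing newline so the last entry is not dropped by tools that read line by line.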
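Review bot: in the README.test hunk, "The Ref.fasta and Reads.fasta file were written" should read "files were written", and this file also lacks a trailing newline.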
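Review bot: the run-unit-test hunk only asserts that out.sam is non-empty (`[ -s "out.sam" ] || exit 1`), so a run that writes a header and then stops would still pass; since this test exists to catch the overflow, also check the output content, for example that a SAM record for the `reads` query from Reads.fasta is present, and rely on `set -e` to fail the test on a non-zero exit from perm.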