Bug#991841: unblock: perm/0.4.0-6

[Nilesh Patra <nilesh@debian.org>]

control: retitle -1 perm/0.4.0-7

On Tue, 3 Aug 2021 09:39:04 +0200 Sebastian Ramacher <sramacher@debian.org> wrote:
>> Control: tags -1 moreinfo
>> +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
>> ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
>> + {
>> +     if (caBuf == NULL) {
>> +         ERR;
>> +-        return(NULL);
>> ++        return(-1);
>> +     }
>> +     int iBufSizeMinus1 = iBufSize - 1;
>> +-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
>> ++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);

> The interesting thing about strlcpy is that you don't have to deal with
> this -1 nonsense and the explicit NUL-termination that follows. In fact,
> this patch now makes every buffer 1 byte smaller. strlcpy copies
> iBufSizeMinus1 - 1 characters in this case. Is that intended?

Aw, crap, no. I got sloppy here. I just did another upload on top of it, to
copy right buffer length, retitled accordingly.
Hopefully this should be fine now.
The debdiff is also attached w/ the version in testing

> I agree that this issue should be fixed, but I'm not sure if it is
> necessary to rush a fix now.

IMO, if this fixed is not merged now, I'll have to push it to next
stable point release, creating more work for everyone, and also passing
in this seemingly RC bug to the first release.
Being a leaf package with a relatively low popcon score, I think it is
not going to do a lot of damage, and I think it
would be really really great if you consider to let this in now, than later.
Upstream is not active, and I do not expect much from them.

Ofcourse, I agree that this creates some last minute noise+work for
the release team and I'm really
sorry about this -- it was discovered just yesterday, and I uploaded
after enough ACKs as soon as I found a relevant workaround.
But I'd be obliged if you consider to let this in.

Nilesh

diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog	2021-08-03 13:17:48.000000000 +0530
@@ -1,3 +1,31 @@
+perm (0.4.0-7) unstable; urgency=medium
+
+  * Team Upload.
+  * d/p/fix-buffer-overflow.patch: Do not reduce buffer size by 1
+
+ -- Nilesh Patra <nilesh@debian.org>  Tue, 03 Aug 2021 13:17:48 +0530
+
+perm (0.4.0-6) unstable; urgency=medium
+
+  * Team Upload.
+  [ Shruti Sridhar ]
+  * d/tests/data: Add testdata
+  * d/tests: Add autopkgtest
+  * d/example: Install test data as example
+  * d/docs: Install d/README.* and d/tests/run-unit-test
+    as documents
+  * d/p/hardening.patch: Add CPPFLAGS which helped detect
+    buffer overflow
+  * d/copyright: Test data has been written by Shruti, mentioning
+    them in copyright for the same
+
+  [ Nilesh Patra ]
+  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+    instead of strncpy in order to fix buffer overflow
+  * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <nilesh@debian.org>  Tue, 03 Aug 2021 00:31:10 +0530
+
 perm (0.4.0-5) unstable; urgency=medium
 
   * Standards-Version: 4.5.1 (routine-update)
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control	2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
 Uploaders: Andreas Tille <tille@debian.org>
 Section: science
 Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/med-team/perm
 Vcs-Git: https://salsa.debian.org/med-team/perm.git
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright	2021-08-03 00:41:56.000000000 +0530
@@ -12,6 +12,10 @@
                2014-2017 Andreas Tille <tille@debian.org>
 License: Apache-2.0
 
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <shruti.sridhar99@gmail.com>
+License: Apache-2.0
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch	2021-08-03 13:14:38.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow
+Author: Nilesh Patra <nilesh@debian.org>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+ 
+ TARGETS = perm
+-LIBS = -lm -lstdc++ 
++LIBS = -lm -lstdc++ -lbsd 
+  
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+     return(true);
+ }
+ 
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+     if (caBuf == NULL) {
+         ERR;
+-        return(NULL);
++        return(-1);
+     }
+     int iBufSizeMinus1 = iBufSize - 1;
+-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++    int returnV = strlcpy(caBuf, str, iBufSize);
+     if (iBufSizeMinus1 >= 0) {
+         caBuf[iBufSizeMinus1] = '\0';
+     } else {
diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/hardening.patch	2021-08-02 17:25:32.000000000 +0530
@@ -2,14 +2,14 @@
 Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
 Description: Propagate hardening options
 
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install:	all
  
  perm:	$(PER_M)
  	make clean
 -	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS)
  	#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
  
  tar:	clean
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series	2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
 hardening.patch
 spelling.patch
 gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+────────────────────────────────────────
+
+This package can be tested by running the provided test:
+
+    sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing 
+────────────────────────────────────────
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package. 
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/run-unit-test	2021-08-03 00:44:59.000000000 +0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
+[ -s "out.sam" ] || exit 1
+echo "PASS test"

Attachment: signature.asc
Description: PGP signature