control: retitle -1 perm/0.4.0-7 On Tue, 3 Aug 2021 09:39:04 +0200 Sebastian Ramacher <sramacher@debian.org> wrote: >> Control: tags -1 moreinfo >> +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize) >> ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize) >> + { >> + if (caBuf == NULL) { >> + ERR; >> +- return(NULL); >> ++ return(-1); >> + } >> + int iBufSizeMinus1 = iBufSize - 1; >> +- char* returnV = strncpy(caBuf, str, iBufSizeMinus1); >> ++ int returnV = strlcpy(caBuf, str, iBufSizeMinus1); > The interesting thing about strlcpy is that you don't have to deal with > this -1 nonsense and the explicit NUL-termination that follows. In fact, > this patch now makes every buffer 1 byte smaller. strlcpy copies > iBufSizeMinus1 - 1 characters in this case. Is that intended? Aw, crap, no. I got sloppy here. I just did another upload on top of it, to copy right buffer length, retitled accordingly. Hopefully this should be fine now. The debdiff is also attached w/ the version in testing > I agree that this issue should be fixed, but I'm not sure if it is > necessary to rush a fix now. IMO, if this fixed is not merged now, I'll have to push it to next stable point release, creating more work for everyone, and also passing in this seemingly RC bug to the first release. Being a leaf package with a relatively low popcon score, I think it is not going to do a lot of damage, and I think it would be really really great if you consider to let this in now, than later. Upstream is not active, and I do not expect much from them. Ofcourse, I agree that this creates some last minute noise+work for the release team and I'm really sorry about this -- it was discovered just yesterday, and I uploaded after enough ACKs as soon as I found a relevant workaround. But I'd be obliged if you consider to let this in. Nilesh
diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog --- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530 +++ perm-0.4.0/debian/changelog 2021-08-03 13:17:48.000000000 +0530 @@ -1,3 +1,31 @@ +perm (0.4.0-7) unstable; urgency=medium + + * Team Upload. + * d/p/fix-buffer-overflow.patch: Do not reduce buffer size by 1 + + -- Nilesh Patra <nilesh@debian.org> Tue, 03 Aug 2021 13:17:48 +0530 + +perm (0.4.0-6) unstable; urgency=medium + + * Team Upload. + [ Shruti Sridhar ] + * d/tests/data: Add testdata + * d/tests: Add autopkgtest + * d/example: Install test data as example + * d/docs: Install d/README.* and d/tests/run-unit-test + as documents + * d/p/hardening.patch: Add CPPFLAGS which helped detect + buffer overflow + * d/copyright: Test data has been written by Shruti, mentioning + them in copyright for the same + + [ Nilesh Patra ] + * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev + instead of strncpy in order to fix buffer overflow + * d/control: Add B-D on libbsd-dev + + -- Nilesh Patra <nilesh@debian.org> Tue, 03 Aug 2021 00:31:10 +0530 + perm (0.4.0-5) unstable; urgency=medium * Standards-Version: 4.5.1 (routine-update) diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control --- perm-0.4.0/debian/control 2020-11-24 14:40:20.000000000 +0530 +++ perm-0.4.0/debian/control 2021-08-02 21:22:22.000000000 +0530 @@ -3,7 +3,7 @@ Uploaders: Andreas Tille <tille@debian.org> Section: science Priority: optional -Build-Depends: debhelper-compat (= 13) +Build-Depends: debhelper-compat (= 13), libbsd-dev Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/med-team/perm Vcs-Git: https://salsa.debian.org/med-team/perm.git diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright --- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530 +++ perm-0.4.0/debian/copyright 2021-08-03 00:41:56.000000000 +0530 @@ -12,6 +12,10 @@ 2014-2017 Andreas Tille <tille@debian.org> License: Apache-2.0 +Files: debian/tests/data/* +Copyright: Shruti Sridhar <shruti.sridhar99@gmail.com> +License: Apache-2.0 + License: Apache-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs --- perm-0.4.0/debian/docs 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/docs 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1,2 @@ +debian/README* +debian/tests/run-unit-test \ No newline at end of file diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples --- perm-0.4.0/debian/examples 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/examples 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1 @@ +debian/tests/data/* \ No newline at end of file diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch --- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03 13:14:38.000000000 +0530 @@ -0,0 +1,42 @@ +Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow +Author: Nilesh Patra <nilesh@debian.org> +Last-Update: 2021-08-03 +--- a/makefile ++++ b/makefile +@@ -2,7 +2,7 @@ + CC = g++ -O2 $(CFLAGS) + + TARGETS = perm +-LIBS = -lm -lstdc++ ++LIBS = -lm -lstdc++ -lbsd + + PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\ + bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\ +--- a/stdafx.h ++++ b/stdafx.h +@@ -12,6 +12,7 @@ + #include <stdio.h> + #include "time.h" + #include "Filename.h" ++#include <bsd/string.h> + //#ifdef WIN32 + #include "chdir.h" + //#else +@@ -174,14 +175,14 @@ + return(true); + } + +-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize) ++inline int myStrCpy(char* caBuf, const char* str, int iBufSize) + { + if (caBuf == NULL) { + ERR; +- return(NULL); ++ return(-1); + } + int iBufSizeMinus1 = iBufSize - 1; +- char* returnV = strncpy(caBuf, str, iBufSizeMinus1); ++ int returnV = strlcpy(caBuf, str, iBufSize); + if (iBufSizeMinus1 >= 0) { + caBuf[iBufSizeMinus1] = '\0'; + } else { diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch --- perm-0.4.0/debian/patches/hardening.patch 2020-11-24 14:40:20.000000000 +0530 +++ perm-0.4.0/debian/patches/hardening.patch 2021-08-02 17:25:32.000000000 +0530 @@ -2,14 +2,14 @@ Last-Update: Fri, 25 Apr 2014 18:39:38 +0200 Description: Propagate hardening options ---- Source.orig/makefile -+++ Source/makefile -@@ -24,7 +24,7 @@ +--- a/makefile ++++ b/makefile +@@ -24,7 +24,7 @@ install: all perm: $(PER_M) make clean - $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) -+ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) ++ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS) #$(CC) -o $@ $(LIB_PATH) *.o $(LIBS) tar: clean diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series --- perm-0.4.0/debian/patches/series 2020-11-24 14:40:20.000000000 +0530 +++ perm-0.4.0/debian/patches/series 2021-08-02 21:46:09.000000000 +0530 @@ -2,3 +2,4 @@ hardening.patch spelling.patch gcc7.patch +fix-buffer-overflow.patch diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test --- perm-0.4.0/debian/README.test 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/README.test 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1,14 @@ +Notes on how this package can be tested. +──────────────────────────────────────── + +This package can be tested by running the provided test: + + sh run-unit-test + +in order to confirm its integrity. + +Notes on the files used for testing +──────────────────────────────────────── +Files: debian/tests/data/* + +The Ref.fasta and Reads.fasta file were written for testing this package. \ No newline at end of file diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control --- perm-0.4.0/debian/tests/control 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/tests/control 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1,3 @@ +Tests: run-unit-test +Depends: @ +Restrictions: allow-stderr diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta --- perm-0.4.0/debian/tests/data/Reads.fasta 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/tests/data/Reads.fasta 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1,2 @@ +>reads +ATGCGCATCGACATGACATACGACATCA \ No newline at end of file diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta --- perm-0.4.0/debian/tests/data/Ref.fasta 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/tests/data/Ref.fasta 2021-08-02 17:25:32.000000000 +0530 @@ -0,0 +1,2 @@ +>ref +ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA \ No newline at end of file diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test --- perm-0.4.0/debian/tests/run-unit-test 1970-01-01 05:30:00.000000000 +0530 +++ perm-0.4.0/debian/tests/run-unit-test 2021-08-03 00:44:59.000000000 +0530 @@ -0,0 +1,18 @@ +#!/bin/bash +set -e + +pkg=perm + +export LC_ALL=C.UTF-8 +if [ "${AUTOPKGTEST_TMP}" = "" ] ; then + AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX) + trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM +fi + +cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}" + +cd "${AUTOPKGTEST_TMP}" + +perm Ref.fasta Reads.fasta -v 100 -A -o out.sam +[ -s "out.sam" ] || exit 1 +echo "PASS test"
Attachment:
signature.asc
Description: PGP signature