
Bug#991841: marked as done (unblock: perm/0.4.0-7)



Your message dated Wed, 04 Aug 2021 20:34:59 +0000
with message-id <E1mBNbP-0003O2-0Z@respighi.debian.org>
and subject line unblock perm
has caused the Debian Bug report #991841,
regarding unblock: perm/0.4.0-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991841
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: nilesh@debian.org, debian-med-packaging@lists.alioth.debian.org

Please unblock package perm

[ Reason ]
An autopkgtest was recently added to perm on its git repository, which
resulted in uncovering a buffer overflow. Here's the log:

https://salsa.debian.org/med-team/perm/-/jobs/1788156

AIUI, this is a security issue and such issues are RC

[ Impact ]
The user's machine will contain a version of perm which can potentially
cause a buffer overflow

[ Tests ]
Autopkgtests have been added for this release

[ Risks ]
Perm is a leaf package; I do not see any risks

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Some stuff like installing docs in d/docs, or installing autopkgtests in
d/examples might look redundant, but they are needed to run tests in a
sane fashion. These changes are not too major, and are rather harmless.

unblock perm/0.4.0-6
diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog	2021-08-03 00:31:10.000000000 +0530
@@ -1,3 +1,24 @@
+perm (0.4.0-6) unstable; urgency=medium
+
+  * Team Upload.
+  [ Shruti Sridhar ]
+  * d/tests/data: Add testdata
+  * d/tests: Add autopkgtest
+  * d/example: Install test data as example
+  * d/docs: Install d/README.* and d/tests/run-unit-test
+    as documents
+  * d/p/hardening.patch: Add CPPFLAGS which helped detect
+    buffer overflow
+  * d/copyright: Test data has been written by Shruti, mentioning
+    them in copyright for the same
+
+  [ Nilesh Patra ]
+  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+    instead of strncpy in order to fix buffer overflow
+  * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <nilesh@debian.org>  Tue, 03 Aug 2021 00:31:10 +0530
+
 perm (0.4.0-5) unstable; urgency=medium
 
   * Standards-Version: 4.5.1 (routine-update)
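Review bot: the new changelog entry is for 0.4.0-6, but the bug title and the "marked as done" header refer to perm/0.4.0-7, and the request line above the debdiff also says 0.4.0-6. The debdiff should match the version actually being unblocked, or the mail should say which later upload superseded this one.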
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control	2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
 Uploaders: Andreas Tille <tille@debian.org>
 Section: science
 Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/med-team/perm
 Vcs-Git: https://salsa.debian.org/med-team/perm.git
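Review bot: libbsd-dev is the right build dependency for <bsd/string.h> on this release's glibc (2.31 in bullseye has no strlcpy; glibc only added it in 2.38). The binary package now needs libbsd0 at runtime because the makefile links with -lbsd; that should come through ${shlibs:Depends}, so check the built package's Depends field rather than assuming it.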
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright	2021-08-03 00:31:10.000000000 +0530
@@ -12,6 +12,10 @@
                2014-2017 Andreas Tille <tille@debian.org>
 License: Apache-2.0
 
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <shruti.sridhar99@gmail.com>
+License: Apache-2.0
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
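Review bot: the new d/docs file has no trailing newline (the diff marks it); add one. Installing debian/tests/run-unit-test under /usr/share/doc/perm is what makes the `sh run-unit-test` instruction in README.test work, but README.test does not say where the script is installed, so the two should be kept consistent.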
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
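Review bot: same missing trailing newline here. The glob installs the FASTA test data into /usr/share/doc/perm/examples/, which is the path run-unit-test copies from, so the two agree; the examples directory is part of the package's interface to the test now and should not be renamed without updating the script.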
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch	2021-08-03 00:30:42.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow
+Author: Nilesh Patra <nilesh@debian.org>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+ 
+ TARGETS = perm
+-LIBS = -lm -lstdc++ 
++LIBS = -lm -lstdc++ -lbsd 
+  
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+     return(true);
+ }
+ 
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+     if (caBuf == NULL) {
+         ERR;
+-        return(NULL);
++        return(-1);
+     }
+     int iBufSizeMinus1 = iBufSize - 1;
+-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);
+     if (iBufSizeMinus1 >= 0) {
+         caBuf[iBufSizeMinus1] = '\0';
+     } else {
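Review bot: in the myStrCpy hunk the bound passed to strlcpy is off by one and the size check still comes after the copy. strlcpy takes the full destination size and always NUL-terminates when that size is non-zero, so `strlcpy(caBuf, str, iBufSizeMinus1)` copies at most iBufSize-2 characters and the following `caBuf[iBufSizeMinus1] = '\0'` is redundant; pass iBufSize instead. More importantly, the `if (iBufSizeMinus1 >= 0)` test runs after the call: with iBufSize <= 0 the negative int converts to a very large size_t and strlcpy, exactly like the strncpy it replaces, copies without any bound. Move that check above the call and return -1 there. Also note that swapping strncpy for strlcpy with the same bound cannot fix the case where a caller passes an iBufSize larger than the real destination; the fortified strncpy that CPPFLAGS enables traps on that, plain strlcpy will not, so the CI log should be checked for which call site it flagged. Finally, strlcpy returns size_t (the length of str), so `returnV >= iBufSize` is the truncation signal; the new int return value could carry that instead of being ignored.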
diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/hardening.patch	2021-08-02 17:25:32.000000000 +0530
@@ -2,14 +2,14 @@
 Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
 Description: Propagate hardening options
 
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install:	all
  
  perm:	$(PER_M)
  	make clean
 -	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS)
  	#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
  
  tar:	clean
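Review bot: appending $(CPPFLAGS) after the sources works only because this single command both compiles the .cpp files listed in $(PER_M) and links them, and g++ applies -D options such as Debian's -D_FORTIFY_SOURCE=2 regardless of their position; the conventional place is before the sources, next to $(CFLAGS). Since these are C++ sources, $(CXXFLAGS) is the variable dpkg-buildflags intends for them, and $(CFLAGS) already appears twice (inside CC and on this line), which is pre-existing but worth tidying while this line is being touched.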
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series	2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
 hardening.patch
 spelling.patch
 gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+────────────────────────────────────────
+
+This package can be tested by running the provided test:
+
+    sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing 
+────────────────────────────────────────
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package. 
\ No newline at end of file
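Review bot: README.test tells the reader to run `sh run-unit-test` but not where the script and its data live after installation (/usr/share/doc/perm/run-unit-test, reading /usr/share/doc/perm/examples/); a line saying so would save a search. Minor: the "Notes on the files used for testing" heading has trailing whitespace, "The Ref.fasta and Reads.fasta file were" should read "files were", and the file lacks a trailing newline.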
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/run-unit-test	2021-08-03 00:31:10.000000000 +0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
+[ -s "out.sam" ] || exit 1
+echo "PASS test"
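Review bot: `[ -s "out.sam" ] || exit 1` only checks that the output is non-empty, which a SAM header alone satisfies, so the test would still pass if perm produced no alignment records. The crash that motivated this upload is caught anyway, because `set -e` aborts on a non-zero exit from perm, but a grep for at least one non-header line (or for the read name) would make the assertion meaningful. Minor: the perm invocation line has trailing whitespace.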

--- End Message ---
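The copying contract behind the patch above, written out as an added example in plain C. This is not code from the perm package or from the Debian patch; it reimplements strlcpy's semantics (bounded_copy) so it runs without libbsd, and wraps it in a function shaped like perm's myStrCpy(caBuf, str, iBufSize) with the size check done before the copy. It also shows what the patch's actual call, strlcpy with iBufSize-1 followed by a manual terminator, yields, and the strncpy pitfall that motivated the change. All function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* strlcpy semantics, reimplemented so the example needs no libbsd:
 * copy at most size-1 bytes, always NUL-terminate when size > 0,
 * and return strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hypothetical replacement for perm's myStrCpy: signed size as in the
 * original, but checked BEFORE anything is written. Returns -1 on a
 * NULL pointer or non-positive size, 1 if the copy was truncated,
 * 0 if the whole string fit. */
int safe_copy(char *buf, const char *str, int buf_size)
{
    if (buf == NULL || str == NULL || buf_size <= 0)
        return -1;   /* a negative int must never reach a size_t parameter */
    size_t needed = bounded_copy(buf, str, (size_t)buf_size);
    return needed >= (size_t)buf_size ? 1 : 0;
}

/* What the patch's call sequence does: strlcpy with size-1, then a
 * manual terminator at buf[size-1]. Memory-safe for size >= 2, but it
 * gives up one usable byte. Returns the number of characters kept. */
size_t copy_like_patch(char *buf, const char *str, int buf_size)
{
    if (buf_size <= 1)
        return 0;                       /* guard the example itself */
    bounded_copy(buf, str, (size_t)buf_size - 1);
    buf[buf_size - 1] = '\0';
    return strlen(buf);
}

/* The pitfall the original strncpy() code had to work around: strncpy
 * writes no terminator when src fills the bound. Returns 1 if the
 * destination is unterminated within the bound, 0 if terminated,
 * -1 if the bound exceeds the local buffer. */
int strncpy_leaves_unterminated(const char *src, size_t bound)
{
    char dst[16];
    if (bound > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, bound);
    return memchr(dst, '\0', bound) == NULL ? 1 : 0;
}

int main(void)
{
    char buf[8];
    int rc = safe_copy(buf, "0123456789", (int)sizeof buf);   /* truncated to "0123456" */
    (void)copy_like_patch(buf, "0123456789", (int)sizeof buf); /* keeps only "012345" */
    return rc == 1 ? 0 : 1;
}
```

With an 8-byte destination, safe_copy keeps seven characters and reports truncation, whereas the patch's size-1 form keeps six; passing the full size to strlcpy and dropping the manual terminator gives the former without the extra write.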
--- Begin Message ---
Unblocked.

--- End Message ---
