Your message dated Sun, 23 Oct 2016 23:32:14 +0000
with message-id <e1bysfs-0002ag...@franck.debian.org>
and subject line Bug#841783: fixed in patchutils 0.3.4-2
has caused the Debian Bug report #841783,
regarding patchutils: please make the build reproducible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
841783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: patchutils
Version: 0.3.4-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi!

While working on the "reproducible builds" effort [1], we have noticed
that patchutils could not be built reproducibly.
It does not use CFLAGS provided by dpkg-buildflags for building, which
would set -fdebug-prefix-map to prevent the full build path from being
included in debugging symbols.

The attached patch fixes that by using dpkg-buildflags for setting CFLAGS.
Due to -Werror=format-security, which is then also set by dpkg-buildflags,
the build failed because of a format string issue.
A patch for this is also included.

Regards,
 Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds
diff --git a/debian/patches/format_string b/debian/patches/format_string
new file mode 100644
index 0000000..f38677e
--- /dev/null
+++ b/debian/patches/format_string
@@ -0,0 +1,27 @@
+Author: Reiner Herrmann <rei...@reiner-h.de>
+Description: don't pass error message directly as format string to error()
+ Build fails with -Werror=format-security enabled, because no constant string
+ is passed as error string.
+ Passing a string based on user input (regex) directly as format string is
+ a security issue.
+
+--- a/src/filterdiff.c
++++ b/src/filterdiff.c
+@@ -1355,7 +1355,7 @@
+ 			char errstr[300];
+ 			regerror (err, &regex[num_regex - 1], errstr,
+ 				  sizeof (errstr));
+-			error (EXIT_FAILURE, 0, errstr);
++			error (EXIT_FAILURE, 0, "%s", errstr);
+ 			exit (1);
+ 		}
+ 	}
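Review bot: in both call sites the `exit (1);` that follows `error (EXIT_FAILURE, 0, "%s", errstr);` is unreachable, since error() calls exit() with its first argument whenever that argument is non-zero; since the patch touches this line anyway, either drop the redundant `exit (1);` or pass 0 as error()'s status and keep the explicit exit, so the exit code is set in one obvious place.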
+@@ -1613,7 +1613,7 @@
+ 			char errstr[300];
+ 			regerror (err, &regex[num_regex - 1], errstr,
+ 				  sizeof (errstr));
+-			error (EXIT_FAILURE, 0, errstr);
++			error (EXIT_FAILURE, 0, "%s", errstr);
+ 			exit (1);
+ 		}
+ 	}
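Review bot: the Description's statement that "a string based on user input (regex)" reaches the format string is stronger than what the code shows: errstr is filled by regerror(), and on glibc that text comes from a fixed table of messages ("Unmatched ( or \(" and so on) that never includes the pattern itself, so the practical exposure here is low. The fix is still the right one, because the compiler cannot know that and -Werror=format-security rejects any non-literal format with no arguments; consider wording the Description as "the format argument is not a string literal, which -Werror=format-security rejects", and since both hunks make the identical change, a single sentence covers both.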
diff --git a/debian/patches/series b/debian/patches/series
index 72dc30c..a584743 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 espdiff.6
 posixness_fix
+format_string
diff --git a/debian/rules b/debian/rules
index 5717bca..18a29ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ else
 CONFFLAGS = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
 endif
 
-CFLAGS = -g
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
 
 ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 CFLAGS += -O2
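Review bot: with CFLAGS now taken from dpkg-buildflags, the `CFLAGS += -O2` inside the `ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))` block that follows is redundant and can go: dpkg-buildflags already emits `-g -O2`, and `-O0` instead when DEB_BUILD_OPTIONS contains noopt. Only CFLAGS is imported, though; CPPFLAGS (where -D_FORTIFY_SOURCE=2 lives) and LDFLAGS (-Wl,-z,relro) are not, so the hardening flags are only half applied unless configure is also given `CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)` and `LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)`, or the rules file switches to dh_auto_configure, which exports all of them. The -fdebug-prefix-map the report relies on is emitted by the fixdebugpath feature of dpkg-buildflags' reproducible area, which is on by default in current dpkg-dev, so no further change is needed for that part.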

Attachment: signature.asc
Description: PGP signature


--- End Message ---
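As an added example, not code from patchutils or from the report above, the following C program reproduces the pattern the patch fixes: a regerror() message passed straight to a printf-style function as its format string, next to the "%s" form that -Werror=format-security accepts. The function names format_unsafe, format_safe and regex_error_message are mine, the message text is constructed, and the regerror wording is assumed to be glibc's. The unsafe call goes through a function pointer only so the file still compiles on toolchains that enable -Werror=format-security by default; a direct `snprintf(out, n, msg)` is exactly what that option rejects.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix shape: the message is used as the format string.  The function
 * pointer hides the non-literal format from the compiler's diagnostic
 * (for demonstration only); the behaviour is identical to calling
 * snprintf(out, n, msg) directly. */
int format_unsafe(char *out, size_t n, const char *msg)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, n, msg);
}

/* Post-fix shape: literal format, message passed as data. */
int format_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Mirrors the filterdiff error path: compile a pattern and, on failure,
 * convert the regcomp status into text with regerror() into a fixed-size
 * buffer.  Returns the regcomp status, 0 on success. */
int regex_error_message(const char *pattern, char *errstr, size_t n)
{
    regex_t re;
    int err = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    if (err != 0) {
        regerror(err, &re, errstr, n);
        return err;
    }
    errstr[0] = '\0';
    regfree(&re);
    return 0;
}

int main(void)
{
    char out[300];
    /* Constructed message containing a conversion sequence, as a path or
     * a percentage might. */
    const char *msg = "50%% of hunks matched";

    format_unsafe(out, sizeof out, msg);
    printf("unsafe: %s\n", out);   /* the %% is interpreted: "50% of hunks matched" */
    format_safe(out, sizeof out, msg);
    printf("safe:   %s\n", out);   /* printed verbatim: "50%% of hunks matched" */

    /* Same buffer size the filterdiff code uses. */
    char errstr[300];
    int err = regex_error_message("(", errstr, sizeof errstr);
    if (err != 0) {
        /* The fixed form of the call in filterdiff.c. */
        fprintf(stderr, "%s\n", errstr);
    }
    return 0;
}
```

The two outputs differ only because the message contains a percent sign; a message carrying `%n` or `%s` under the unsafe form would instead read or write through arguments that were never passed, which is why the compiler refuses the non-literal form outright rather than trying to judge the message's contents.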
--- Begin Message ---
Source: patchutils
Source-Version: 0.3.4-2

We believe that the bug you reported is fixed in the latest version of
patchutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patchutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Oct 2016 15:36:30 +0200
Source: patchutils
Binary: patchutils
Architecture: source amd64
Version: 0.3.4-2
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patchutils - Utilities to work with patches
Closes: 794592 841783
Changes:
 patchutils (0.3.4-2) unstable; urgency=low
 .
   * Add gawk to Build-Depends.
   * Update Standards-Version to 3.9.8 .
 .
   [ Reiner Herrmann <rei...@reiner-h.de> ]
   * Make the build reproducible (closes: #841783).
   * Add patch for don't pass error message directly as format string to
     error().
 .
   [ Niels Thykier <ni...@thykier.net> ]
   * Use dh_auto_configure instead of direct call of configure.
   * Drop the "cross-build" guard around the test.
 .
   [ Helmut Grohne <hel...@subdivi.de> ]
   * Drop rpm from Build-Depends as gendiff tests work without gendiff now
     (closes: #794592).
Checksums-Sha1:
 5ad3e2474ff3a4b5f9b10779d966f6263f88a289 1876 patchutils_0.3.4-2.dsc
 4a3abadb1847d9c7064703debc210bd6ee0ba6f1 6540 patchutils_0.3.4-2.debian.tar.xz
 8d9aff367aec86681974e9b86faba0594041779f 125068 patchutils-dbgsym_0.3.4-2_amd64.deb
 0ab32cb8d6390bb2039370e272e8f546ac0f93f6 90436 patchutils_0.3.4-2_amd64.deb
Checksums-Sha256:
 985510e61acd180722dc614495df1e04619d28d9c4c4606614e9df6f6aae7fe8 1876 patchutils_0.3.4-2.dsc
 6e00ab9afae706816657e62c89a405f2ae4110cbe8fac8a2db134a904abd00cc 6540 patchutils_0.3.4-2.debian.tar.xz
 1c5d88b6716ebd2cc380250f86de5d26f75e795e8b545a289a50587573b8b04f 125068 patchutils-dbgsym_0.3.4-2_amd64.deb
 245ca64d31ec65a330ce28f77c0428c82b2cadb78c14434abe984a44f5fa3526 90436 patchutils_0.3.4-2_amd64.deb
Files:
 fd0be19689db0a5adca22ce318f65ff2 1876 text optional patchutils_0.3.4-2.dsc
 8a4a485696b5ff711c842ebf8a16eaf6 6540 text optional patchutils_0.3.4-2.debian.tar.xz
 e047fb85c290ea588718850a291e616a 125068 debug extra patchutils-dbgsym_0.3.4-2_amd64.deb
 082053897187417f4893f1a2c82c7e72 90436 text optional patchutils_0.3.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
