Your message dated Sun, 23 Oct 2016 23:32:14 +0000 with message-id <e1bysfs-0002ag...@franck.debian.org> and subject line Bug#841783: fixed in patchutils 0.3.4-2 has caused the Debian Bug report #841783, regarding patchutils: please make the build reproducible to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
841783: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841783
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: patchutils
Version: 0.3.4-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi!

While working on the "reproducible builds" effort [1], we have noticed that patchutils could not be built reproducibly. It does not use CFLAGS provided by dpkg-buildflags for building, which would set -fdebug-prefix-map to prevent the full build path from being included in debugging symbols.

The attached patch fixes that by using dpkg-buildflags for setting CFLAGS. Due to -Werror=format-security, which is then also set by dpkg-buildflags, the build failed because of a format string issue. A patch for this is also included.

Regards,
Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds

diff --git a/debian/patches/format_string b/debian/patches/format_string new file mode 100644 index 0000000..f38677e --- /dev/null +++ b/debian/patches/format_string @@ -0,0 +1,27 @@ +Author: Reiner Herrmann <rei...@reiner-h.de> +Description: don't pass error message directly as format string to error() + Build fails with -Werror=format-security enabled, because no constant string + is passed as error string. + Passing a string based on user input (regex) directly as format string is + a security issue. + +--- a/src/filterdiff.c ++++ b/src/filterdiff.c +@@ -1355,7 +1355,7 @@ + char errstr[300]; + regerror (err, ®ex[num_regex - 1], errstr, + sizeof (errstr)); +- error (EXIT_FAILURE, 0, errstr); ++ error (EXIT_FAILURE, 0, "%s", errstr); + exit (1); + } + } +@@ -1613,7 +1613,7 @@ + char errstr[300]; + regerror (err, ®ex[num_regex - 1], errstr, + sizeof (errstr)); +- error (EXIT_FAILURE, 0, errstr); ++ error (EXIT_FAILURE, 0, "%s", errstr); + exit (1); + } + } diff --git a/debian/patches/series b/debian/patches/series index 72dc30c..a584743 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ espdiff.6 posixness_fix +format_string 
diff --git a/debian/rules b/debian/rules index 5717bca..18a29ea 100755 --- a/debian/rules +++ b/debian/rules @@ -13,7 +13,7 @@ else CONFFLAGS = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) endif -CFLAGS = -g +CFLAGS = $(shell dpkg-buildflags --get CFLAGS) ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) CFLAGS += -O2
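Review bot: In both src/filterdiff.c hunks (@@ -1355 and @@ -1613) the context line exit (1); that follows error (EXIT_FAILURE, 0, "%s", errstr); is unreachable, because error() with a non-zero status already terminates the process; it could be dropped while these lines are being touched. The same block is duplicated at the two call sites, so a small helper that takes the regcomp error code would keep the "%s" form in one place. The patch header has only Author and Description; a DEP-3 Forwarded field would record whether the fix has been sent upstream.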
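Review bot: The debian/rules hunk takes only CFLAGS from dpkg-buildflags, so unless CPPFLAGS and LDFLAGS are set elsewhere in the file, the fortify and relro hardening flags that dpkg-buildflags supplies through those two variables still do not reach the build. Consider adding CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) and LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS), or including /usr/share/dpkg/buildflags.mk. The ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) block that appends -O2 also becomes redundant, since dpkg-buildflags already selects the optimisation level from DEB_BUILD_OPTIONS.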
--- End Message ---
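The format-string fix from the patch above, shown as an added C example that is not code from patchutils or from the bug report. report(), compile_filter() and emit_diag() are hypothetical names, and report() stands in for glibc's error() so that the formatted result can be inspected.

```c
#include <regex.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for glibc error(): printf-style, writes to a buffer. */
__attribute__((format(printf, 3, 4)))
static int report(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Compile a user-supplied pattern. On failure, build a diagnostic that quotes
 * the pattern next to the regerror() text. Returns the regcomp() result. */
int compile_filter(const char *pattern, char *diag, size_t diaglen)
{
    regex_t re;
    char errstr[300];
    int err = regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB);
    diag[0] = '\0';
    if (err == 0) {
        regfree(&re);
        return 0;
    }
    regerror(err, &re, errstr, sizeof errstr);
    /* User input appears only as an argument, never as the format. */
    report(diag, diaglen, "bad pattern '%s': %s", pattern, errstr);
    return err;
}

/* Patched form of the call. The pre-patch form, report(out, outlen, diag),
 * would let any '%' sequence inside diag be parsed as a conversion. */
int emit_diag(const char *diag, char *out, size_t outlen)
{
    return report(out, outlen, "%s", diag);
}

int main(void)
{
    char diag[512], out[512];
    /* Constructed input: unterminated bracket expression carrying '%' text. */
    if (compile_filter("[%s%n", diag, sizeof diag) && emit_diag(diag, out, sizeof out) > 0)
        puts(out);
    return 0;
}
```

Building with -Wformat -Werror=format-security, as dpkg-buildflags does, rejects the pre-patch call shape at compile time.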
--- Begin Message ---
Source: patchutils
Source-Version: 0.3.4-2

We believe that the bug you reported is fixed in the latest version of patchutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 841...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patchutils package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Oct 2016 15:36:30 +0200
Source: patchutils
Binary: patchutils
Architecture: source amd64
Version: 0.3.4-2
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patchutils - Utilities to work with patches
Closes: 794592 841783
Changes:
 patchutils (0.3.4-2) unstable; urgency=low
 .
   * Add gawk to Build-Depends.
   * Update Standards-Version to 3.9.8 .
 .
   [ Reiner Herrmann <rei...@reiner-h.de> ]
   * Make the build reproducible (closes: #841783).
   * Add patch for don't pass error message directly as format string to
     error().
 .
   [ Niels Thykier <ni...@thykier.net> ]
   * Use dh_auto_configure instead of direct call of configure.
   * Drop the "cross-build" guard around the test.
 .
   [ Helmut Grohne <hel...@subdivi.de> ]
   * Drop rpm from Build-Depends as gendiff tests work without gendiff now
     (closes: #794592).
--- End Message ---