Your message dated Fri, 13 Jan 2017 13:03:45 +0000
with message-id <e1cs1wd-0008go...@fasolo.debian.org>
and subject line Bug#850879: fixed in datatables.js 1.10.13+dfsg-2
has caused the Debian Bug report #850879,
regarding datatables.js: Build uses static filenames in /tmp, does not catch errors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
850879: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850879
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: datatables.js
Version: 1.10.13+dfsg-1
Severity: normal
Tags: patch upstream

Dear Maintainer,

The build process for the datatables.js package uses static filenames
in /tmp/, among them /tmp/closure_error.log, which also does not get
removed.

This is at least bad style. Although symlink attacks on build systems
are not a very likely scenario, this still becomes a problem if
the files already exist but belong to another user, something that
happens if several users on the same host try to build that package:

|     JS compressing dataTables.bootstrap4.js
| cp: cannot create regular file '/tmp/dataTables.bootstrap4.js': Permission denied
| Can't remove /tmp/dataTables.bootstrap4.js: Operation not permitted, skipping file.
| rm: cannot remove '/tmp/closure_error.log': Operation not permitted
| include.sh: line 132: /tmp/closure_error.log: Permission denied
| rm: cannot remove '/tmp/dataTables.bootstrap4.js': Operation not permitted
|       File size: 0

The much worse thing: The build does *not* catch that situation. Instead,
the package is happily built with zero-sized files.

The patch attached adds the usage of a random temporary directory that
is cleaned up upon exit. Also the make.sh script now uses errexit. This
should catch all unexpected errors during execution.

According to diffoscope, the created binary packages are bitwise
identical.

Cheers,

    Christoph, do not apply as-is

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: unable to detect
Subject: Use a temporary directory to build, run the make.sh script under errexit. Closes: #-1
Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Bug-Debian: https://bugs.debian.org/-1

--- a/build/include.sh
+++ b/build/include.sh
@@ -5,6 +5,8 @@
 CLOSURE="/usr/share/java/closure-compiler.jar"
 JSHINT="/usr/bin/jshint"
 
+TMPDIR="$(mktemp --directory --tmpdir "jquery-datatables.$$.XXXXX")"
+trap "rm -rf \"$TMPDIR\"" EXIT
 
 # CSS styling frameworks that DataTables supports
 FRAMEWORKS=(
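Review bot: the new variable is named `TMPDIR`, which is also the environment variable that `mktemp --tmpdir` itself consults and that child processes such as `java` inherit; if `TMPDIR` was already exported in the build environment, this assignment silently re-points every later temporary-file user at the build's own scratch directory, and a second `mktemp --tmpdir` call would nest inside it. A distinct name (`BUILD_TMP`, say) avoids the collision. The assignment is also unguarded: if `mktemp` fails, `TMPDIR` is empty and the later `$TMPDIR/$FILE.js` paths collapse to `/$FILE.js`; errexit in the sourcing shell covers that only where errexit is actually on, so an explicit `[ -n "$TMPDIR" ] || exit 1` right after the assignment is the cheaper guarantee.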
@@ -125,23 +127,23 @@
 
 		# Closure Compiler doesn't support "important" comments so we add a
 		# @license jsdoc comment to the license block to preserve it
-		cp $DIR/$FILE.js /tmp/$FILE.js
-		perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" /tmp/$FILE.js
+		cp $DIR/$FILE.js $TMPDIR/$FILE.js
+		perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" $TMPDIR/$FILE.js
 
-		rm /tmp/closure_error.log
-		java -jar $CLOSURE --charset 'utf-8' --js /tmp/$FILE.js > /tmp/$FILE.min.js 2> /tmp/closure_error.log
+		rm $TMPDIR/closure_error.log || true
+		java -jar $CLOSURE --charset 'utf-8' --js $TMPDIR/$FILE.js > $TMPDIR/$FILE.min.js 2> $TMPDIR/closure_error.log
 
-		if [ -e /tmp/closure_error.log ]; then
+		if [ -e $TMPDIR/closure_error.log ]; then
 			if [ -z "$LOG" -o "$LOG" = "on" ]; then
-				cat /tmp/closure_error.log
+				cat $TMPDIR/closure_error.log
 			fi
 		fi
 
 		# And add the important comment back in
-		perl -i -0pe "s/^\/\*/\/*!/s" /tmp/$FILE.min.js
+		perl -i -0pe "s/^\/\*/\/*!/s" $TMPDIR/$FILE.min.js
 
-		mv /tmp/$FILE.min.js $DIR/$FILE.min.js
-		rm /tmp/$FILE.js
+		mv $TMPDIR/$FILE.min.js $DIR/$FILE.min.js
+		rm $TMPDIR/$FILE.js
 
 		echo_msg "  File size: $(ls -l $DIR/$FILE.min.js | awk -F" " '{ print $5 }')"
 	fi
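Review bot: `2> $TMPDIR/closure_error.log` creates the log on every run, so `[ -e $TMPDIR/closure_error.log ]` is always true and no longer tells whether Closure reported anything; `[ -s ... ]` (exists and non-empty) is the test that was presumably intended, and it also makes the preceding `rm ... || true` redundant, since the redirection truncates the file anyway. More important for the report's goal of catching errors: with `set -e` active in the calling make.sh, a non-zero exit from `java` aborts the script before the `cat` that would display the log, so the diagnostic is lost exactly when it is needed. Suggest `java -jar $CLOSURE ... || { cat "$TMPDIR/closure_error.log"; exit 1; }`. The `$TMPDIR` expansions are unquoted throughout; the mktemp template contains no spaces, but the parent directory comes from the environment.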
@@ -161,9 +163,10 @@
 	IFS='%'
 
 	cp $IN_FILE $IN_FILE.build
-	grep "_buildInclude('" $IN_FILE.build > /dev/null
+	CODE=0
+	grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$?
 
-	while [ $? -eq 0 ]; do
+	while [ $CODE -eq 0 ]; do
 		REQUIRE=$(grep "_buildInclude('" $IN_FILE.build | head -n 1)
 
 		SPACER=$(echo ${REQUIRE} | cut -d _ -f 1)
@@ -177,7 +180,7 @@
 
 		rm ${DIR}/${FILE}.build
 
-		grep "_buildInclude('" $IN_FILE.build > /dev/null
+		grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$?
 	done
 
 	mv $IN_FILE.build $OUT
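Review bot: `|| CODE=$?` keeps the loop condition alive under errexit, but it folds grep's two non-zero statuses together: 1 means no `_buildInclude('` is left (the normal way out of the loop), 2 means grep itself failed, for example because `$IN_FILE.build` is missing or unreadable. Under the errexit regime this patch introduces, the second case should stop the build rather than end the loop quietly; a check such as `[ "$CODE" -le 1 ] || exit 1` after the loop (or testing for `CODE -eq 2` at each grep) distinguishes them. The same applies to the identical loop in make.sh below.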
--- a/build/make.sh
+++ b/build/make.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 . include.sh
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
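Review bot: `set -e` is the right direction, but on its own it does not catch a failure in a non-final element of a pipeline; the `ls -l ... | awk` size report and `grep ... | head -n 1` in include.sh still yield the status of their last command. `set -e -o pipefail` closes that gap, and `set -u` would additionally flag an unset or empty variable (such as `TMPDIR`) being expanded into a path. Since include.sh is sourced rather than executed, its `trap ... EXIT` and the variables it sets land in this shell, which is what makes the cleanup work at all; a one-line comment here would keep a later refactor from silently dropping the trap.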
@@ -34,9 +36,11 @@
 	OLD_IFS=$IFS
 	IFS='%'
 	cp DataTables.js DataTables.js.build
-	grep "_buildInclude('" DataTables.js.build > /dev/null
+	CODE=0
+	grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$?
+	grep "_buildInclude('" DataTables.js.build >&2
 
-	while [ $? -eq 0 ]; do
+	while [ $CODE -eq 0 ]; do
 		REQUIRE=$(grep "_buildInclude('" DataTables.js.build | head -n 1)
 
 		SPACER=$(echo ${REQUIRE} | cut -d _ -f 1)
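Review bot: the added `grep "_buildInclude('" DataTables.js.build >&2` looks like leftover debugging output (it writes the matched lines to stderr and nothing consumes them), and it is unguarded: when the file contains no `_buildInclude('` directive grep exits 1 and, with `set -e` now on, the whole script terminates at this line instead of letting the loop run zero times. This is presumably part of what the report's own "do not apply as-is" remark refers to; drop the line, or append `|| true` if the output is really wanted.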
@@ -50,7 +54,7 @@
 
 		rm ${DIR}/${FILE}.build
 
-		grep "_buildInclude('" DataTables.js.build > /dev/null
+		grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$?
 	done
 
 	mv DataTables.js.build $OUT_FILE
@@ -70,7 +74,7 @@
 
 	js_compress $OUT_FILE
 
-	cp jquery.js $OUT_DIR
+	#cp jquery.js $OUT_DIR
 	cp integration/* $OUT_DIR
 
 	# Compress the integration files
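Review bot: commenting out `cp jquery.js $OUT_DIR` changes what the build ships and is unrelated to the /tmp handling the patch sets out to fix, and the change is not explained anywhere in the report or the patch header. If the reason is that `jquery.js` is absent from the dfsg source and the copy now fails under `set -e` (an assumption; the report does not say), a guarded copy such as `if [ -e jquery.js ]; then cp jquery.js "$OUT_DIR"; fi` keeps upstream behaviour where the file exists while still satisfying errexit. Either way the change needs a sentence in the patch description.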

Attachment: signature.asc
Description: Digital signature


--- End Message ---
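As an added example, not code from the datatables.js package, from the bug report's patch or from Debian, the following script shows the pattern the report describes (a private `mktemp` directory, a cleanup trap, errexit) together with the check the report says the build was missing: refusing to accept a zero-byte compressor result. `fake_compress` is a hypothetical stand-in for Closure Compiler, and every file name and sample input is constructed for the demonstration.

```shell
# Added example, not the datatables.js build scripts: the pattern the report's
# patch introduces (private mktemp directory, cleanup trap, errexit), plus the
# check that was missing, a refusal to accept a zero-byte compressor result.
set -eu

# One private scratch directory per run instead of fixed names under /tmp.
# mktemp creates it with mode 0700, so another user's leftover file of the
# same name can neither block the build nor be written by it.
BUILD_TMP="$(mktemp -d "${TMPDIR:-/tmp}/js-build.XXXXXX")"
trap 'rm -rf "$BUILD_TMP"' EXIT
mkdir -p "$BUILD_TMP/src" "$BUILD_TMP/out"

# Hypothetical stand-in for Closure Compiler: copies input to output, so an
# empty input reproduces the "File size: 0" outcome from the report.
fake_compress() {
    cat "$1"
}

# js_compress_safe SRC DEST
# Runs the compressor through the scratch directory, keeps its stderr in a
# log, and installs the result only if the compressor succeeded AND the
# output is non-empty. Returns 1 (and leaves no DEST behind) otherwise.
js_compress_safe() {
    local src="$1" dest="$2"
    local name work errlog
    name="$(basename "$src")"
    work="$BUILD_TMP/$name"
    errlog="$BUILD_TMP/$name.compress.log"
    cp "$src" "$work" || return 1
    # The redirection creates the log even on success, so test the exit
    # status (and show the log on failure) rather than the log's existence.
    if ! fake_compress "$work" > "$work.min" 2> "$errlog"; then
        echo "$name: compressor failed:" >&2
        cat "$errlog" >&2
        rm -f "$work" "$work.min"
        return 1
    fi
    # -s is true only for a file of size > 0: a zero-byte result is an error.
    if ! [ -s "$work.min" ]; then
        echo "$name: compressor produced an empty file, not installing it" >&2
        rm -f "$work" "$work.min"
        return 1
    fi
    mv "$work.min" "$dest"
    rm -f "$work" "$errlog"
    return 0
}

# file_size FILE: size in bytes, used by the demonstration below.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Demonstration on constructed inputs (not files from the package).
good="$BUILD_TMP/src/good.js"
empty="$BUILD_TMP/src/empty.js"
printf '/*! demo licence */\nfunction f(){return 1}\n' > "$good"
: > "$empty"
if js_compress_safe "$good" "$BUILD_TMP/out/good.min.js"; then
    echo "good.js: installed, $(file_size "$BUILD_TMP/out/good.min.js") bytes"
fi
if js_compress_safe "$empty" "$BUILD_TMP/out/empty.min.js"; then
    echo "empty.js: unexpectedly accepted"
else
    echo "empty.js: rejected, a real build would stop here"
fi
```

The script is POSIX sh; under bash, `set -eu -o pipefail` additionally makes a failing `grep | head` or `ls | awk` pipeline fatal. The `-s` test, not `-e`, is what turns the "File size: 0" situation in the report into a build failure, and because the scratch directory is created by `mktemp -d` with a fresh name and owner-only permissions, a stale file left by another user under the old fixed `/tmp/<name>` path can no longer interfere.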
--- Begin Message ---
Source: datatables.js
Source-Version: 1.10.13+dfsg-2

We believe that the bug you reported is fixed in the latest version of
datatables.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sascha Steinbiss <sa...@debian.org> (supplier of updated datatables.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 13 Jan 2017 12:40:37 +0000
Source: datatables.js
Binary: libjs-jquery-datatables
Architecture: source all
Version: 1.10.13+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Sascha Steinbiss <sa...@debian.org>
Description:
 libjs-jquery-datatables - jQuery plug-in that makes nice tables from different data sources
Closes: 850879
Changes:
 datatables.js (1.10.13+dfsg-2) unstable; urgency=medium
 .
   * Avoid use of static filenames in /tmp during build.
     Thanks to Christoph Biedl for the patch.
     Closes: #850879
Checksums-Sha1:
 2ecbd2dd8083b2663a094fd9dbc4b8dee8a4249b 2080 datatables.js_1.10.13+dfsg-2.dsc
 6f6c8222b4d87b3a526c3a464efb82167e28bd12 5444 datatables.js_1.10.13+dfsg-2.debian.tar.xz
 c7def4f5b885cfa4115f6223e772bcb577b26221 6499 datatables.js_1.10.13+dfsg-2_amd64.buildinfo
 2fb33f1c010dcd6cf61cff1e41cb9c8efdfd0df1 134990 libjs-jquery-datatables_1.10.13+dfsg-2_all.deb
Checksums-Sha256:
 761f27dac11fedd5b2b5f5258468a306bc1b8b49bbfcdd3d88e7b98434600529 2080 datatables.js_1.10.13+dfsg-2.dsc
 5f4f9e0642e394e3969d9ea6ba92609db8f16e6c14ad8397047ddcc751917dd0 5444 datatables.js_1.10.13+dfsg-2.debian.tar.xz
 4269374f700ba1fb63ed316cf50490c109011a4eca2917bd40126e722d373f93 6499 datatables.js_1.10.13+dfsg-2_amd64.buildinfo
 e2138395bd589931bef874d8946b5a75977ed948b590f77919029e7d0d322d7d 134990 libjs-jquery-datatables_1.10.13+dfsg-2_all.deb
Files:
 6c92e2c2282a2541cd51148c888373a6 2080 web optional datatables.js_1.10.13+dfsg-2.dsc
 76d8e48184e4f7dcd6d8b446d1aeea03 5444 web optional datatables.js_1.10.13+dfsg-2.debian.tar.xz
 b17c0f2af09f04e93c1647b6d399c7c3 6499 web optional datatables.js_1.10.13+dfsg-2_amd64.buildinfo
 dd9f868f879b795f8495a0bb03928df3 134990 web optional libjs-jquery-datatables_1.10.13+dfsg-2_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
