Your message dated Sun, 07 Jul 2019 07:40:09 +0000
with message-id <[email protected]>
and subject line Bug#931487: fixed in gcab 1.2-3
has caused the Debian Bug report #931487,
regarding libgcab-1.0-0: corrupts extracted data
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931487: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931487
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgcab-1.0-0
Version: 1.2-2
Severity: normal
Tags: patch

Dear Maintainer,

libgcab has an overflow bug which causes corruption when extracting
files; see https://gitlab.gnome.org/GNOME/gcab/issues/12 for details
and an example.

https://gitlab.gnome.org/GNOME/gcab/commit/5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
fixes this.

Regards,

Stephen


-- System Information:
Debian Release: 9.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 
'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), 
(1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgcab-1.0-0 depends on:
ii  libc6         2.24-11+deb9u4
ii  libglib2.0-0  2.50.3-2
ii  zlib1g        1:1.2.8.dfsg-5

libgcab-1.0-0 recommends no packages.

libgcab-1.0-0 suggests no packages.

-- no debconf information
commit 5619f4cd2ca3108c8dea17ba656b5ce44a60ca29
Author: Marc-AndrĂ© Lureau <[email protected]>
Date:   Fri Jan 11 19:42:40 2019 +0400

    Revert "decomp: fix gcc warning strict-overflow"
    
    The warning doesn't happen with current build-sys.
    
    The overlapping behaviour is undefined with memcpy. memmove doesn't
    have the same semantic either than the loop. Let's revert!
    
    Fixes:
    https://gitlab.gnome.org/GNOME/gcab/issues/12
    
    This reverts commit e48074952743f53d8ac529d4debc421e7e0f6937.
    
    Signed-off-by: Marc-AndrĂ© Lureau <[email protected]>

diff --git a/libgcab/decomp.c b/libgcab/decomp.c
index 64d97f8..0c2b184 100644
--- a/libgcab/decomp.c
+++ b/libgcab/decomp.c
@@ -1015,9 +1015,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state 
*decomp_state) {
             window_posn += match_length;
 
             /* copy match data - no worries about destination wraps */
-            memcpy(rundest, runsrc, match_length);
-            rundest += match_length;
-            runsrc += match_length;
+            while (match_length-- > 0) *rundest++ = *runsrc++;
           }
         }
         break;
@@ -1106,9 +1104,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state 
*decomp_state) {
             window_posn += match_length;
 
             /* copy match data - no worries about destination wraps */
-            memcpy(rundest, runsrc, match_length);
-            rundest += match_length;
-            runsrc += match_length;
+            while (match_length-- > 0) *rundest++ = *runsrc++;
           }
         }
         break;

--- End Message ---
--- Begin Message ---
Source: gcab
Source-Version: 1.2-3

We believe that the bug you reported is fixed in the latest version of
gcab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <[email protected]> (supplier of updated gcab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Jul 2019 10:18:07 +0200
Source: gcab
Binary: gcab libgcab-1.0-0 libgcab-dev libgcab-doc gir1.2-gcab-1.0
Architecture: source
Version: 1.2-3
Distribution: unstable
Urgency: medium
Maintainer: Stephen Kitt <[email protected]>
Changed-By: Stephen Kitt <[email protected]>
Description:
 gcab       - Microsoft Cabinet file manipulation tool
 gir1.2-gcab-1.0 - Microsoft Cabinet file manipulation library - gir bindings
 libgcab-1.0-0 - Microsoft Cabinet file manipulation library
 libgcab-dev - Microsoft Cabinet file manipulation library - development files
 libgcab-doc - Microsoft Cabinet file manipulation library - documentation
Closes: 931487
Changes:
 gcab (1.2-3) unstable; urgency=medium
 .
   * Apply upstream patch to fix corruption when extracting.
     Closes: #931487. LP: #1835589.
Checksums-Sha1:
 bd4e56aaedbaaeea2c72ace9d5135323caa02b45 2105 gcab_1.2-3.dsc
 c06c3134f58a88f2dd534e61c61f1debfb62040c 6064 gcab_1.2-3.debian.tar.xz
 c4731a15ddf15ebedd36f26465c41bb2f874817d 9448 gcab_1.2-3_source.buildinfo
Checksums-Sha256:
 de7f881a5729f41bee07f74620e950a1f6aa38774e9fcedc07875c9aaecff190 2105 
gcab_1.2-3.dsc
 eab2c39cc05db5595f2d8717d82c7c12fd762dd646bf6448a760d6f4bd939f3d 6064 
gcab_1.2-3.debian.tar.xz
 f5a734684bb54406cbc6e85b9d1cd9d95d11fc9aabcb5f2c0147932780860629 9448 
gcab_1.2-3_source.buildinfo
Files:
 351713f2cc45a05691385c640e55e944 2105 utils optional gcab_1.2-3.dsc
 a52947c0c0f3df9d6081488b68690b5d 6064 utils optional gcab_1.2-3.debian.tar.xz
 2eeda45b7129481ed247de8442820a87 9448 utils optional 
gcab_1.2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEnPVX/hPLkMoq7x0ggNMC9Yhtg5wFAl0gX7cACgkQgNMC9Yht
g5xx1hAAnh6UrkKX6slJ1RBxCKd8aY1m4HXmqXlYp/FJXXGQe5SzwK9ksTFPeSUi
ADtziVgTDL0pBp60EAz8VD/jr7l/0WDTeZTquFR5Ee460VFnktDErHNkQMPkAd54
PgxwnZ+g8xMa249cDLQHa47y0dL4S3d5CHarE7qUSmyeMxm024JdYm1U36buO3uK
1ZcdqKfhoDphUZdYDh1LFdoA/UNsSZr6edQZxieHsR6T8UvR2Fgb+pvOcHFaXney
mHQFw/hPVQzaDzjjIE5+SgM6/anJfy/ntpnIC408uW95oDriuotG6TYLpNp/llDm
O9ceK540V9Olf1XTT/QSWE3lCRnp3kB692x1SCzAuo+DTcXueLbb3q6opb6HoLyd
cR5IgWbyss/QN4w+WY7C6yUODckRvvZJLNNEEvCBtWgb9e2duZKoXmLQZl3aoeeA
CyROf5a9gVeqMjk+Jk3MbQt//DgAPkH4wboS8P81P6eEYdC93h4jOKNYLgAZQbki
3rqMtXFtwmC2i1dVhSU9ZDJa/iI+I7Sum4Fig10g/eUQhnExltyYJK5V1FhcQQTN
yB6MCTJnnKzsBa32HV3+6uLw2R4EXIP0uSU0d2701lDhj7BBx+pYZSvuO/SleYBD
L5GfaErSJwGW61jb6dVgSksmOKESStnTVpuG+I6JJbrMKZ8LdL8=
=1PMc
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to