Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdu...@packages.debian.org
Control: affects -1 + src:jdupes

[ Reason ]

jdupes is a fork of fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes in Debian is already fixed. A warning about
this bug was sent to me by the jdupes upstream (Jody Bruchon) via email
message.

The help option for jdupes says:

    -d --delete: prompt user for files to preserve and delete all others; [...]

Using the command 'jdupes -d .', a prompt will appear:

    Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only.
Setting '2-4', file 2 will be kept and files 3 and 4 will be deleted.
The sentence 'keep which files? (1 - 5' induces the users to use a range
and it is not valid. Currently, jdupes is not denying this behaviour and it
is generating a data loss.

[ Impact ]

If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]

Some manual tests have been done on jdupes with a patch created by the
upstream. I also tested fdupes to verify whether it would be necessary to
open a bug against this package. The current fdupes has no issues.

[ Risks ]

There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]

No more info.

diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog --- jdupes-1.21.3/debian/changelog 2023-02-20 06:51:57.000000000 -0300 +++ jdupes-1.21.3/debian/changelog 2023-11-08 11:24:57.000000000 -0300 @@ -1,3 +1,12 @@ +jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium + + * debian/patches/010_fix-data-loss.patch: created to avoid a potential data + loss caused by a wrong message that induces the users to use a range of + values with -d option. Currently, the -d option doesn't understand ranges. + (Closes: #1054237) + + -- Joao Eriberto Mota Filho <eribe...@debian.org> Wed, 08 Nov 2023 11:24:57 -0300 + jdupes (1.21.3-1) unstable; urgency=medium * New upstream version 1.21.3. diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch jdupes-1.21.3/debian/patches/010_fix-data-loss.patch --- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 1969-12-31 21:00:00.000000000 -0300 +++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 2023-11-08 11:24:57.000000000 -0300 
@@ -0,0 +1,78 @@ +Description: fix potential data loss + The help option for jdupes says: + -d --delete: prompt user for files to preserve and delete all + others; [...] + . + Using the command 'jdupes -d .', a prompt will appear: + Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all): + It is a mistake to set 2-4 because the jdupes considers one file + only. Setting '2-4', the file 2 will be kept and the files 3 and 4 + will be deleted. The sentence 'keep which files? (1 - 5' induces + the users to use a range and it is not valid. Currently, jdupes is + not denying this behaviour and it is generating a data loss. + . + This patch fixes this issue. +Author: Jody Bruchon <j...@jodybruchon.com> +Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85 +Bug-Debian: https://bugs.debian.org/1054237 +Last-Update: 2023-10-19 +Index: jdupes/act_deletefiles.c +=================================================================== +--- jdupes.orig/act_deletefiles.c ++++ jdupes/act_deletefiles.c +@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom + for (x = 2; x <= counter; x++) preserve[x] = 0; + } else do { + /* Prompt for files to preserve */ +- printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one", +- curgroup, groups, counter); ++ printf("Specify multiple files with commas like this: 1,2,4,6\n"); ++ printf("Set %u of %u: keep which files? 
(1 - %u, [a]ll, [n]one", curgroup, groups, counter); + #ifndef NO_HARDLINKS + printf(", [l]ink all"); + #endif +@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom + + for (x = 1; x <= counter; x++) preserve[x] = 0; + ++ /* Catch attempts to use invalid characters and block them */ ++ for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) { ++ switch (*pscheck) { ++ case ',': ++ case ' ': ++ case 'a': ++ case 'A': ++ case 's': ++ case 'S': ++ case 'l': ++ case 'L': ++ case 'n': ++ case 'N': ++ case '\n': ++ case '\0': ++ continue; ++ default: ++ break; ++ } ++ if (*pscheck >= '0' && *pscheck <= '9') continue; ++ if (*pscheck == '-') { ++ fprintf(stderr, "error: number ranges are not yet supported; taking no action\n"); ++ goto skip_deletion; ++ } ++ fprintf(stderr, "error: invalid character '%c' in preserve answer; taking no action\n", *pscheck); ++ goto skip_deletion; ++ } + token = strtok(preservestr, " ,\n"); + if (token != NULL) { + #if defined NO_HARDLINKS && defined NO_SYMLINKS +@@ -172,6 +199,10 @@ void deletefiles(file_t *files, int prom + number = 0; + sscanf(token, "%u", &number); + if (number > 0 && number <= counter) preserve[number] = 1; ++ else { ++ fprintf(stderr, "invalid number '%u' in preserve answer; taking no action\n", number); ++ goto skip_deletion; ++ } + + token = strtok(NULL, " ,\n"); + } diff -Nru jdupes-1.21.3/debian/patches/series jdupes-1.21.3/debian/patches/series --- jdupes-1.21.3/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ jdupes-1.21.3/debian/patches/series 2023-11-08 11:24:57.000000000 -0300 @@ -0,0 +1 @@ +010_fix-data-loss.patch
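
Review bot: In the act_deletefiles.c hunk at @@ -101,8 +101,8 @@, the prompt still prints "(1 - %u", which is the exact wording the patch description blames for leading users to type a range. The new hint line explains comma-separated input but never says that ranges are refused. Consider rewording the prompt to something like "(1 to %u" or extending the hint to state that ranges such as 2-4 are not accepted, so the user learns this before typing rather than from the error path.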
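
Review bot: In the hunk at @@ -139,6 +139,33 @@, the character check accepts the letters a, s, l and n at any position in the answer, so input that mixes digits and letters in one token (for example "2a") passes it, and what happens next depends on token handling that this hunk does not show. Validating each token after strtok, as either one action letter or a run of digits, would close that gap. The letters l and s are also accepted unconditionally, although the prompt only offers "[l]ink all" under #ifndef NO_HARDLINKS. The case '\0' label is unreachable, since the loop condition already stops at '\0', and can be dropped.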
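
Review bot: In the hunk at @@ -172,6 +199,10 @@, the new error prints number, which is set to 0 just before the sscanf call, so for any token sscanf cannot convert the message reads "invalid number '0'" instead of showing what the user typed. Printing token with %s would be more useful. The message also lacks the "error:" prefix used by the two messages added in the previous hunk. Separately, a digit string too large for unsigned int passes the character check and then reaches sscanf(token, "%u", &number), where an unrepresentable result is undefined behaviour in C. Using strtoul with an end-pointer and errno check before comparing against counter would make the bounds test reliable.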