Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdu...@packages.debian.org
Control: affects -1 + src:jdupes

[ Reason ]
jdupes is a fork of fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes in Debian is already fixed. A warning about this
bug was sent to me by the jdupes upstream (Jody Bruchon) via email.

The help option for jdupes says:
  -d --delete: prompt user for files to preserve and delete all
               others; [...]

Using the command 'jdupes -d .', a prompt will appear:

  Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only. When setting
'2-4', file 2 will be kept and files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces users to use a range, which is
not valid. Currently, jdupes is not denying this behaviour and it is causing
data loss.

[ Impact ]
If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]
Some manual tests have been done over jdupes with a patch created by the
upstream. I also tested fdupes to verify if it would be necessary to open a bug
against this package. The current fdupes has no issues.

[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog      2023-02-20 06:51:57.000000000 -0300
+++ jdupes-1.21.3/debian/changelog      2023-11-08 11:24:57.000000000 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+    loss caused by a wrong message that induces the users to use a range of
+    values with -d option. Currently, the -d option doesn't understand ranges.
+    (Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho <eribe...@debian.org>  Wed, 08 Nov 2023 11:24:57 
-0300
+
 jdupes (1.21.3-1) unstable; urgency=medium
 
   * New upstream version 1.21.3.
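Review bot: the changelog entry attributes the fix only to "a wrong message", while 010_fix-data-loss.patch also rejects '-' and other invalid characters and skips the deletion. Mention the added input checks so the entry matches what the patch does.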
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 
jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch        1969-12-31 
21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch        2023-11-08 
11:24:57.000000000 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+             The help option for jdupes says:
+               -d --delete: prompt user for files to preserve and delete all
+                            others; [...]
+             .
+             Using the command 'jdupes -d .', a prompt will appear:
+               Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink 
all, [s]ymlink all):
+             It is a mistake to set 2-4 because the jdupes considers one file
+             only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+             will be deleted. The sentence 'keep which files? (1 - 5' induces
+             the users to use a range and it is not valid. Currently, jdupes is
+             not denying this behaviour and it is generating a data loss.
+             .
+             This patch fixes this issue.
+Author: Jody Bruchon <j...@jodybruchon.com>
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===================================================================
+--- jdupes.orig/act_deletefiles.c
++++ jdupes/act_deletefiles.c
+@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom
+         for (x = 2; x <= counter; x++) preserve[x] = 0;
+       } else do {
+         /* Prompt for files to preserve */
+-        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
+-          curgroup, groups, counter);
++        printf("Specify multiple files with commas like this: 1,2,4,6\n");
++        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one", 
curgroup, groups, counter);
+ #ifndef NO_HARDLINKS
+        printf(", [l]ink all");
+ #endif
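Review bot: the second added printf still prints "(1 - %u", which is the wording the patch description says leads users to type a range; only a hint line about commas is added in front of it. Consider changing the range wording itself, for example "1 to %u", so the prompt no longer looks like range syntax. The hint printf also sits inside the "} else do {" body, so it is printed again each time the loop prompts.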
+@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom
+ 
+         for (x = 1; x <= counter; x++) preserve[x] = 0;
+ 
++      /* Catch attempts to use invalid characters and block them */
++        for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) {
++          switch (*pscheck) {
++            case ',':
++            case ' ':
++            case 'a':
++            case 'A':
++            case 's':
++            case 'S':
++            case 'l':
++            case 'L':
++            case 'n':
++            case 'N':
++            case '\n':
++            case '\0':
++              continue;
++          default:
++            break;
++        }
++          if (*pscheck >= '0' && *pscheck <= '9') continue;
++          if (*pscheck == '-') {
++            fprintf(stderr, "error: number ranges are not yet supported; 
taking no action\n");
++          goto skip_deletion;
++        }
++          fprintf(stderr, "error: invalid character '%c' in preserve answer; 
taking no action\n", *pscheck);
++        goto skip_deletion;
++        }
+         token = strtok(preservestr, " ,\n");
+         if (token != NULL) {
+ #if defined NO_HARDLINKS && defined NO_SYMLINKS
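Review bot: "goto skip_deletion" is used twice in this hunk but the label is not in the visible context, so for this stable backport confirm that deletefiles() in 1.21.3 has it and that reaching it leaves every file in the set untouched. In the switch, "case '\0':" can never match because the for condition already stops at '\0', and the "default: break;" followed by separate digit and '-' tests, together with the uneven indentation of the closing braces and goto lines, makes the control flow hard to follow; folding those tests into the switch would be clearer. The letter cases are accepted at any position, so an answer such as "2a" passes this filter.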
+@@ -172,6 +199,10 @@ void deletefiles(file_t *files, int prom
+           number = 0;
+           sscanf(token, "%u", &number);
+           if (number > 0 && number <= counter) preserve[number] = 1;
++          else {
++            fprintf(stderr, "invalid number '%u' in preserve answer; taking 
no action\n", number);
++            goto skip_deletion;
++        }
+ 
+           token = strtok(NULL, " ,\n");
+         }
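Review bot: the new else branch prints "number" with %u, but "number" is reset to 0 just before the sscanf and the sscanf return value is not checked, so a token that does not parse is reported as "invalid number '0'" instead of what the user typed. Print "token" with %s instead, and add the "error:" prefix used by the two messages in the previous hunk so the diagnostics are consistent.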
diff -Nru jdupes-1.21.3/debian/patches/series 
jdupes-1.21.3/debian/patches/series
--- jdupes-1.21.3/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/series 2023-11-08 11:24:57.000000000 -0300
@@ -0,0 +1 @@
+010_fix-data-loss.patch
