Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to update xarchiver in Jessie. It was discovered that
data loss could occur when an archive name contained shell
metacharacters. [1]

Please find attached the debdiff.

Regards,

Markus


[1] https://bugs.debian.org/862593
diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog
--- xarchiver-0.5.4/debian/changelog    2016-05-15 00:05:35.000000000 +0200
+++ xarchiver-0.5.4/debian/changelog    2017-06-02 10:29:41.000000000 +0200
@@ -1,3 +1,15 @@
+xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium
+
+  [ Chris Lamb ]
+  * Fix data-loss issue where adding files to a tar-based archive removed all
+    existing content when the target filename included shell metacharacters.
+    The test to see whether it already existed to determine whether to create
+    a new archive or simply add a new file incorrectly used an escaped path.
+    Thanks to Nikolaus Rath for the report and Chris Lamb for the patch.
+    (Closes: #862593)
+
+ -- Markus Koschany <a...@debian.org>  Fri, 02 Jun 2017 10:29:41 +0200
+
 xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium
 
   * Add cancel-extraction-crash.patch.
diff -Nru 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch
--- 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch    
    2017-06-02 10:29:41.000000000 +0200
@@ -0,0 +1,61 @@
+Description: Pass unescaped filenames to g_file_test
+Author: Chris Lamb <la...@debian.org>
+Last-Update: 2017-05-19
+Debian-Bug: #862593
+
+--- xarchiver-0.5.4.orig/src/tar.c
++++ xarchiver-0.5.4/src/tar.c
+@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri
+       switch (archive->type)
+       {
+               case XARCHIVETYPE_TAR:
+-              if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS))
++              if ( g_file_test (archive->path,G_FILE_TEST_EXISTS))
+                       command = g_strconcat (tar, " ",
+                                                                       
archive->add_recurse ? "" : "--no-recursion ",
+                                                                       
archive->remove_files ? "--remove-files " : "",
+@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri
+               break;
+ 
+               case XARCHIVETYPE_TAR_BZ2:
+-              if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++              if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+                       xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+               else
+                       command = g_strconcat (tar, " ",
+@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri
+               break;
+ 
+               case XARCHIVETYPE_TAR_GZ:
+-              if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++              if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+                       xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+               else
+                       command = g_strconcat (tar, " ",
+@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri
+               break;
+               
+               case XARCHIVETYPE_TAR_LZMA:
+-              if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++              if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+                       xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+               else
+                       command = g_strconcat (tar, " ",
+@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri
+               break;
+               
+               case XARCHIVETYPE_TAR_XZ:
+-              if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++              if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+                       xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+               else
+                       command = g_strconcat (tar, " ",
+@@ -257,7 +257,7 @@ void xa_tar_add (XArchive *archive,GStri
+               break;
+               
+               case XARCHIVETYPE_TAR_LZOP:
+-              if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) 
)
++              if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) )
+                       xa_add_delete_bzip2_gzip_lzma_compressed_tar 
(files,archive,1);
+               else
+                       command = g_strconcat (tar, " ",
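Review bot: The corrected existence test is still repeated verbatim in all six `case` arms of `xa_tar_add` (TAR, TAR_BZ2, TAR_GZ, TAR_LZMA, TAR_XZ, TAR_LZOP), which is how one wrong field ended up in every arm. Evaluating it once before the `switch`, e.g. `gboolean archive_exists = g_file_test (archive->path, G_FILE_TEST_EXISTS);`, and testing `archive_exists` in each arm would leave a single place to get right. A short comment there would record the rule the fix relies on: `/* archive->path is for filesystem calls; archive->escaped_path is only for text placed in the shell command string */`. The rest of each `g_strconcat` call lies outside the hunks, so it cannot be confirmed from here that every path placed in the command string uses the escaped form; that is worth checking in the same review, along with any other filesystem call in the file that may still receive `escaped_path`. `xa_tar_add` begins and ends outside the visible hunks.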
diff -Nru xarchiver-0.5.4/debian/patches/series 
xarchiver-0.5.4/debian/patches/series
--- xarchiver-0.5.4/debian/patches/series       2016-05-15 00:05:35.000000000 
+0200
+++ xarchiver-0.5.4/debian/patches/series       2017-06-02 10:29:41.000000000 
+0200
@@ -1,3 +1,4 @@
 desktop-file.patch
 encrypted-7z-archives.patch
 cancel-extraction-crash.patch
+pass-unescaped-filenames-to-g_file_test.patch
