Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I would like to update xarchiver in Jessie. It was discovered that data loss could occur when an archive name contained shell metacharacters. [1]

Please find attached the debdiff.

Regards,

Markus

[1] https://bugs.debian.org/862593

diff -Nru xarchiver-0.5.4/debian/changelog xarchiver-0.5.4/debian/changelog --- xarchiver-0.5.4/debian/changelog 2016-05-15 00:05:35.000000000 +0200 +++ xarchiver-0.5.4/debian/changelog 2017-06-02 10:29:41.000000000 +0200 @@ -1,3 +1,15 @@ +xarchiver (1:0.5.4-1+deb8u2) jessie; urgency=medium + + [ Chris Lamb ] + * Fix data-loss issue where adding files to a tar-based archive removed all + existing content when the target filename included shell metacharacters. + The test to see whether it already existed to determine whether to create + a new archive or simply add a new file incorrectly used an escaped path. + Thanks to Nikolaus Rath for the report and Chris Lamb for the patch. + (Closes: #862593) + + -- Markus Koschany <a...@debian.org> Fri, 02 Jun 2017 10:29:41 +0200 + xarchiver (1:0.5.4-1+deb8u1) jessie; urgency=medium * Add cancel-extraction-crash.patch. diff -Nru xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch --- xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 1970-01-01 01:00:00.000000000 +0100 +++ xarchiver-0.5.4/debian/patches/pass-unescaped-filenames-to-g_file_test.patch 2017-06-02 10:29:41.000000000 +0200 
@@ -0,0 +1,61 @@ +Description: Pass unescaped filenames to g_file_test +Author: Chris Lamb <la...@debian.org> +Last-Update: 2017-05-19 +Debian-Bug: #862593 + +--- xarchiver-0.5.4.orig/src/tar.c ++++ xarchiver-0.5.4/src/tar.c +@@ -197,7 +197,7 @@ void xa_tar_add (XArchive *archive,GStri + switch (archive->type) + { + case XARCHIVETYPE_TAR: +- if ( g_file_test (archive->escaped_path,G_FILE_TEST_EXISTS)) ++ if ( g_file_test (archive->path,G_FILE_TEST_EXISTS)) + command = g_strconcat (tar, " ", + archive->add_recurse ? "" : "--no-recursion ", + archive->remove_files ? "--remove-files " : "", +@@ -213,7 +213,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_BZ2: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -224,7 +224,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_GZ: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -235,7 +235,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_LZMA: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -246,7 +246,7 @@ void xa_tar_add (XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_XZ: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", +@@ -257,7 +257,7 @@ void xa_tar_add 
(XArchive *archive,GStri + break; + + case XARCHIVETYPE_TAR_LZOP: +- if ( g_file_test ( archive->escaped_path , G_FILE_TEST_EXISTS ) ) ++ if ( g_file_test ( archive->path , G_FILE_TEST_EXISTS ) ) + xa_add_delete_bzip2_gzip_lzma_compressed_tar (files,archive,1); + else + command = g_strconcat (tar, " ", diff -Nru xarchiver-0.5.4/debian/patches/series xarchiver-0.5.4/debian/patches/series --- xarchiver-0.5.4/debian/patches/series 2016-05-15 00:05:35.000000000 +0200 +++ xarchiver-0.5.4/debian/patches/series 2017-06-02 10:29:41.000000000 +0200 @@ -1,3 +1,4 @@ desktop-file.patch encrypted-7z-archives.patch cancel-extraction-crash.patch +pass-unescaped-filenames-to-g_file_test.patch
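
Review bot: The header of debian/patches/pass-unescaped-filenames-to-g_file_test.patch uses "Debian-Bug: #862593", which is not a DEP-3 field name, so tooling that parses patch headers will not pick up the bug reference. Suggest "Bug-Debian: https://bugs.debian.org/862593" and adding a "Forwarded:" line so it is clear whether upstream has the fix.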
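
Review bot: In the src/tar.c hunks the existence test is corrected separately in each of the six case arms of xa_tar_add (XARCHIVETYPE_TAR through XARCHIVETYPE_TAR_LZOP), so the check stays duplicated and a later arm can reintroduce archive->escaped_path unnoticed. For upstream, consider evaluating g_file_test (archive->path, G_FILE_TEST_EXISTS) once into a local gboolean before the switch. The context lines do not show which field the g_strconcat command strings use, so it is worth confirming they still take the escaped form, since only the filesystem test should see the raw path.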
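
Review bot: The new debian/changelog entry describes the fix but never names the patch file, unlike the previous entry's "* Add cancel-extraction-crash.patch." Suggest starting the bullet with "Add pass-unescaped-filenames-to-g_file_test.patch:" so the entry can be matched to the line added in debian/patches/series.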
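
The failure mode named in the changelog, as an added example that is not xarchiver code: a path escaped for the shell no longer names the file when it is handed straight to a filesystem call. `escape_for_shell`, `exists` and `probe` are hypothetical names, the escaping rule is an assumed stand-in for however `escaped_path` is produced, and the file names are constructed samples.

```c
/* Added illustration, not xarchiver code. escape_for_shell() is a hypothetical
 * stand-in for whatever fills archive->escaped_path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Backslash-escape shell metacharacters for use inside a command string. */
static char *escape_for_shell(const char *s)
{
    static const char meta[] = " \t\n\\'\"`$&|;<>()[]{}*?!#~";
    char *out = malloc(2 * strlen(s) + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (strchr(meta, *s)) *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Filesystem calls see the literal bytes; no shell removes the backslashes. */
static int exists(const char *path) { return access(path, F_OK) == 0; }

/* Create `name` in a scratch directory, then test for it both ways.
 * Returns bit 0 = found via raw path, bit 1 = found via escaped path, -1 on error. */
int probe(const char *name)
{
    char dir[64], path[512];
    int found = 0;
    snprintf(dir, sizeof dir, "/tmp/xa-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    char *esc = escape_for_shell(path);
    if (f && esc) {
        found |= exists(path) ? 1 : 0;
        found |= exists(esc) ? 2 : 0;   /* the pre-patch style of test */
    } else {
        found = -1;
    }
    if (f) { fclose(f); unlink(path); }
    free(esc);
    rmdir(dir);
    return found;
}

int main(void)
{
    printf("plain.tar        -> %d\n", probe("plain.tar"));
    printf("my backup(1).tar -> %d\n", probe("my backup(1).tar"));
    return 0;
}
```

A result of 1 for the second name means the archive is on disk but the escaped-path test reports it missing, which is the condition under which the changelog says existing content was removed.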