Bug#991841: unblock: perm/0.4.0-6

Nilesh Patra Mon, 02 Aug 2021 22:51:27 -0700

Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]


Please unblock package perm

[ Reason ]
An autopkgtest was recently added to perm on its git repository, which
resulted in uncovering a buffer overflow. Here's the log:

https://salsa.debian.org/med-team/perm/-/jobs/1788156

AIUI, this is a security issue and such issues are RC

[ Impact ]
The users machine will contain a version of perm which can potentially
cause a buffer overflow

[ Tests ]
Autopkgtests have been added for this release

[ Risks ]
Perm is a leaf package, I do not see any risks

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Some stuff like installing docs in d/docs, or installing autopkgtests in
d/examples might look redundant, but they are needed to run tests in a
sane fashion. These changes are not too major, and are rather harmless.

unblock perm/0.4.0-6

diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog 2021-08-03 00:31:10.000000000 +0530
@@ -1,3 +1,24 @@
+perm (0.4.0-6) unstable; urgency=medium
+
+  * Team Upload.
+  [ Shruti Sridhar ]
+  * d/tests/data: Add testdata
+  * d/tests: Add autopkgtest
+  * d/example: Install test data as example
+  * d/docs: Install d/README.* and d/tests/run-unit-test
+    as documents
+  * d/p/hardening.patch: Add CPPFLAGS which helped detect
+    buffer overflow
+  * d/copyright: Test data has been written by Shruti, mentioning
+    them in copyright for the same
+
+  [ Nilesh Patra ]
+  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+    instead of strncpy in order to fix buffer overflow
+  * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <[email protected]>  Tue, 03 Aug 2021 00:31:10 +0530
+
 perm (0.4.0-5) unstable; urgency=medium
 
   * Standards-Version: 4.5.1 (routine-update)
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control   2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control   2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
 Uploaders: Andreas Tille <[email protected]>
 Section: science
 Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/med-team/perm
 Vcs-Git: https://salsa.debian.org/med-team/perm.git
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright 2021-08-03 00:31:10.000000000 +0530
@@ -12,6 +12,10 @@
                2014-2017 Andreas Tille <[email protected]>
 License: Apache-2.0
 
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <[email protected]>
+License: Apache-2.0
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs      1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs      2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples  1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples  2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch 
perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 
05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03 
00:30:42.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid 
buffer overflow
+Author: Nilesh Patra <[email protected]>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+ 
+ TARGETS = perm
+-LIBS = -lm -lstdc++ 
++LIBS = -lm -lstdc++ -lbsd 
+  
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp 
chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp 
SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+     return(true);
+ }
+ 
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+     if (caBuf == NULL) {
+         ERR;
+-        return(NULL);
++        return(-1);
+     }
+     int iBufSizeMinus1 = iBufSize - 1;
+-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);
+     if (iBufSizeMinus1 >= 0) {
+         caBuf[iBufSizeMinus1] = '\0';
+     } else {
diff -Nru perm-0.4.0/debian/patches/hardening.patch 
perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch   2020-11-24 14:40:20.000000000 
+0530
+++ perm-0.4.0/debian/patches/hardening.patch   2021-08-02 17:25:32.000000000 
+0530
@@ -2,14 +2,14 @@
 Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
 Description: Propagate hardening options
 
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install:     all
  
  perm: $(PER_M)
        make clean
 -      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++      $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) 
$(CPPFLAGS)
        #$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
  
  tar:  clean
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series    2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series    2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
 hardening.patch
 spelling.patch
 gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test       1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test       2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+────────────────────────────────────────
+
+This package can be tested by running the provided test:
+
+    sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing 
+────────────────────────────────────────
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package. 
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control     1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control     2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta 
perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta    1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta    2021-08-02 17:25:32.000000000 
+0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta 
perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta      1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta      2021-08-02 17:25:32.000000000 
+0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test 
perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test       1970-01-01 05:30:00.000000000 
+0530
+++ perm-0.4.0/debian/tests/run-unit-test       2021-08-03 00:31:10.000000000 
+0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
+[ -s "out.sam" ] || exit 1
+echo "PASS test"

Bug#991841: unblock: perm/0.4.0-6

Reply via email to