Your message dated Wed, 04 Aug 2021 20:34:59 +0000
with message-id <[email protected]>
and subject line unblock perm
has caused the Debian Bug report #991841,
regarding unblock: perm/0.4.0-7
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Please unblock package perm
[ Reason ]
An autopkgtest was recently added to perm on its git repository, which
resulted in uncovering a buffer overflow. Here's the log:
https://salsa.debian.org/med-team/perm/-/jobs/1788156
AIUI, this is a security issue and such issues are RC.
[ Impact ]
The user's machine will contain a version of perm which can potentially
cause a buffer overflow.
[ Tests ]
Autopkgtests have been added for this release
[ Risks ]
Perm is a leaf package; I do not see any risks.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Some stuff like installing docs in d/docs, or installing autopkgtests in
d/examples might look redundant, but they are needed to run tests in a
sane fashion. These changes are not too major, and are rather harmless.
unblock perm/0.4.0-6
diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog 2021-08-03 00:31:10.000000000 +0530
@@ -1,3 +1,24 @@
+perm (0.4.0-6) unstable; urgency=medium
+
+ * Team Upload.
+ [ Shruti Sridhar ]
+ * d/tests/data: Add testdata
+ * d/tests: Add autopkgtest
+ * d/example: Install test data as example
+ * d/docs: Install d/README.* and d/tests/run-unit-test
+ as documents
+ * d/p/hardening.patch: Add CPPFLAGS which helped detect
+ buffer overflow
+ * d/copyright: Test data has been written by Shruti, mentioning
+ them in copyright for the same
+
+ [ Nilesh Patra ]
+ * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+ instead of strncpy in order to fix buffer overflow
+ * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <[email protected]> Tue, 03 Aug 2021 00:31:10 +0530
+
perm (0.4.0-5) unstable; urgency=medium
* Standards-Version: 4.5.1 (routine-update)
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control 2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
Uploaders: Andreas Tille <[email protected]>
Section: science
Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/med-team/perm
Vcs-Git: https://salsa.debian.org/med-team/perm.git
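Review bot: libbsd-dev is added to Build-Depends, but the runtime dependency on libbsd0 that the new `-lbsd` link flag introduces is not visible in this hunk; confirm that the binary package's Depends line (outside this hunk) carries `${shlibs:Depends}` so dpkg-shlibdeps records libbsd0 automatically, otherwise the fixed binary would fail to load on a system without it.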
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright 2021-08-03 00:31:10.000000000 +0530
@@ -12,6 +12,10 @@
2014-2017 Andreas Tille <[email protected]>
License: Apache-2.0
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <[email protected]>
+License: Apache-2.0
+
License: Apache-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
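Review bot: the new Files stanza's Copyright line gives a name but no year; DEP-5 expects the form `Copyright: 2021 Shruti Sridhar <[email protected]>`. The License: Apache-2.0 reference correctly resolves to the standalone License paragraph that follows, so nothing else is needed here.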
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
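Review bot: the `\ No newline at end of file` marker shows debian/docs lacks a trailing newline; dh_installdocs tolerates this, but it is worth adding one. Installing debian/tests/run-unit-test as documentation is unusual enough that the reason given in the bug's [Other info] section (the README tells users to run it by hand) deserves a `#` comment line in this file, which debhelper config files accept, so the next maintainer does not remove it as redundant.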
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
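Review bot: this one-line file is load-bearing for the autopkgtest, since run-unit-test does `cp -a /usr/share/doc/${pkg}/examples/*` to reach Ref.fasta and Reads.fasta; renaming or dropping it would silently break the test, so a `#` comment noting that coupling would help. It also lacks a trailing newline.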
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch
perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01
05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03
00:30:42.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid
buffer overflow
+Author: Nilesh Patra <[email protected]>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+
+ TARGETS = perm
+-LIBS = -lm -lstdc++
++LIBS = -lm -lstdc++ -lbsd
+
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp
chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp
SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+ return(true);
+ }
+
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+ if (caBuf == NULL) {
+ ERR;
+- return(NULL);
++ return(-1);
+ }
+ int iBufSizeMinus1 = iBufSize - 1;
+- char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++ int returnV = strlcpy(caBuf, str, iBufSizeMinus1);
+ if (iBufSizeMinus1 >= 0) {
+ caBuf[iBufSizeMinus1] = '\0';
+ } else {
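Review bot: the size check is still on the wrong side of the copy. `if (iBufSizeMinus1 >= 0)` only guards the manual terminator write; a caller passing iBufSize <= 0 still reaches `strlcpy(caBuf, str, iBufSizeMinus1)` with a negative int that converts to a huge size_t, and strlcpy then copies the whole source unbounded, exactly the class of bug this patch is meant to close. Move that check (or an early `return(-1)`) above the call. Two smaller points on the same lines: strlcpy already NUL-terminates within the size it is given, so passing `iBufSizeMinus1` and then writing `caBuf[iBufSizeMinus1] = '\0'` wastes one byte of every buffer and the manual terminator is redundant; pass `iBufSize` directly. And strlcpy returns the full source length (a size_t, here narrowed into `int returnV`) precisely so the caller can detect truncation; without `if (returnV >= iBufSize) { /* truncated */ }` an over-long filename or sequence name is now silently cut short instead of overflowing, which is safer but still a silent data error. The return type change from `char*` to `int` means any caller that used the old pointer result no longer compiles, so a clean build is the confirmation that none did.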
diff -Nru perm-0.4.0/debian/patches/hardening.patch
perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch 2020-11-24 14:40:20.000000000
+0530
+++ perm-0.4.0/debian/patches/hardening.patch 2021-08-02 17:25:32.000000000
+0530
@@ -2,14 +2,14 @@
Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
Description: Propagate hardening options
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install: all
perm: $(PER_M)
make clean
- $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
$(CPPFLAGS)
#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
tar: clean
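Review bot: appending `$(CPPFLAGS)` to the link line works here only because this makefile compiles the $(PER_M) .cpp sources in the same g++ invocation that links them, so the dpkg-buildflags preprocessor flags (notably `-D_FORTIFY_SOURCE=2`) now reach the compile step; that is what made the strncpy overflow detectable, as the changelog says. The conventional order is `$(CPPFLAGS) $(CFLAGS)` before the sources rather than after `$(LDFLAGS)`, and `$(CFLAGS)` now appears twice on the command (once inside `CC = g++ -O2 $(CFLAGS)` and once explicitly), which is pre-existing but worth tidying in the same patch. The move from `Source.orig/` and `Source/` to `a/` and `b/` paths is fine for quilt with `-p1`.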
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series 2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
hardening.patch
spelling.patch
gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+────────────────────────────────────────
+
+This package can be tested by running the provided test:
+
+ sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing
+────────────────────────────────────────
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package.
\ No newline at end of file
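Review bot: grammar nit in the last line: "The Ref.fasta and Reads.fasta file were" should read "files were". The README tells users to run `sh run-unit-test` while the script's shebang is `#!/bin/bash`; the visible script body is plain POSIX sh, so either works, but the two should agree. The file also lacks a trailing newline.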
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta
perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta 1970-01-01 05:30:00.000000000
+0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta 2021-08-02 17:25:32.000000000
+0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta
perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta 1970-01-01 05:30:00.000000000
+0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta 2021-08-02 17:25:32.000000000
+0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test
perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test 1970-01-01 05:30:00.000000000
+0530
+++ perm-0.4.0/debian/tests/run-unit-test 2021-08-03 00:31:10.000000000
+0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+ AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+ trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam
+[ -s "out.sam" ] || exit 1
+echo "PASS test"
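Review bot: `[ -s "out.sam" ]` only proves the output is non-empty; a SAM file consisting solely of `@` header lines would still pass, so the test does not actually confirm that the read was aligned against the reference. Checking for at least one non-header record, for example `grep -v '^@' out.sam | grep -q . || exit 1`, would make this a real regression test. `set -e` already aborts the script if perm exits non-zero, so the explicit check is what catches the silent-failure case and is worth keeping alongside the stronger one.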
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---