Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id 
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055588,
regarding bookworm-pu: package jdupes/1.21.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1055588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055588
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:jdupes

[ Reason ]
jdupes is a fork of fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes on Debian is already fixed. A warning about this
bug was sent to me by the jdupes upstream (Jody Bruchon) via email message.

The help option for jdupes says:
  -d --delete: prompt user for files to preserve and delete all
               others; [...]

Using the command 'jdupes -d .', a prompt will appear:

  Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only. Setting
'2-4', the file 2 will be kept and the files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces the users to use a range and it is
not valid. Currently, jdupes is not denying this behaviour and it is generating
a data loss.

[ Impact ]
If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]
Some manual tests have been done over jdupes with a patch created by the
upstream. I also tested fdupes to verify if it would be necessary to open a bug
against this package. The current fdupes has no issues.

[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog      2023-02-20 06:51:57.000000000 -0300
+++ jdupes-1.21.3/debian/changelog      2023-11-08 11:24:57.000000000 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+    loss caused by a wrong message that induces the users to use a range of
+    values with -d option. Currently, the -d option doesn't understand ranges.
+    (Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho <[email protected]>  Wed, 08 Nov 2023 11:24:57 
-0300
+
 jdupes (1.21.3-1) unstable; urgency=medium
 
   * New upstream version 1.21.3.
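
Review bot: The changelog entry attributes the fix only to the misleading prompt message, but the patch it introduces also changes how -d handles input: answers containing '-' or other unexpected characters, and numbers outside the listed set, now abort with an error and no action. For a stable update that behaviour change is worth stating in the entry, for example by adding that invalid answers to the -d prompt are now refused.
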
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 
jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch        1969-12-31 
21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch        2023-11-08 
11:24:57.000000000 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+             The help option for jdupes says:
+               -d --delete: prompt user for files to preserve and delete all
+                            others; [...]
+             .
+             Using the command 'jdupes -d .', a prompt will appear:
+               Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink 
all, [s]ymlink all):
+             It is a mistake to set 2-4 because the jdupes considers one file
+             only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+             will be deleted. The sentence 'keep which files? (1 - 5' induces
+             the users to use a range and it is not valid. Currently, jdupes is
+             not denying this behaviour and it is generating a data loss.
+             .
+             This patch fixes this issue.
+Author: Jody Bruchon <[email protected]>
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===================================================================
+--- jdupes.orig/act_deletefiles.c
++++ jdupes/act_deletefiles.c
+@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom
+         for (x = 2; x <= counter; x++) preserve[x] = 0;
+       } else do {
+         /* Prompt for files to preserve */
+-        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
+-          curgroup, groups, counter);
++        printf("Specify multiple files with commas like this: 1,2,4,6\n");
++        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one", 
curgroup, groups, counter);
+ #ifndef NO_HARDLINKS
+        printf(", [l]ink all");
+ #endif
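
Review bot: The reworded prompt still prints "(1 - %u", which is the exact text the patch description blames for suggesting that a range is accepted; the added hint line about commas does not remove that cue. Consider changing the display to something like "1 to %u" so the prompt no longer resembles the syntax that is now rejected. The hint is also printed inside the do loop, so it repeats on every pass; if it is meant as a one-time instruction, print it before the loop.
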
+@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom
+ 
+         for (x = 1; x <= counter; x++) preserve[x] = 0;
+ 
++      /* Catch attempts to use invalid characters and block them */
++        for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) {
++          switch (*pscheck) {
++            case ',':
++            case ' ':
++            case 'a':
++            case 'A':
++            case 's':
++            case 'S':
++            case 'l':
++            case 'L':
++            case 'n':
++            case 'N':
++            case '\n':
++            case '\0':
++              continue;
++          default:
++            break;
++        }
++          if (*pscheck >= '0' && *pscheck <= '9') continue;
++          if (*pscheck == '-') {
++            fprintf(stderr, "error: number ranges are not yet supported; 
taking no action\n");
++          goto skip_deletion;
++        }
++          fprintf(stderr, "error: invalid character '%c' in preserve answer; 
taking no action\n", *pscheck);
++        goto skip_deletion;
++        }
+         token = strtok(preservestr, " ,\n");
+         if (token != NULL) {
+ #if defined NO_HARDLINKS && defined NO_SYMLINKS
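
Review bot: The new character check validates each character on its own, not its position, so an answer that mixes digits and the allowed letters (for example "2a" or "1l") passes this loop; confirm that the token handling after strtok rejects such tokens instead of acting on part of them. Within the switch, "case '\0':" can never match because the loop condition already stops at '\0', and the digit test could be folded into the switch so the allow-list lives in one place. The indentation of "default:", the closing braces and the "goto skip_deletion;" lines is several columns off from the surrounding code, and no hunk here adds the skip_deletion label, so it has to exist already in deletefiles().
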
+@@ -172,6 +199,10 @@ void deletefiles(file_t *files, int prom
+           number = 0;
+           sscanf(token, "%u", &number);
+           if (number > 0 && number <= counter) preserve[number] = 1;
++          else {
++            fprintf(stderr, "invalid number '%u' in preserve answer; taking 
no action\n", number);
++            goto skip_deletion;
++        }
+ 
+           token = strtok(NULL, " ,\n");
+         }
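
Review bot: The new else branch reports the parsed value, not what the user typed: number is set to 0 before sscanf, so any token that does not parse as an unsigned integer is reported as "invalid number '0'". Print the token itself with %s so the message matches the input, and check the sscanf return value to tell "not a number" apart from "out of range". The message also lacks the "error:" prefix used by the two messages added in the character check above.
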
diff -Nru jdupes-1.21.3/debian/patches/series 
jdupes-1.21.3/debian/patches/series
--- jdupes-1.21.3/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/series 2023-11-08 11:24:57.000000000 -0300
@@ -0,0 +1 @@
+010_fix-data-loss.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
