Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdu...@packages.debian.org
Control: affects -1 + src:jdupes
[ Reason ]
jdupes is a fork of fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes in Debian is already fixed. A warning about this
bug was sent to me by the jdupes upstream (Jody Bruchon) via email.
The help option for jdupes says:
    -d --delete: prompt user for files to preserve and delete all others; [...]
Using the command 'jdupes -d .', a prompt will appear:
    Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):
It is a mistake to enter 2-4 because jdupes considers one file only. With
'2-4', file 2 will be kept and files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces users to use a range, which is
not valid. Currently, jdupes is not denying this behaviour and it is causing
data loss.
[ Impact ]
If the update isn't approved, users can be induced to select a range of
files and it will possibly cause data loss.
[ Tests ]
Some manual tests have been done on jdupes with a patch created by
upstream. I also tested fdupes to verify whether it would be necessary to open a bug
against this package. The current fdupes has no issues.
[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.
[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog 2023-02-20 06:51:57.0 -0300
+++ jdupes-1.21.3/debian/changelog 2023-11-08 11:24:57.0 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+ * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+loss caused by a wrong message that induces the users to use a range of
+values with -d option. Currently, the -d option doesn't understand ranges.
+(Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho Wed, 08 Nov 2023 11:24:57
-0300
+
jdupes (1.21.3-1) unstable; urgency=medium
* New upstream version 1.21.3.
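Review bot: the new changelog entry for 010_fix-data-loss.patch names only "a wrong message" as the cause and notes that -d doesn't understand ranges, but it does not mention the input check the patch adds (its own comment reads "Catch attempts to use invalid characters and block them"). Suggest listing both changes in the entry, for example "add a hint on how to list several files and reject invalid characters in the answer", so the stable changelog records the part that actually stops the deletion.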
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch1969-12-31
21:00:00.0 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch2023-11-08
11:24:57.0 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+ The help option for jdupes says:
+ -d --delete: prompt user for files to preserve and delete all
+others; [...]
+ .
+ Using the command 'jdupes -d .', a prompt will appear:
+ Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink
all, [s]ymlink all):
+ It is a mistake to set 2-4 because the jdupes considers one file
+ only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+ will be deleted. The sentence 'keep which files? (1 - 5' induces
+ the users to use a range and it is not valid. Currently, jdupes is
+ not denying this behaviour and it is generating a data loss.
+ .
+ This patch fixes this issue.
+Author: Jody Bruchon
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===
+--- jdupes.orig/act_deletefiles.c
jdupes/act_deletefiles.c
+@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom
+ for (x = 2; x <= counter; x++) preserve[x] = 0;
+ } else do {
+ /* Prompt for files to preserve */
+-printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
+- curgroup, groups, counter);
++printf("Specify multiple files with commas like this: 1,2,4,6\n");
++printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
curgroup, groups, counter);
+ #ifndef NO_HARDLINKS
+printf(", [l]ink all");
+ #endif
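Review bot: the second printf in this hunk still prints "(1 - %u", which is the exact text the patch description blames for leading users to type a range. The added hint shows the comma syntax but never says that ranges are refused; suggest changing the bound to something like "(1 to %u" or extending the hint with "ranges such as 2-4 are not accepted". The hint also sits inside the do loop, so it is repeated each time the prompt is shown; printing it once before the loop would keep the prompt shorter.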
+@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom
+
+ for (x = 1; x <= counter; x++) preserve[x] = 0;
+
++ /* Catch attempts to use invalid characters and block them */
++for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) {
++ switch (*pscheck) {
++case ',':
++
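The failure described under [ Reason ], as an added example that is not part of the bug report, the debdiff or jdupes itself: `parse_lenient` is an assumed model of a parser that reads only the leading number of each token, and `parse_strict` is one way to reject such input before any file is marked for deletion. All function names and the five-file set are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the pre-patch behaviour (not jdupes source): only the
 * leading number of each comma-separated token is read, so "2-4" means "2". */
void parse_lenient(const char *in, int count, int *keep) {
  memset(keep, 0, sizeof(*keep) * (size_t)(count + 1));
  for (const char *p = in; p != NULL;) {
    long n = strtol(p, NULL, 10);        /* stops at '-', rest is ignored */
    if (n >= 1 && n <= count) keep[n] = 1;
    p = strchr(p, ',');
    if (p != NULL) p++;
  }
}

/* Strict form: digits, commas and whitespace only. Pass 0 validates, pass 1
 * writes keep[], so a rejected line (-1) never changes the selection. */
int parse_strict(const char *in, int count, int *keep) {
  for (int pass = 0; pass < 2; pass++) {
    int selected = 0;
    if (pass == 1) memset(keep, 0, sizeof(*keep) * (size_t)(count + 1));
    for (const char *p = in; *p != '\0';) {
      if (*p == ',' || *p == ' ' || *p == '\n') { p++; continue; }
      if (!isdigit((unsigned char)*p)) return -1;  /* '-', letters, ... */
      char *end;
      long n = strtol(p, &end, 10);
      if (n < 1 || n > count) return -1;           /* not a file in this set */
      if (pass == 1) keep[n] = 1;
      selected++; p = end;
    }
    if (selected == 0) return -1;                  /* nothing chosen */
  }
  return 0;
}

int deleted(const int *keep, int count) {  /* files a selection would delete */
  int d = 0;
  for (int x = 1; x <= count; x++) d += !keep[x];
  return d;
}

int main(void) {
  int keep[6];  /* constructed set of 5 duplicates, 1-based like the prompt */
  parse_lenient("2-4", 5, keep);
  printf("lenient \"2-4\": %d of 5 deleted\n", deleted(keep, 5));
  puts(parse_strict("2-4", 5, keep) ? "strict \"2-4\": rejected" : "strict \"2-4\": accepted");
  return 0;
}
```

Only numeric lists are modelled; the prompt's letter options ([a]ll, [n]one and so on) are left out.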