Bug#1055588: bookworm-pu: package jdupes/1.21.3-1+deb12u1

2023-12-02 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2023-11-08 at 12:29 -0300, Joao Eriberto Mota Filho wrote:
> jdupes is a fork from fdupes. A bug was introduced by the initial
> fork some years ago. The current fdupes on Debian is already fixed. A
> warning about this bug was sent by the jdupes upstream (Jody Bruchon)
> to me via email message.
> 
> The help option for jdupes says:
>   -d --delete: prompt user for files to preserve and delete all
>    others; [...]
> 
> Using the command 'jdupes -d .', a prompt will appear:
> 
>   Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):
> 
> It is a mistake to set 2-4 because jdupes considers one file
> only. Setting '2-4', the file 2 will be kept and the files 3 and 4
> will be deleted. The sentence 'keep which files? (1 - 5' induces the
> users to use a range and it is not valid. Currently, jdupes is not
> denying this behaviour and it is generating a data loss.

Please go ahead.

Regards,

Adam
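
The failure mode described in the quoted report above, as an added example that is not part of this thread or of the jdupes source: a lenient parser that takes only the leading integer of each token, next to a strict one that rejects the whole line. Both functions and their names are hypothetical, the lenient one is an assumed model of the reported behaviour, and only numeric selections are handled (letter choices such as [a]ll are left out).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the reported behaviour: each token's leading integer is
 * used and trailing characters such as "-4" are silently ignored.
 * preserve[] must have count + 1 entries; index 0 is unused. */
int lenient_select(const char *input, int count, int *preserve) {
  char buf[128];
  int kept = 0;
  memset(preserve, 0, sizeof(int) * (size_t)(count + 1));
  snprintf(buf, sizeof buf, "%s", input);
  for (char *tok = strtok(buf, " ,\n"); tok; tok = strtok(NULL, " ,\n")) {
    long n = strtol(tok, NULL, 10);            /* "2-4" parses as 2 */
    if (n >= 1 && n <= count && !preserve[n]) { preserve[n] = 1; kept++; }
  }
  return kept;
}

/* Strict variant: accept only digits, commas and whitespace, and only numbers
 * in 1..count. On any violation nothing stays marked and -1 is returned, so
 * the caller can re-prompt instead of deleting. */
int strict_select(const char *input, int count, int *preserve) {
  char buf[128];
  int kept = 0;
  memset(preserve, 0, sizeof(int) * (size_t)(count + 1));
  if (strlen(input) >= sizeof buf) return -1;
  for (const char *p = input; *p; p++)
    if (!isdigit((unsigned char)*p) && *p != ',' && !isspace((unsigned char)*p))
      return -1;                               /* '-' in "2-4" stops here */
  strcpy(buf, input);
  for (char *tok = strtok(buf, " ,\t\r\n\v\f"); tok; tok = strtok(NULL, " ,\t\r\n\v\f")) {
    long n = strtol(tok, NULL, 10);
    if (n < 1 || n > count) {                  /* out of range, or overflow */
      memset(preserve, 0, sizeof(int) * (size_t)(count + 1));
      return -1;
    }
    if (!preserve[n]) { preserve[n] = 1; kept++; }
  }
  return kept;
}

int main(void) {
  int keep[6];                                 /* constructed set of 5 files */
  printf("lenient \"2-4\": %d kept\n", lenient_select("2-4", 5, keep));
  printf("strict  \"2-4\": %d\n", strict_select("2-4", 5, keep));
  printf("strict  \"2,3,4\": %d kept\n", strict_select("2,3,4", 5, keep));
  return 0;
}
```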



Bug#1055588: bookworm-pu: package jdupes/1.21.3-1+deb12u1

2023-11-08 Thread Joao Eriberto Mota Filho
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdu...@packages.debian.org
Control: affects -1 + src:jdupes

[ Reason ]
jdupes is a fork from fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes on Debian is already fixed. A warning about this
bug was sent by the jdupes upstream (Jody Bruchon) to me via email message.

The help option for jdupes says:
  -d --delete: prompt user for files to preserve and delete all
   others; [...]

Using the command 'jdupes -d .', a prompt will appear:

  Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only. Setting
'2-4', the file 2 will be kept and the files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces the users to use a range and it is
not valid. Currently, jdupes is not denying this behaviour and it is generating
a data loss.

[ Impact ]
If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]
Some manual tests have been done over jdupes with a patch created by the
upstream. I also tested fdupes to verify if it would be necessary to open a bug
against this package. The current fdupes has no issues.

[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog  2023-02-20 06:51:57.0 -0300
+++ jdupes-1.21.3/debian/changelog  2023-11-08 11:24:57.0 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+loss caused by a wrong message that induces the users to use a range of
+values with -d option. Currently, the -d option doesn't understand ranges.
+(Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho   Wed, 08 Nov 2023 11:24:57 
-0300
+
 jdupes (1.21.3-1) unstable; urgency=medium
 
   * New upstream version 1.21.3.
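Review bot: The new 1.21.3-1+deb12u1 entry attributes the data loss only to "a wrong message", while the [ Changes ] section of this request says the upstream patch also adds checks for inputs. Mention the input validation in the entry as well, and that the patch comes from upstream, so that d/changelog documents both behaviour changes a stable user will see at the -d prompt.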
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch 
jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch1969-12-31 
21:00:00.0 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch2023-11-08 
11:24:57.0 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+ The help option for jdupes says:
+   -d --delete: prompt user for files to preserve and delete all
+others; [...]
+ .
+ Using the command 'jdupes -d .', a prompt will appear:
+   Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink 
all, [s]ymlink all):
+ It is a mistake to set 2-4 because the jdupes considers one file
+ only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+ will be deleted. The sentence 'keep which files? (1 - 5' induces
+ the users to use a range and it is not valid. Currently, jdupes is
+ not denying this behaviour and it is generating a data loss.
+ .
+ This patch fixes this issue.
+Author: Jody Bruchon 
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===
+--- jdupes.orig/act_deletefiles.c
 jdupes/act_deletefiles.c
+@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom
+ for (x = 2; x <= counter; x++) preserve[x] = 0;
+   } else do {
+ /* Prompt for files to preserve */
+-printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
+-  curgroup, groups, counter);
++printf("Specify multiple files with commas like this: 1,2,4,6\n");
++printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one", 
curgroup, groups, counter);
+ #ifndef NO_HARDLINKS
+printf(", [l]ink all");
+ #endif
+@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom
+ 
+ for (x = 1; x <= counter; x++) preserve[x] = 0;
+ 
++  /* Catch attempts to use invalid characters and block them */
++for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) {
++  switch (*pscheck) {
++case ',':
++
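Review bot: In the nested act_deletefiles.c hunk at -101,8, the prompt still prints "(1 - %u", which is the exact wording the Description blames for inducing users to type a range; only the hint line "Specify multiple files with commas like this: 1,2,4,6" is added above it. Either reword the prompt itself so it no longer looks like a range, or say in the Description that the wording is kept on purpose and that the new character check in the -139,6 hunk is what stops an input like '2-4'. The hint printf also sits inside the do loop, so it is printed again on every re-prompt.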