Bug#854923: busybox: "sed -i" bug corrected in version 1.23.0

2017-02-18 Thread Cyril Brulebois
Hi,

Cyril Chaboisseau (2017-02-18):
> Fine, but busybox will eventually be upgraded to a newer stable version
> at some point, or it will suffer from old/buggy version with potential
> security holes
> if not, it means that in the long run it will be very difficult to
> cherry-pick those security patches and the project will not benefit from
> new features and improvements

I'm not disputing that, and that's why I mentioned in my first reply
that I called for help so that others give a hand and get a new upstream
packaged.

> as for bug #854924, don't you think it would have never occurred if a
> newer version of busybox were installed? (after 1.23 at least)

With a newer sed (that is: including the fix you linked to), sed -i
would fail because of a missing file to work on, and would have broken
the installation process instead of generating a file with strange
permissions. That's why I mentioned we need to guard the sed call with a
test on its existence. In other words, the fix pushed for #854924 was
needed either way.


KiBi.
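
The guard described in the message above, as an added example that is not part of the thread or of the Debian installer code. The function names, paths and file contents are hypothetical; the unguarded case assumes a sed that reports a missing input file with a non-zero status, as the fixed busybox sed does.

```shell
#!/bin/sh
# Added example: guarding an in-place sed edit in a script that runs under set -e.

# Edit "$2" in place with sed script "$1", but only if it is an existing
# regular file. A missing file is treated as "nothing to do" (status 0), so a
# caller running under set -e is not aborted and no file is created.
guarded_sed_i() {
    script=$1
    file=$2
    if [ ! -f "$file" ]; then
        echo "skip: $file not present" >&2
        return 0
    fi
    sed -i "$script" "$file"
}

# The unguarded call as an installer script would run it. A separate sh is
# used because set -e is ignored inside a function called on the left of ||.
# "completed" is printed only if the script got past the sed call.
unguarded_under_set_e() {
    sh -c 'set -e; sed -i "$1" "$2" 2>/dev/null; echo completed' sh "$1" "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    missing="$dir/absent.conf"          # constructed path, never created
    present="$dir/present.conf"
    printf 'mode=old\n' > "$present"    # constructed sample content

    unguarded_under_set_e 's/old/new/' "$missing" \
        || echo "unguarded: script aborted with status $?"
    guarded_sed_i 's/old/new/' "$missing" && echo "guarded: script continues"
    guarded_sed_i 's/old/new/' "$present" && cat "$present"
    rm -rf "$dir"
}

demo
```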




Bug#854923: busybox: "sed -i" bug corrected in version 1.23.0

2017-02-18 Thread Cyril Chaboisseau
Hi Cyril,

Fine, but busybox will eventually be upgraded to a newer stable version
at some point, or it will suffer from old/buggy version with potential
security holes
if not, it means that in the long run it will be very difficult to
cherry-pick those security patches and the project will not benefit from
new features and improvements

as for bug #854924, don't you think it would have never occurred if a
newer version of busybox were installed? (after 1.23 at least)

On 18 February around 18:38, Cyril Brulebois wrote:
> > this bug https://bugs.busybox.net/show_bug.cgi?id=7484 is corrected in
> > version 1.23.0
> 
> Thanks for the link. Given the patch, we need to be careful about the
> sed -i call anyway (https://bugs.debian.org/854924), since we would be
> setting exitcode to EXIT_FAILURE (and most code has set -e).
> 
> > busybox should be upgraded to a newer stable version 1.23.2 (or newer:
> > 1.26.2)



-- 
Cyril Chaboisseau



Bug#854923: busybox: "sed -i" bug corrected in version 1.23.0

2017-02-18 Thread Cyril Brulebois
Hi Cyril,

Cyril Chaboisseau (2017-02-16):
> this bug https://bugs.busybox.net/show_bug.cgi?id=7484 is corrected in
> version 1.23.0

Thanks for the link. Given the patch, we need to be careful about the
sed -i call anyway (https://bugs.debian.org/854924), since we would be
setting exitcode to EXIT_FAILURE (and most code has set -e).

> busybox should be upgraded to a newer stable version 1.23.2 (or newer:
> 1.26.2)

Feel free to join and give a hand! See my call for help:
  https://bugs.debian.org/854181


KiBi.




Bug#854923: busybox: "sed -i" bug corrected in version 1.23.0

2017-02-16 Thread Cyril Chaboisseau
Package: busybox
Version: 1:1.22.0-19+b1
Followup-For: Bug #854923

this bug
https://bugs.busybox.net/show_bug.cgi?id=7484
is corrected in version 1.23.0

busybox should be upgraded to a newer stable version 1.23.2 (or newer: 1.26.2)


-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (101, 'stable'), (99, 'experimental'), (9, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages busybox depends on:
ii  libc6  2.24-9

busybox recommends no packages.

busybox suggests no packages.

-- no debconf information