Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

2019-05-01 Thread Paul Gevers 
Control: tags -1 - moreinfo

On Sun, 14 Apr 2019 20:30:00 + Niels Thykier  wrote:
> Please go ahead with this patch and remove the moreinfo tag once it has
> been fixed.

The upload happened (two of them), the removal of the moreinfo tag was
missing.

Paul



signature.asc
Description: OpenPGP digital signature

Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

2019-04-14 Thread Niels Thykier 
Control: tags -1 moreinfo confirmed

Gregor Jasny:
> Control: tags -1 - moreinfo
> 
> Hello,
> 
> A new patch turned up and I decided to only cherry-pick the three most
> important patches from the stable-1.16 tree.
> 
> Debdiff is attached.
> 
> If you agree on the changes I will upload via unstable.
> 
> Thanks,
> Gregor

Hi Gregor,

Please go ahead with this patch and remove the moreinfo tag once it has
been fixed.

Please note that you may want to inform upstream of the following
possible bug:

"""
+-  parms->fname = fname;
++  parms->fname = strdup(fname);
++  if (!parms->fname) {
++  dvb_logerr(_("fname calloc: %s"), strerror(errno));
++  return -errno;
++  }
++
"""

Please note that *any* call to a library function (e.g. strerror or _,
which I presume is gettext, or dvb_logerr which sounds like it will do
IO operations) may alter errno.  I.e. the errno returned may no longer
be from the failing strdup.

AFAICT, this is a consistent issue through out the diff and therefore
not really a regression:

"""
+   if (xioctl(fd, FE_GET_PROPERTY, _prop) == -1) {
+   dvb_perror("FE_GET_PROPERTY");
+-  dvb_v5_free(parms);
+   close(fd);
+   return -errno;
+   }
"""

Which is why I am ok with accepting it as it is.  For reference, the
solution is to store "errno" in a local variable immediately after the
failing call.

Thanks,
~Niels

Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

2019-04-14 Thread Gregor Jasny 

Control: tags -1 - moreinfo

Hello,

A new patch turned up and I decided to only cherry-pick the three most 
important patches from the stable-1.16 tree.


Debdiff is attached.

If you agree on the changes I will upload via unstable.

Thanks,
Gregor
diff -Nru v4l-utils-1.16.3/debian/changelog v4l-utils-1.16.3/debian/changelog
--- v4l-utils-1.16.3/debian/changelog   2018-12-15 19:34:33.0 +0100
+++ v4l-utils-1.16.3/debian/changelog   2019-04-14 14:30:26.0 +0200
@@ -1,3 +1,9 @@
+v4l-utils (1.16.3-2) unstable; urgency=medium
+
+  * Fix double-free and uninitailized memory issue. LP: #1819650
+
+ -- Gregor Jasny   Sun, 14 Apr 2019 14:30:26 +0200
+
 v4l-utils (1.16.3-1) unstable; urgency=medium
 
   * Imported Upstream version 1.16.3
diff -Nru v4l-utils-1.16.3/debian/gbp.conf v4l-utils-1.16.3/debian/gbp.conf
--- v4l-utils-1.16.3/debian/gbp.conf2018-10-06 13:53:55.0 +0200
+++ v4l-utils-1.16.3/debian/gbp.conf2019-04-14 14:23:39.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = buster
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff -Nru 
v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
 
v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
--- 
v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
 1970-01-01 01:00:00.0 +0100
+++ 
v4l-utils-1.16.3/debian/patches/0003-dvbv5-tools-be-sure-to-zero-struct-arguments.patch
 2019-04-14 14:28:27.0 +0200
@@ -0,0 +1,50 @@
+Subject: dvbv5-tools: be sure to zero struct arguments
+Author: Mauro Carvalho Chehab 
+Origin: upstream, 
https://git.linuxtv.org/v4l-utils.git/commit/?h=stable-1.16=faef148b1b67bd17f879fd71746532c86e90
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1819650
+
+From 23e5056b0487acdaa56e5569952b5a8f344cf49b Mon Sep 17 00:00:00 2001
+Date: Thu, 14 Mar 2019 19:23:38 -0300
+
+Let's not let the arguments struct with some random value.
+
+Signed-off-by: Mauro Carvalho Chehab 
+---
+ utils/dvb/dvb-format-convert.c | 2 +-
+ utils/dvb/dvbv5-scan.c | 2 +-
+ utils/dvb/dvbv5-zap.c  | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/utils/dvb/dvb-format-convert.c
 b/utils/dvb/dvb-format-convert.c
+@@ -123,7 +123,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-  struct arguments args;
++  struct arguments args = {};
+   int idx = -1, missing = 0;
+   const struct argp argp = {
+   .options = options,
+--- a/utils/dvb/dvbv5-scan.c
 b/utils/dvb/dvbv5-scan.c
+@@ -450,7 +450,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-  struct arguments args;
++  struct arguments args = {};
+   int err, lnb = -1,idx = -1;
+   struct dvb_device *dvb;
+   struct dvb_dev_list *dvb_dev;
+--- a/utils/dvb/dvbv5-zap.c
 b/utils/dvb/dvbv5-zap.c
+@@ -1018,7 +1018,7 @@
+ 
+ int main(int argc, char **argv)
+ {
+-  struct arguments args;
++  struct arguments args = {};
+   char *homedir = getenv("HOME");
+   char *channel = NULL;
+   int lnb = -1, idx = -1;
diff -Nru 
v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
 
v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
--- 
v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
  1970-01-01 01:00:00.0 +0100
+++ 
v4l-utils-1.16.3/debian/patches/0005-libdvbv5-leaks-and-double-free-in-dvb_fe_open_fname.patch
  2019-04-14 14:28:25.0 +0200
@@ -0,0 +1,93 @@
+Subject: libdvbv5: leaks and double free in dvb_fe_open_fname()
+Author: Sean Young 
+Origin: upstream, 
https://git.linuxtv.org/v4l-utils.git/commit/?h=stable-1.16=c82608ca1595427c2bdbd4abb9aca9163e1df60a
+Bug-Ubuntu: https://bugs.launchpad.net/raspbian/+bug/1819650
+
+dvb_fe_open_fname() takes ownership of fname if the function succeeds, but
+also in two of the error paths (e.g. if the ioctl FE_GET_PROPERTY fails).
+
+Adjust dvb_fe_open_fname() so it copies fname rather than taking ownership
+(and passing that to params). This makes the code cleaner.
+
+Signed-off-by: Sean Young 
+---
+ lib/libdvbv5/dvb-dev-local.c |  2 +-
+ lib/libdvbv5/dvb-fe.c| 18 --
+ 2 files changed, 9 insertions(+), 11 deletions(-)
+
+--- a/lib/libdvbv5/dvb-dev-local.c
 b/lib/libdvbv5/dvb-dev-local.c
+@@ -467,7 +467,7 @@
+   flags &= ~O_NONBLOCK;
+   }
+ 
+-  ret = dvb_fe_open_fname(parms, strdup(dev->path), flags);
++  ret = dvb_fe_open_fname(parms, dev->path, flags);
+   if (ret) {
+   free(open_dev);
+   return NULL;
+--- a/lib/libdvbv5/dvb-fe.c
 b/lib/libdvbv5/dvb-fe.c
+@@ -133,7 +133,6 @@
+ int flags)
+ {
+

Bug#925936: release.debian.org: Would v4l-utils 1.16.5 match unblocking criteria?

2019-03-31 Thread Niels Thykier 
Control: tags -1 moreinfo

Gregor Jasny:
> Package: release.debian.org
> Severity: normal
> 
> Hello,
> 
> the v4l-utils version in testing (1.16.3) contains some serious bugs:
> * A double free in libdvbv5
> * Uninitialized memory
> * A FTBFS Bug for Ubuntu ARM architectures (Qt OpenGL ES vs. Desktop)
> 
> Upstream released 1.16.5 which is a bugfix release.
> 
> To get a overview about the commits please visit
> https://git.linuxtv.org/v4l-utils.git/log/?h=stable-1.16
> 
> I also attach a debdiff (which is much noisier due to autoconf and
> gettext changes).
> 
> Would you consider an unblock request for 1.16.5? Or should I pick just
> the absolutely necessary patches and apply them to 1.16.3? 
> 
> Thanks,
> Gregor
> 
> [...]
Hi Gregor,

Thanks for request to improve Debian buster.

The changes you highlighted might be relevant for us.  However, the full
debdiff has too much noise to do an evaluation.  Could I have you
provide a filtered debdiff where you remove translations and
auto-generated?  Please also include the filterdiff command used so we
know what we are not reviewing.  When you have uploaded, please remove
the moreinfo tag.

Thanks,
~Niels