Package: xdelta3 Version: 3.0.8-dfsg-1.1 Severity: normal Tags: patch pending
Dear Andrea, I've prepared an NMU for xdelta3 (versioned as 3.0.8-dfsg-1.2) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. This really should have been included in my previous NMU already (adding the tests and fixing the lzma tests). Regards, Salvatore
diff -Nru xdelta3-3.0.8-dfsg/debian/changelog xdelta3-3.0.8-dfsg/debian/changelog
--- xdelta3-3.0.8-dfsg/debian/changelog 2016-02-10 21:33:48.000000000 +0100
+++ xdelta3-3.0.8-dfsg/debian/changelog 2016-02-19 19:11:56.000000000 +0100
@@ -1,3 +1,12 @@
+xdelta3 (3.0.8-dfsg-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Update CVE-2014-9765.patch.
+ Add as well tests that the default appheader works.
+ * Fix LZMA tests (Closes: #740284)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 19 Feb 2016 13:23:39 +0100
+
 xdelta3 (3.0.8-dfsg-1.1) unstable; urgency=high
 * Non-maintainer upload.
diff -Nru xdelta3-3.0.8-dfsg/debian/patches/CVE-2014-9765.patch xdelta3-3.0.8-dfsg/debian/patches/CVE-2014-9765.patch
--- xdelta3-3.0.8-dfsg/debian/patches/CVE-2014-9765.patch 2016-02-10 21:33:48.000000000 +0100
+++ xdelta3-3.0.8-dfsg/debian/patches/CVE-2014-9765.patch 2016-02-19 19:11:56.000000000 +0100
@@ -2,14 +2,21 @@
 Origin: upstream, https://github.com/jmacd/xdelta/commit/969e65d3a5d70442f5bafd726bcef47a0b48edd8
 Bug-Debian: https://bugs.debian.org/814067
 Forwarded: not-needed
-Author: "josh.macdonald" <jm...@users.noreply.github.com>
+Author: Josh MacDonald <josh.macdon...@gmail.com>
 Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
 Last-Update: 2016-02-10
 Applied-Upstream: 3.0.9
+---
+ xdelta3-main.h | 5 ++--
+ xdelta3-test.h | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 83 insertions(+), 5 deletions(-)
+
+diff --git a/xdelta3-main.h b/xdelta3-main.h
+index 090b7d9..5146b38 100644
 --- a/xdelta3-main.h
 +++ b/xdelta3-main.h
-@@ -2810,14 +2810,15 @@ main_get_appheader (xd3_stream *stream,
+@@ -2810,14 +2810,15 @@ main_get_appheader (xd3_stream *stream, main_file *ifile,
 if (appheadsz > 0)
 {
@@ -27,3 +34,132 @@
 {
 *slash = 0;
 parsed[place++] = start;
+diff --git a/xdelta3-test.h b/xdelta3-test.h
+index e9848b6..dd45528 100644
+--- a/xdelta3-test.h
++++ b/xdelta3-test.h
+@@ -166,7 +166,7 @@ static int do_cmd (xd3_stream *stream, const char *buf)
+ {
+ stream->msg = "abnormal command termination";
+ }
+- return XD3_INTERNAL;
++ return ret;
+ }
+ return 0;
+ }
+@@ -429,12 +429,12 @@ test_compare_files (const char* tgt, const char *rec)
+ }
+
+ static int
+-test_save_copy (const char *origname)
++test_copy_to (const char *from, const char *to)
+ {
+ char buf[TESTBUFSIZE];
+ int ret;
+
+- snprintf_func (buf, TESTBUFSIZE, "cp -f %s %s", origname, TEST_COPY_FILE);
++ snprintf_func (buf, TESTBUFSIZE, "cp -f %s %s", from, to);
+
+ if ((ret = system (buf)) != 0)
+ {
+@@ -445,6 +445,12 @@ test_save_copy (const char *origname)
+ }
+
+ static int
++test_save_copy (const char *origname)
++{
++ return test_copy_to(origname, TEST_COPY_FILE);
++}
++
++static int
+ test_file_size (const char* file, xoff_t *size)
+ {
+ struct stat sbuf;
+@@ -2361,6 +2367,76 @@ test_no_output (xd3_stream *stream, int ignore)
+ return 0;
+ }
+
++/* This tests that the default appheader works */
++static int
++test_appheader (xd3_stream *stream, int ignore)
++{
++ int i;
++ int ret;
++ char buf[TESTBUFSIZE];
++ char bogus[TESTBUFSIZE];
++ xoff_t ssize, tsize;
++ test_setup ();
++
++ if ((ret = test_make_inputs (stream, &ssize, &tsize))) { return ret; }
++
++ snprintf_func (buf, TESTBUFSIZE, "%s -q -f -e -s %s %s %s", program_name,
++ TEST_SOURCE_FILE, TEST_TARGET_FILE, TEST_DELTA_FILE);
++ if ((ret = do_cmd (stream, buf))) { return ret; }
++
++ if ((ret = test_copy_to (program_name, TEST_RECON2_FILE))) { return ret; }
++
++ snprintf_func (buf, TESTBUFSIZE, "chmod 0700 %s", TEST_RECON2_FILE);
++ if ((ret = do_cmd (stream, buf))) { return ret; }
++
++ if ((ret = test_save_copy (TEST_TARGET_FILE))) { return ret; }
++ if ((ret = test_copy_to (TEST_SOURCE_FILE, TEST_TARGET_FILE))) { return ret; }
++
++ if ((ret = test_compare_files (TEST_TARGET_FILE, TEST_COPY_FILE)) == 0)
++ {
++ return XD3_INVALID; // I.e., files are different!
++ }
++
++ // Test that the target file is restored.
++ snprintf_func (buf, TESTBUFSIZE, "(cd /tmp && %s -q -f -d %s)",
++ TEST_RECON2_FILE,
++ TEST_DELTA_FILE);
++ if ((ret = do_cmd (stream, buf))) { return ret; }
++
++ if ((ret = test_compare_files (TEST_TARGET_FILE, TEST_COPY_FILE)) != 0)
++ {
++ return ret;
++ }
++
++ // Test a malicious string w/ entries > 4 in the appheader by having
++ // the encoder write it:
++ for (i = 0; i < TESTBUFSIZE / 4; ++i)
++ {
++ bogus[2*i] = 'G';
++ bogus[2*i+1] = '/';
++ }
++ bogus[TESTBUFSIZE/2-1] = 0;
++
++ snprintf_func (buf, TESTBUFSIZE,
++ "%s -q -f -A=%s -e -s %s %s %s", program_name, bogus,
++ TEST_SOURCE_FILE, TEST_TARGET_FILE, TEST_DELTA_FILE);
++ if ((ret = do_cmd (stream, buf))) { return ret; }
++ // Then read it:
++ snprintf_func (buf, TESTBUFSIZE, "(cd /tmp && %s -q -f -d %s)",
++ TEST_RECON2_FILE,
++ TEST_DELTA_FILE);
++ if ((ret = do_cmd (stream, buf)) == 0)
++ {
++ return XD3_INVALID; // Impossible
++ }
++ if (!WIFEXITED(ret))
++ {
++ return XD3_INVALID; // Must have crashed!
++ }
++
++ return 0;
++}
++
+ /***********************************************************************
+ Source identical optimization
+ ***********************************************************************/
+@@ -2848,6 +2924,7 @@ xd3_selftest (void)
+ DO_TEST (force_behavior, 0, 0);
+ DO_TEST (stdout_behavior, 0, 0);
+ DO_TEST (no_output, 0, 0);
++ DO_TEST (appheader, 0, 0);
+ DO_TEST (command_line_arguments, 0, 0);
+
+ #if EXTERNAL_COMPRESSION
+--
+2.7.0
+
diff -Nru xdelta3-3.0.8-dfsg/debian/patches/fix_lzma_test.patch xdelta3-3.0.8-dfsg/debian/patches/fix_lzma_test.patch
--- xdelta3-3.0.8-dfsg/debian/patches/fix_lzma_test.patch 1970-01-01 01:00:00.000000000 +0100
+++ xdelta3-3.0.8-dfsg/debian/patches/fix_lzma_test.patch 2016-02-19 19:11:56.000000000 +0100
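Review bot: The last check in test_appheader (the xdelta3-test.h part of CVE-2014-9765.patch), `if (!WIFEXITED(ret))`, is unlikely to notice a decoder that dies on a signal. The command runs through `system()` inside a `(cd /tmp && …)` subshell, and a shell normally reports a signal-killed child as an ordinary exit with a status above 128. A decoder that segfaults on the oversized appheader would therefore still yield a non-zero, WIFEXITED status, and this regression test would pass. Consider `if (!WIFEXITED(ret) || WEXITSTATUS(ret) >= 128)` there, or compare against the decoder's expected failure status. The check also depends on do_cmd now returning the raw `system()` status; most of do_cmd's body lies outside the hunk, so that is inferred.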
@@ -0,0 +1,25 @@
+Description: Fix LZMA tests
+Origin: upstream, https://github.com/jmacd/xdelta-devel/commit/806836136cec2eeb763b4b539d4d41bc2c5bbf5c
+Bug: https://github.com/jmacd/xdelta/issues/159
+Bug-Debian: https://bugs.debian.org/740284
+Forwarded: not-needed
+Author: Josh MacDonald <josh.macdon...@gmail.com>
+Reviewed-by: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2016-02-19
+
+---
+
+--- a/xdelta3-test.h
++++ b/xdelta3-test.h
+@@ -1059,9 +1059,9 @@ test_decompress_single_bit_error (xd3_st
+ }
+
+ /* Check expected non-failures */
+- if (non_failures != expected_non_failures)
++ if (non_failures > expected_non_failures)
+ {
+- XPR(NT "non-failures %u; expected %u",
++ XPR(NT "non-failures %u > expected %u",
+ non_failures, expected_non_failures);
+ stream->msg = "incorrect";
+ return XD3_INTERNAL;
diff -Nru xdelta3-3.0.8-dfsg/debian/patches/series xdelta3-3.0.8-dfsg/debian/patches/series
--- xdelta3-3.0.8-dfsg/debian/patches/series 2016-02-10 21:33:48.000000000 +0100
+++ xdelta3-3.0.8-dfsg/debian/patches/series 2016-02-19 19:11:56.000000000 +0100
@@ -4,3 +4,4 @@
 Q_not_u
 manpage_lzma
 CVE-2014-9765.patch
+fix_lzma_test.patch
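Review bot: The relaxed condition `non_failures > expected_non_failures` in test_decompress_single_bit_error is one-sided, so any lower count, including zero, now passes, and nothing in the code says why that is acceptable. If fewer undetected single-bit errors than expected is a legitimate outcome (presumably what the LZMA case produces), record that next to the condition, e.g. `/* Fewer non-failures than expected is fine; only an excess means corrupted input went undetected. */`. The function's body starts and ends outside the hunk, so how expected_non_failures is derived is not visible here.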