[Raspbian-devel] libpam-yubico and signed char on arm in debian and derivatives

peter green plugwash at p10link.net
Fri Mar 8 01:08:44 UTC 2013


Simon Josefsson wrote:
> On Thu 2013-03-07 at 13:51 +0000, peter green wrote:
>   
>> I am a cofounder of a project called raspbian to provide a hard float 
>> derivative of debian for the raspberry pi. A user reported a bug to us 
>> about libpam-yubico related (so the reporter claims) to char signedness 
>> and linked to a commit in upstream git.
>>
>> https://bugs.launchpad.net/raspbian/+bug/1039577
>> https://github.com/Yubico/yubico-c-client/commit/6fcc3d49d1d9b733c5bd04e4e60d400ed97cda40
>>
>> If this can be reproduced on an official debian port then IMO it's a 
>> grave bug. However I don't own a yubikey myself so there is no way I can 
>> test it and I don't feel comfortable filing a grave bug in debian that I 
>> can't reproduce myself.
>>     
>
> Hi!  If you could build and run the self-test of the ykclient package on
> an internet-connected machine, that should hopefully trigger the bug.
> If so, please file a bug.  Version 2.9 should fix this problem, and
> doesn't contain anything critical, so maybe it could be uploaded if
> indeed this is a grave bug.  I don't have access to any armel devices
> easily.
>   
Ok, the plot thickens.

It seems the signed char bug in the base64 code was made apparent in
debian when they reenabled the testsuite with version 2.8-1 and was
fixed by version 2.8-2. Unfortunately 2.8-1 didn't migrate to testing
because of build failures and 2.8-2 didn't migrate to testing because
of the freeze. Below is a diffstat between the version in testing and
the version in unstable.

plugwash at raspbian:~$ debdiff /home/repo/sourcearchive/main/y/ykclient/ykclient_2.6-1.dsc /home/repo/sourcearchive/main/y/ykclient/ykclient_2.8-2.dsc | diffstat 
 COPYING                    |    2 
 ChangeLog                  |  195 +++
 Makefile.am                |    8 
 Makefile.in                |   18 
 NEWS                       |   29 
 README                     |   15 
 aclocal.m4                 |  256 ++++
 b64/cdecode.c              |   15 
 config.guess               |  223 ++--
 config.sub                 |  156 +-
 configure                  | 1767 ++++++++++++++++++++++----------
 configure.ac               |   13 
 debian/changelog           |   17 
 debian/control             |    2 
 debian/rules               |    1 
 ltmain.sh                  | 2437 ++++++++++++++++++++++++++++++---------------
 m4/libcurl.m4              |  240 ----
 m4/libtool.m4              | 1078 +++++++++++++------
 m4/ltversion.m4            |   12 
 simple.mk                  |    2 
 tests/Makefile.am          |    6 
 tests/Makefile.in          |   16 
 tests/selftest.c           |   52 
 tool.c                     |   37 
 ykclient.c                 |  641 +++++++----
 ykclient.h                 |   17 
 ykclient_server_response.c |   41 
 ykclient_server_response.h |    2 
 28 files changed, 4920 insertions(+), 2378 deletions(-)
plugwash at raspbian:~$

Even with the autohell stuff filtered out, the debdiff (filtered debdiff attached) 
still looks pretty intimidating. Release team, how should we play this? Do you want
to unblock the version in sid or should we look into backporting the base64 fix to
the version in wheezy?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ykclient-autohellfiltered.debdiff
URL: <http://lists.alioth.debian.org/pipermail/raspbian-devel/attachments/20130308/bcdf4e7c/attachment-0001.ksh>
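
Added example, not part of the original message and not ykclient's code: how a base64 decoder that marks non-base64 bytes with -1 in a char-typed table cell misdecodes when that cell is unsigned, the kind of char signedness problem the thread refers to. All function names are hypothetical, the sample input is constructed, and the use of a -1 sentinel in the affected code is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Base64 digit value, or -1 for any other byte (newline, '=' padding, ...). */
static int b64_digit(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The value passes through a table cell, as with `static const char tbl[]`.
 * Plain char is unsigned on Debian's ARM ports and signed on x86, so both
 * cell types are spelled out to make the example behave the same anywhere. */
static int cell_unsigned(unsigned char c) { unsigned char v = (unsigned char)b64_digit(c); return v; }
static int cell_signed(unsigned char c) { signed char v = (signed char)b64_digit(c); return v; }

typedef int (*lookup_fn)(unsigned char);

/* Decode `in`, skipping bytes whose lookup is negative; returns bytes written. */
static size_t b64_decode(const char *in, unsigned char *out, lookup_fn lookup) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; in++) {
        int v = lookup((unsigned char)*in);
        if (v < 0) continue;   /* never taken when -1 was stored as 255 */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    return n;
}

/* 1 if `in` decodes exactly to `expected` with the given lookup, else 0. */
static int decodes_to(const char *in, const char *expected, lookup_fn lookup) {
    unsigned char out[64];   /* large enough for the constructed sample */
    size_t n = b64_decode(in, out, lookup);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void) {
    const char *sample = "aGVs\nbG8=";   /* constructed: "hello" with a line break */
    printf("signed cell:   %d\n", decodes_to(sample, "hello", cell_signed));
    printf("unsigned cell: %d\n", decodes_to(sample, "hello", cell_unsigned));
    return 0;
}
```

Declaring such a table as `signed char` makes the result independent of the platform's default for plain `char`.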

