[Debian-med-packaging] conquest-dicom-server_1.14.16-1_amd64.changes REJECTED
Mathieu Malaterre
malat at debian.org
Fri Jul 27 19:10:03 UTC 2012
Hi Luca,
Quick question for clarification, see below.
On Fri, Jul 27, 2012 at 8:54 PM, Luca Falavigna <ftpmaster at debian.org> wrote:
> some issues discovered by one of our tireless trainees:
>
> - Short description merely repeats the package name.
Agreed, will update.
> - License file: license for debian/* mentions "same as above", which is
> confusing, and I don't think you mean the libjpeg license.
Sloppy me. I'll clarify my licensing terms.
> - Everything is installed in /usr/lib, which appears to be wrong. The binary
> called dgate should go to /usr/lib/cgi-bin (even upstream installs it there),
As per §3.7 of webapps:
http://webapps-common.alioth.debian.org/draft/html/ch-issues.html#s-issues-archdep
I believe my installation in '/usr/lib/PACKAGE' is correct, right?
> the configuration file dicom.ini should go to /etc, sample.cq should go to
> /usr/share/doc/conquest-dicom-server/examples, and the rest to /usr/share.
Agreed.
> - conquest-dicom-server-1.14.16/jpeg_encoder.cpp has different authors and
> different coding style than other source files in that directory. No mention
> of a license. Authors not mentioned in debian/copyright.
Your tireless trainee is definitely very good at finding those. Thanks.
> - Cppcheck shows a number of errors, including buffer overruns, mismatched
> new[]/delete, dangerous use of strncpy(). Since this is run as a CGI server,
> these things could be exploited by remote users.
>
> [./device.cpp:778]: (error) Dangerous usage of 's' (strncpy doesn't always 0-terminate it)
> [./dgate.cpp:16228]: (error) Uninitialized variable: format
> [./dgate.cpp:5306]: (error) Array 'items[4]' index 4 out of bounds
> [./dgate.cpp:5560]: (error) Uninitialized variable: owned
> [./nkiqrsop.cpp:5406]: (error) Uninitialized variable: buffer
> [./rtc.cxx:608]: (error) Mismatching allocation and deallocation: StringTable
> [./rtc.cxx:673]: (error) Mismatching allocation and deallocation: StringTable
> [./rtc.cxx:774]: (error) Mismatching allocation and deallocation: StringTable
> [buffer.cxx:433]: (error) Mismatching allocation and deallocation: Data
> [device.cpp:247]: (error) Array 'PID[255]' index 255 out of bounds
> [device.cpp:2748]: (error) Array 'PatientID[255]' index 255 out of bounds
> [device.cpp:778]: (error) Dangerous usage of 's' (strncpy doesn't always 0-terminate it)
> [dgate.cpp:10309]: (error) Possible null pointer dereference: IPCBlockPtrInstance
> [dgate.cpp:16228]: (error) Uninitialized variable: format
> [dgate.cpp:5306]: (error) Array 'items[4]' index 4 out of bounds
> [dgate.cpp:5560]: (error) Uninitialized variable: owned
> [rtc.cxx:608]: (error) Mismatching allocation and deallocation: StringTable
> [rtc.cxx:673]: (error) Mismatching allocation and deallocation: StringTable
> [rtc.cxx:774]: (error) Mismatching allocation and deallocation: StringTable
Agreed. But the task seems overwhelming for me. I need to talk to
upstream first.
Thanks!
-M
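An added illustration, not part of the mail above nor of the conquest-dicom-server sources, of the two cppcheck finding classes quoted in it: an strncpy() that leaves the destination unterminated, and a terminator written at index N of an N-element array; the 16-byte buffer and the sample identifiers are constructed for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Reproduces the "strncpy doesn't always 0-terminate" finding: when the source
// is at least as long as the destination, strncpy copies exactly n bytes and
// writes no NUL. Returns true only if a terminator ended up inside dst.
// dst is a constructed 16-byte buffer standing in for a fixed-size field.
bool strncpy_terminates(const char *src) {
    char dst[16];
    std::memset(dst, 'X', sizeof dst);        // sentinel so a missing NUL is visible
    std::strncpy(dst, src, sizeof dst);
    return std::memchr(dst, '\0', sizeof dst) != nullptr;
}

// Hardened replacement: bounded copy that always terminates inside the array
// and reports truncation instead of silently dropping the NUL. The terminator
// lands at index n <= dst_size - 1, which also avoids the "Array 'PID[255]'
// index 255 out of bounds" pattern (writing buf[N] on an N-element buffer).
// Returns the number of characters stored, excluding the terminator.
std::size_t safe_copy(char *dst, std::size_t dst_size, const char *src, bool &truncated) {
    if (dst_size == 0) { truncated = true; return 0; }
    std::size_t len = std::strlen(src);
    std::size_t n = (len < dst_size - 1) ? len : dst_size - 1;
    std::memcpy(dst, src, n);
    dst[n] = '\0';                            // always inside the array
    truncated = (len > n);
    return n;
}

// Helpers for the checks: copy into a constructed 16-byte buffer and expose
// the terminated content and the truncation flag separately.
std::string copy_into_16(const char *src) {
    char dst[16];
    bool truncated = false;
    safe_copy(dst, sizeof dst, src, truncated);
    return std::string(dst);                  // safe: dst is guaranteed terminated
}

bool copy_into_16_truncates(const char *src) {
    char dst[16];
    bool truncated = false;
    safe_copy(dst, sizeof dst, src, truncated);
    return truncated;
}
```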