[Debian-med-packaging] Bug#991841: unblock: perm/0.4.0-6
Nilesh Patra
nilesh at debian.org
Tue Aug 3 06:49:46 BST 2021
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: nilesh at debian.org, debian-med-packaging at lists.alioth.debian.org
Please unblock package perm
[ Reason ]
An autopkgtest was recently added to perm on its git repository, which
resulted in uncovering a buffer overflow. Here's the log:
https://salsa.debian.org/med-team/perm/-/jobs/1788156
AIUI, this is a security issue, and such issues are RC.
[ Impact ]
The user's machine will contain a version of perm which can potentially
cause a buffer overflow.
[ Tests ]
Autopkgtests have been added for this release
[ Risks ]
Perm is a leaf package; I do not see any risks.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Some stuff like installing docs in d/docs, or installing autopkgtests in
d/examples might look redundant, but they are needed to run tests in a
sane fashion. These changes are not too major, and are rather harmless.
unblock perm/0.4.0-6
diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog 2021-08-03 00:31:10.000000000 +0530
@@ -1,3 +1,24 @@
+perm (0.4.0-6) unstable; urgency=medium
+
+ * Team Upload.
+ [ Shruti Sridhar ]
+ * d/tests/data: Add testdata
+ * d/tests: Add autopkgtest
+ * d/example: Install test data as example
+ * d/docs: Install d/README.* and d/tests/run-unit-test
+ as documents
+ * d/p/hardening.patch: Add CPPFLAGS which helped detect
+ buffer overflow
+ * d/copyright: Test data has been written by Shruti, mentioning
+ them in copyright for the same
+
+ [ Nilesh Patra ]
+ * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+ instead of strncpy in order to fix buffer overflow
+ * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <nilesh at debian.org> Tue, 03 Aug 2021 00:31:10 +0530
+
perm (0.4.0-5) unstable; urgency=medium
* Standards-Version: 4.5.1 (routine-update)
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control 2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
Uploaders: Andreas Tille <tille at debian.org>
Section: science
Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/med-team/perm
Vcs-Git: https://salsa.debian.org/med-team/perm.git
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright 2021-08-03 00:31:10.000000000 +0530
@@ -12,6 +12,10 @@
2014-2017 Andreas Tille <tille at debian.org>
License: Apache-2.0
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <shruti.sridhar99 at gmail.com>
+License: Apache-2.0
+
License: Apache-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch 2021-08-03 00:30:42.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow
+Author: Nilesh Patra <nilesh at debian.org>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+
+ TARGETS = perm
+-LIBS = -lm -lstdc++
++LIBS = -lm -lstdc++ -lbsd
+
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+ return(true);
+ }
+
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+ if (caBuf == NULL) {
+ ERR;
+- return(NULL);
++ return(-1);
+ }
+ int iBufSizeMinus1 = iBufSize - 1;
+- char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++ int returnV = strlcpy(caBuf, str, iBufSizeMinus1);
+ if (iBufSizeMinus1 >= 0) {
+ caBuf[iBufSizeMinus1] = '\0';
+ } else {
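Review bot: in the myStrCpy hunk the `iBufSizeMinus1 >= 0` check still runs after the copy, so a call with `iBufSize <= 0` hands strlcpy a negative int that converts to a huge size_t; move that size check ahead of the copy (return -1 early when `iBufSize <= 0`). Two further points on the same hunk: the old code already terminated at `caBuf[iBufSizeMinus1] = '\0'`, so what strlcpy actually changes is that it stops writing at strlen(str) instead of zero-padding all of iBufSizeMinus1 bytes; if the fortify report in the linked job came from a caller passing an iBufSize larger than its destination, this swap hides that call rather than correcting the size, so that caller is worth checking. Also, the return type changes from `char*` to `int` while strlcpy returns size_t, so every caller that tested the result against NULL needs updating, and since strlcpy NUL-terminates within the size it is given, it can take `iBufSize` directly rather than `iBufSizeMinus1`.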
diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/hardening.patch 2021-08-02 17:25:32.000000000 +0530
@@ -2,14 +2,14 @@
Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
Description: Propagate hardening options
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install: all
perm: $(PER_M)
make clean
- $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++ $(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS)
#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
tar: clean
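Review bot: `$(CPPFLAGS)` is appended to the link rule rather than to the `CC = g++ -O2 $(CFLAGS)` definition at the top of the makefile; it takes effect here only because this rule compiles the `$(PER_M)` .cpp sources and links them in the same g++ invocation. Putting `$(CPPFLAGS)` (and `$(CXXFLAGS)`, which this makefile never reads for its C++ sources) into the CC definition makes the hardening defines apply to every compile, whichever rule builds the objects.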
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series 2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series 2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
hardening.patch
spelling.patch
gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+????????????????????????????????????????
+
+This package can be tested by running the provided test:
+
+ sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing
+????????????????????????????????????????
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package.
\ No newline at end of file
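Review bot: the two heading underlines in README.test come through as runs of `?`, which is what a non-ASCII underline character looks like once the file is read in the wrong encoding; since this file is installed under /usr/share/doc, plain ASCII `=` or `-` underlines avoid the problem. The text also tells the reader to run `sh run-unit-test` without saying that the script copies its data from /usr/share/doc/perm/examples, so a sentence stating that the package must be installed first would help; and the file is missing its trailing newline.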
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta 2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test 1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/run-unit-test 2021-08-03 00:31:10.000000000 +0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+ AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+ trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam
+[ -s "out.sam" ] || exit 1
+echo "PASS test"
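Review bot: the only assertion is `[ -s "out.sam" ]`, which passes on any non-empty output, including a file holding nothing but SAM header lines; a check on the content, for instance that the read name `reads` from Reads.fasta appears as a QNAME in out.sam, would let the test catch a regression in the alignment itself rather than only a crash. Minor: the shebang is `#!/bin/bash` while README.test invokes the script with `sh run-unit-test`; the script only uses POSIX constructs, so either change the shebang to `#!/bin/sh` or document running it with bash.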