Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, Would it be possible to consider a stable update to gcab 1.2-3 (or its equivalent as a stable upload)? It fixes a data corruption bug, #913487; that’s the only change between 1.2-2, which is in Buster, and 1.2-3, which is in Bullseye. The debdiff is as follows: diff -Nru gcab-1.2/debian/changelog gcab-1.2/debian/changelog --- gcab-1.2/debian/changelog 2018-12-22 12:37:31.000000000 +0100 +++ gcab-1.2/debian/changelog 2019-07-06 10:18:07.000000000 +0200 @@ -1,3 +1,10 @@ +gcab (1.2-3) unstable; urgency=medium + + * Apply upstream patch to fix corruption when extracting. + Closes: #931487. LP: #1835589. + + -- Stephen Kitt <sk...@debian.org> Sat, 06 Jul 2019 10:18:07 +0200 + gcab (1.2-2) unstable; urgency=medium * Avoid needing PATH_MAX, so we can build on Hurd. Closes: #888640; diff -Nru gcab-1.2/debian/patches/overflow.patch gcab-1.2/debian/patches/overflow.patch --- gcab-1.2/debian/patches/overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ gcab-1.2/debian/patches/overflow.patch 2019-07-06 10:16:47.000000000 +0200 @@ -0,0 +1,44 @@ +commit 5619f4cd2ca3108c8dea17ba656b5ce44a60ca29 +Author: Marc-André Lureau <marcandre.lur...@redhat.com> +Date: Fri Jan 11 19:42:40 2019 +0400 + + Revert "decomp: fix gcc warning strict-overflow" + + The warning doesn't happen with current build-sys. + + The overlapping behaviour is undefined with memcpy. memmove doesn't + have the same semantic either than the loop. Let's revert! + + Fixes: + https://gitlab.gnome.org/GNOME/gcab/issues/12 + + This reverts commit e48074952743f53d8ac529d4debc421e7e0f6937. + + Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com> + +diff --git a/libgcab/decomp.c b/libgcab/decomp.c +index 64d97f8..0c2b184 100644 +--- a/libgcab/decomp.c ++++ b/libgcab/decomp.c +@@ -1015,9 +1015,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) { + window_posn += match_length; + + /* copy match data - no worries about destination wraps */ +- memcpy(rundest, runsrc, match_length); +- rundest += match_length; +- runsrc += match_length; ++ while (match_length-- > 0) *rundest++ = *runsrc++; + } + } + break; +@@ -1106,9 +1104,7 @@ int LZXfdi_decomp(int inlen, int outlen, fdi_decomp_state *decomp_state) { + window_posn += match_length; + + /* copy match data - no worries about destination wraps */ +- memcpy(rundest, runsrc, match_length); +- rundest += match_length; +- runsrc += match_length; ++ while (match_length-- > 0) *rundest++ = *runsrc++; + } + } + break; diff -Nru gcab-1.2/debian/patches/series gcab-1.2/debian/patches/series --- gcab-1.2/debian/patches/series 2018-12-22 12:34:22.000000000 +0100 +++ gcab-1.2/debian/patches/series 2019-07-06 10:17:15.000000000 +0200 @@ -2,3 +2,4 @@ zalloc_integer_overflow.patch no-git-version.patch do-not-use-path-max.patch +overflow.patch Regards, Stephen -- System Information: Debian Release: 10.0 APT prefers stable-debug APT policy: (500, 'stable-debug'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
