[Debian-med-packaging] Bug#991841: unblock: perm/0.4.0-6

Nilesh Patra nilesh at debian.org
Tue Aug 3 06:49:46 BST 2021


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: nilesh at debian.org, debian-med-packaging at lists.alioth.debian.org

Please unblock package perm

[ Reason ]
An autopkgtest was recently added to perm on its git repository, which
resulted in uncovering a buffer overflow. Here's the log:

https://salsa.debian.org/med-team/perm/-/jobs/1788156

AIUI, this is a security issue and such issues are RC

[ Impact ]
The user's machine will contain a version of perm which can potentially
cause a buffer overflow

[ Tests ]
Autopkgtests have been added for this release

[ Risks ]
Perm is a leaf package; I do not see any risks

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Some stuff like installing docs in d/docs, or installing autopkgtests in
d/examples might look redundant, but they are needed to run tests in a
sane fashion. These changes are not too major, and are rather harmless.

unblock perm/0.4.0-6
diff -Nru perm-0.4.0/debian/changelog perm-0.4.0/debian/changelog
--- perm-0.4.0/debian/changelog	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/changelog	2021-08-03 00:31:10.000000000 +0530
@@ -1,3 +1,24 @@
+perm (0.4.0-6) unstable; urgency=medium
+
+  * Team Upload.
+  [ Shruti Sridhar ]
+  * d/tests/data: Add testdata
+  * d/tests: Add autopkgtest
+  * d/example: Install test data as example
+  * d/docs: Install d/README.* and d/tests/run-unit-test
+    as documents
+  * d/p/hardening.patch: Add CPPFLAGS which helped detect
+    buffer overflow
+  * d/copyright: Test data has been written by Shruti, mentioning
+    them in copyright for the same
+
+  [ Nilesh Patra ]
+  * d/p/fix-buffer-overflow.patch: Use strlcpy from libbsd-dev
+    instead of strncpy in order to fix buffer overflow
+  * d/control: Add B-D on libbsd-dev
+
+ -- Nilesh Patra <nilesh at debian.org>  Tue, 03 Aug 2021 00:31:10 +0530
+
 perm (0.4.0-5) unstable; urgency=medium
 
   * Standards-Version: 4.5.1 (routine-update)
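Review bot: the entry `* d/example: Install test data as example` names a file that is not in this debdiff; the file actually added is debian/examples, so write d/examples so the changelog matches the tree. Two smaller points: `* Team Upload.` is conventionally followed by a blank line before the `[ Shruti Sridhar ]` attribution block, and the fix-buffer-overflow entry would be easier to trace later if it cited where the overflow was observed (the salsa CI job linked in the request) or a bug number, since no CVE is referenced anywhere in the diff.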
diff -Nru perm-0.4.0/debian/control perm-0.4.0/debian/control
--- perm-0.4.0/debian/control	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/control	2021-08-02 21:22:22.000000000 +0530
@@ -3,7 +3,7 @@
 Uploaders: Andreas Tille <tille at debian.org>
 Section: science
 Priority: optional
-Build-Depends: debhelper-compat (= 13)
+Build-Depends: debhelper-compat (= 13), libbsd-dev
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/med-team/perm
 Vcs-Git: https://salsa.debian.org/med-team/perm.git
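Review bot: libbsd-dev in Build-Depends covers the `-lbsd` link, but the runtime dependency on libbsd0 also has to reach the binary package; confirm that the Depends field (outside this hunk) carries `${shlibs:Depends}` so dh_shlibdeps adds it, otherwise the new strlcpy symbol will be unresolved at load time on a system without libbsd0.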
diff -Nru perm-0.4.0/debian/copyright perm-0.4.0/debian/copyright
--- perm-0.4.0/debian/copyright	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/copyright	2021-08-03 00:31:10.000000000 +0530
@@ -12,6 +12,10 @@
                2014-2017 Andreas Tille <tille at debian.org>
 License: Apache-2.0
 
+Files: debian/tests/data/*
+Copyright: Shruti Sridhar <shruti.sridhar99 at gmail.com>
+License: Apache-2.0
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
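Review bot: the new `Copyright:` line has no year; the machine-readable copyright format expects `Copyright: 2021 Shruti Sridhar <shruti.sridhar99 at gmail.com>` in line with the existing stanzas in this file.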
diff -Nru perm-0.4.0/debian/docs perm-0.4.0/debian/docs
--- perm-0.4.0/debian/docs	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/docs	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+debian/README*
+debian/tests/run-unit-test
\ No newline at end of file
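Review bot: the file is missing its trailing newline (`\ No newline at end of file`); debhelper accepts it, but add one for the sake of diff tools and editors. Installing debian/tests/run-unit-test under /usr/share/doc is unusual but justified here, since README.test tells the user to run `sh run-unit-test` from that directory.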
diff -Nru perm-0.4.0/debian/examples perm-0.4.0/debian/examples
--- perm-0.4.0/debian/examples	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/examples	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1 @@
+debian/tests/data/*
\ No newline at end of file
diff -Nru perm-0.4.0/debian/patches/fix-buffer-overflow.patch perm-0.4.0/debian/patches/fix-buffer-overflow.patch
--- perm-0.4.0/debian/patches/fix-buffer-overflow.patch	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/patches/fix-buffer-overflow.patch	2021-08-03 00:30:42.000000000 +0530
@@ -0,0 +1,42 @@
+Description: Use strlcpy from libbsd-dev instead of strncpy in order to avoid buffer overflow
+Author: Nilesh Patra <nilesh at debian.org>
+Last-Update: 2021-08-03
+--- a/makefile
++++ b/makefile
+@@ -2,7 +2,7 @@
+ CC = g++ -O2 $(CFLAGS)
+ 
+ TARGETS = perm
+-LIBS = -lm -lstdc++ 
++LIBS = -lm -lstdc++ -lbsd 
+  
+ PER_M = AlignmentsQ.cpp Filename.cpp GenomeNTdata.cpp ReadInBits.cpp PerM.cpp chromosomeNTdata.cpp\
+ bitsOperationUtil.cpp FileOutputBuffer.cpp HashIndexT.cpp ReadInBitsSet.cpp SeedPattern.cpp\
+--- a/stdafx.h
++++ b/stdafx.h
+@@ -12,6 +12,7 @@
+ #include <stdio.h>
+ #include "time.h"
+ #include "Filename.h"
++#include <bsd/string.h>
+ //#ifdef WIN32
+ #include "chdir.h"
+ //#else
+@@ -174,14 +175,14 @@
+     return(true);
+ }
+ 
+-inline char* myStrCpy(char* caBuf, const char* str, int iBufSize)
++inline int myStrCpy(char* caBuf, const char* str, int iBufSize)
+ {
+     if (caBuf == NULL) {
+         ERR;
+-        return(NULL);
++        return(-1);
+     }
+     int iBufSizeMinus1 = iBufSize - 1;
+-    char* returnV = strncpy(caBuf, str, iBufSizeMinus1);
++    int returnV = strlcpy(caBuf, str, iBufSizeMinus1);
+     if (iBufSizeMinus1 >= 0) {
+         caBuf[iBufSizeMinus1] = '\0';
+     } else {
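Review bot: the size guard is still on the wrong side of the copy. `int iBufSizeMinus1 = iBufSize - 1;` is followed directly by `strlcpy(caBuf, str, iBufSizeMinus1);`, so for iBufSize <= 0 a negative int is converted to strlcpy's size_t parameter, becomes a very large bound, and the copy runs unbounded before `if (iBufSizeMinus1 >= 0)` is ever evaluated; the strncpy version had the same ordering defect. Hoist the check above the copy, e.g. `if (caBuf == NULL || iBufSize <= 0) { ERR; return(-1); }`. Second, strlcpy always NUL-terminates within the size it is given, so passing iBufSizeMinus1 and then writing `caBuf[iBufSizeMinus1] = '\0'` throws away a byte of capacity for nothing; the idiomatic call is `strlcpy(caBuf, str, iBufSize)` with the manual terminator removed. Third, the return type changes from `char*` to `int` while strlcpy returns the length of `str` as size_t: a result `>= iBufSize` means truncation and should be reported rather than silently handed back, and any caller that used the old pointer result will no longer compile, so please confirm none did (the debdiff touches no callers).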
diff -Nru perm-0.4.0/debian/patches/hardening.patch perm-0.4.0/debian/patches/hardening.patch
--- perm-0.4.0/debian/patches/hardening.patch	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/hardening.patch	2021-08-02 17:25:32.000000000 +0530
@@ -2,14 +2,14 @@
 Last-Update: Fri, 25 Apr 2014 18:39:38 +0200
 Description: Propagate hardening options
 
---- Source.orig/makefile
-+++ Source/makefile
-@@ -24,7 +24,7 @@
+--- a/makefile
++++ b/makefile
+@@ -24,7 +24,7 @@ install:	all
  
  perm:	$(PER_M)
  	make clean
 -	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS)
-+	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS)
++	$(CC) -o $@ $(CFLAGS) $(LIB_PATH) $(PER_M) $(LIBS) $(LDFLAGS) $(CPPFLAGS)
  	#$(CC) -o $@ $(LIB_PATH) *.o $(LIBS)
  
  tar:	clean
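Review bot: `$(CPPFLAGS)` is appended after `$(LDFLAGS)` at the very end of the link line. That works here only because this one command both compiles the .cpp sources in `$(PER_M)` and links them, so the `-D_FORTIFY_SOURCE=2` that dpkg-buildflags puts in CPPFLAGS reaches the preprocessor; the conventional order is `$(CPPFLAGS) $(CFLAGS) ... $(LDFLAGS)`, and if the build is ever split into separate .o compilation (the commented-out `*.o` line suggests it once was) the flag would have to move to the compile rule. Since the changelog credits this flag with detecting the overflow, the patch Description could say that it enables the fortified string checks rather than just "Propagate hardening options".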
diff -Nru perm-0.4.0/debian/patches/series perm-0.4.0/debian/patches/series
--- perm-0.4.0/debian/patches/series	2020-11-24 14:40:20.000000000 +0530
+++ perm-0.4.0/debian/patches/series	2021-08-02 21:46:09.000000000 +0530
@@ -2,3 +2,4 @@
 hardening.patch
 spelling.patch
 gcc7.patch
+fix-buffer-overflow.patch
diff -Nru perm-0.4.0/debian/README.test perm-0.4.0/debian/README.test
--- perm-0.4.0/debian/README.test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/README.test	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,14 @@
+Notes on how this package can be tested.
+????????????????????????????????????????
+
+This package can be tested by running the provided test:
+
+    sh run-unit-test
+
+in order to confirm its integrity.
+
+Notes on the files used for testing 
+????????????????????????????????????????
+Files: debian/tests/data/*
+
+The Ref.fasta and Reads.fasta file were written for testing this package. 
\ No newline at end of file
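Review bot: the two underline rows render as runs of `?`, which means the file contains non-ASCII characters that the debdiff or the mailer could not encode; use plain `=` or `-` underlines so the README reads correctly everywhere. Also "The Ref.fasta and Reads.fasta file were written" should read "files were written", and the file is missing its trailing newline.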
diff -Nru perm-0.4.0/debian/tests/control perm-0.4.0/debian/tests/control
--- perm-0.4.0/debian/tests/control	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/control	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,3 @@
+Tests: run-unit-test
+Depends: @
+Restrictions: allow-stderr
diff -Nru perm-0.4.0/debian/tests/data/Reads.fasta perm-0.4.0/debian/tests/data/Reads.fasta
--- perm-0.4.0/debian/tests/data/Reads.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Reads.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>reads
+ATGCGCATCGACATGACATACGACATCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/data/Ref.fasta perm-0.4.0/debian/tests/data/Ref.fasta
--- perm-0.4.0/debian/tests/data/Ref.fasta	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/data/Ref.fasta	2021-08-02 17:25:32.000000000 +0530
@@ -0,0 +1,2 @@
+>ref
+ATGCTAGCATACGACTACAGCATACAGCATCAGACTACGACATCAGACTACAGCATACAGCAATACGACTACAGCATACGACTACAGCATCAGATGCTACGCAGACTACGACATCAGACTACAGCATACGACATCAGACTACTACAGACACAGACACGACGACGACGACTACGACACGACGACTACATCAGACGACGACAGCAGCAGCGACAGCAGACGACATACGACAGCATACGACGACAGACATCAGACGACGACGACGACGACGACGACGACCAGACGCATCAGCAGACACGACGAAAAAAAGGAGCATCAGCA
\ No newline at end of file
diff -Nru perm-0.4.0/debian/tests/run-unit-test perm-0.4.0/debian/tests/run-unit-test
--- perm-0.4.0/debian/tests/run-unit-test	1970-01-01 05:30:00.000000000 +0530
+++ perm-0.4.0/debian/tests/run-unit-test	2021-08-03 00:31:10.000000000 +0530
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+pkg=perm
+
+export LC_ALL=C.UTF-8
+if [ "${AUTOPKGTEST_TMP}" = "" ] ; then
+  AUTOPKGTEST_TMP=$(mktemp -d /tmp/${pkg}-test.XXXXXX)
+  trap "rm -rf ${AUTOPKGTEST_TMP}" 0 INT QUIT ABRT PIPE TERM
+fi
+
+cp -a /usr/share/doc/${pkg}/examples/* "${AUTOPKGTEST_TMP}"
+
+cd "${AUTOPKGTEST_TMP}"
+
+perm Ref.fasta Reads.fasta -v 100 -A -o out.sam  
+[ -s "out.sam" ] || exit 1
+echo "PASS test"
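Review bot: the only assertion is `[ -s "out.sam" ]`, so the test catches a crash (with `set -e`, the fortify abort that exposed the original overflow fails the script) but not a silently wrong or header-only output; consider also asserting on the content of out.sam, for example that it contains a record for the single read in Reads.fasta. Minor: the `perm Ref.fasta ... -o out.sam` line has trailing whitespace, and the script declares `#!/bin/bash` while README.test invokes it with `sh`; it uses no bashisms, so either is fine, but pick one and make the README match.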
