
Bug#1055588: marked as done (bookworm-pu: package jdupes/1.21.3-1+deb12u1)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1055588,
regarding bookworm-pu: package jdupes/1.21.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1055588: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055588
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jdupes@packages.debian.org
Control: affects -1 + src:jdupes

[ Reason ]
jdupes is a fork of fdupes. A bug was introduced by the initial fork some
years ago. The current fdupes in Debian is already fixed. A warning about this
bug was sent to me by the jdupes upstream (Jody Bruchon) via email.

The help option for jdupes says:
  -d --delete: prompt user for files to preserve and delete all
               others; [...]

Using the command 'jdupes -d .', a prompt will appear:

  Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):

It is a mistake to set 2-4 because jdupes considers one file only. Setting
'2-4', file 2 will be kept and files 3 and 4 will be deleted. The
sentence 'keep which files? (1 - 5' induces users to use a range, which is
not valid. Currently, jdupes is not denying this behaviour and it is causing
data loss.

[ Impact ]
If the update isn't approved, the users can be induced to select a range of
files and it will cause a possible data loss.

[ Tests ]
Some manual tests have been done over jdupes with a patch created by the
upstream. I also tested fdupes to verify if it would be necessary to open a bug
against this package. The current fdupes has no issues.

[ Risks ]
There are no risks, because the patch to fix the issue is trivial, making a
check for data inputs and generating better messages for the users.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A patch, created by the upstream, will improve the messages to be shown to
users and will add checks for inputs.

[ Other info ]
No more info.
diff -Nru jdupes-1.21.3/debian/changelog jdupes-1.21.3/debian/changelog
--- jdupes-1.21.3/debian/changelog	2023-02-20 06:51:57.000000000 -0300
+++ jdupes-1.21.3/debian/changelog	2023-11-08 11:24:57.000000000 -0300
@@ -1,3 +1,12 @@
+jdupes (1.21.3-1+deb12u1) bookworm; urgency=medium
+
+  * debian/patches/010_fix-data-loss.patch: created to avoid a potential data
+    loss caused by a wrong message that induces the users to use a range of
+    values with -d option. Currently, the -d option doesn't understand ranges.
+    (Closes: #1054237)
+
+ -- Joao Eriberto Mota Filho <eriberto@debian.org>  Wed, 08 Nov 2023 11:24:57 -0300
+
 jdupes (1.21.3-1) unstable; urgency=medium
 
   * New upstream version 1.21.3.
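Review bot: the new changelog entry attributes the data loss only to "a wrong message", but the quilt patch it introduces also changes behaviour by refusing answers that contain '-', other unexpected characters, or out-of-range numbers ("taking no action"). Mention the added input validation in the entry so the behaviour change is documented, and consider citing the upstream commit given in the patch's Origin field.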
diff -Nru jdupes-1.21.3/debian/patches/010_fix-data-loss.patch jdupes-1.21.3/debian/patches/010_fix-data-loss.patch
--- jdupes-1.21.3/debian/patches/010_fix-data-loss.patch	1969-12-31 21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/010_fix-data-loss.patch	2023-11-08 11:24:57.000000000 -0300
@@ -0,0 +1,78 @@
+Description: fix potential data loss
+             The help option for jdupes says:
+               -d --delete: prompt user for files to preserve and delete all
+                            others; [...]
+             .
+             Using the command 'jdupes -d .', a prompt will appear:
+               Set 1 of 1: keep which files? (1 - 5, [a]ll, [n]one, [l]ink all, [s]ymlink all):
+             It is a mistake to set 2-4 because the jdupes considers one file
+             only. Setting '2-4', the file 2 will be kept and the files 3 and 4
+             will be deleted. The sentence 'keep which files? (1 - 5' induces
+             the users to use a range and it is not valid. Currently, jdupes is
+             not denying this behaviour and it is generating a data loss.
+             .
+             This patch fixes this issue.
+Author: Jody Bruchon <jody@jodybruchon.com>
+Origin: https://codeberg.org/jbruchon/jdupes/commit/4888e85
+Bug-Debian: https://bugs.debian.org/1054237
+Last-Update: 2023-10-19
+Index: jdupes/act_deletefiles.c
+===================================================================
+--- jdupes.orig/act_deletefiles.c
++++ jdupes/act_deletefiles.c
+@@ -101,8 +101,8 @@ void deletefiles(file_t *files, int prom
+         for (x = 2; x <= counter; x++) preserve[x] = 0;
+       } else do {
+         /* Prompt for files to preserve */
+-        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one",
+-          curgroup, groups, counter);
++        printf("Specify multiple files with commas like this: 1,2,4,6\n");
++        printf("Set %u of %u: keep which files? (1 - %u, [a]ll, [n]one", curgroup, groups, counter);
+ #ifndef NO_HARDLINKS
+        printf(", [l]ink all");
+ #endif
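Review bot: in the prompt printf, the text "(1 - %u" that invited range input is left as it was and only a separate hint line is printed before it. Reword the prompt itself so it no longer resembles range syntax, for example "(1 to %u", or fold the comma hint into the same line. The hint sits inside the "} else do {" loop, so it is repeated on every re-prompt; confirm that is intended.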
+@@ -139,6 +139,33 @@ void deletefiles(file_t *files, int prom
+ 
+         for (x = 1; x <= counter; x++) preserve[x] = 0;
+ 
++	/* Catch attempts to use invalid characters and block them */
++        for (char *pscheck = preservestr; *pscheck != '\0'; pscheck++) {
++          switch (*pscheck) {
++            case ',':
++            case ' ':
++            case 'a':
++            case 'A':
++            case 's':
++            case 'S':
++            case 'l':
++            case 'L':
++            case 'n':
++            case 'N':
++            case '\n':
++            case '\0':
++              continue;
++	    default:
++	      break;
++	  }
++          if (*pscheck >= '0' && *pscheck <= '9') continue;
++          if (*pscheck == '-') {
++            fprintf(stderr, "error: number ranges are not yet supported; taking no action\n");
++	    goto skip_deletion;
++	  }
++          fprintf(stderr, "error: invalid character '%c' in preserve answer; taking no action\n", *pscheck);
++	  goto skip_deletion;
++        }
+         token = strtok(preservestr, " ,\n");
+         if (token != NULL) {
+ #if defined NO_HARDLINKS && defined NO_SYMLINKS
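Review bot: the new character check in the for loop over preservestr works per character, so the letters a/s/l/n (either case) are accepted at any position, including inside a numeric token such as "1a"; validating each token as a whole after strtok() would be stricter. The "case '\0':" label can never match because the loop condition "*pscheck != '\0'" ends the loop first, so it can be dropped. The added lines mix tabs and spaces for indentation, unlike the surrounding context lines.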
+@@ -172,6 +199,10 @@ void deletefiles(file_t *files, int prom
+           number = 0;
+           sscanf(token, "%u", &number);
+           if (number > 0 && number <= counter) preserve[number] = 1;
++          else {
++            fprintf(stderr, "invalid number '%u' in preserve answer; taking no action\n", number);
++            goto skip_deletion;
++	  }
+ 
+           token = strtok(NULL, " ,\n");
+         }
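Review bot: the new else branch prints "number", but number is reset to 0 before sscanf(token, "%u", &number) and the sscanf return value is not checked, so a token that does not parse as a number is reported as "invalid number '0'" instead of what the user typed. Print the token itself with %s and check that sscanf returned 1. The message also lacks the "error:" prefix used by the two messages added in the previous hunk.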
diff -Nru jdupes-1.21.3/debian/patches/series jdupes-1.21.3/debian/patches/series
--- jdupes-1.21.3/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ jdupes-1.21.3/debian/patches/series	2023-11-08 11:24:57.000000000 -0300
@@ -0,0 +1 @@
+010_fix-data-loss.patch

--- End Message ---
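
The parsing behaviour described under [ Reason ], as an added example (not jdupes code and not part of the original message). parse_lenient is modelled on the strtok()/sscanf("%u") context lines visible in the patch; parse_strict, MAX_FILES, DELIMS and the buffer size are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_FILES 64   /* assumed upper bound for this example */
#define DELIMS " ,\n"  /* same delimiters as the strtok() call in the patch */

/* Lenient parse, modelled on the sscanf("%u") context lines: the token "2-4"
 * is read as 2 and the rest is ignored. Returns how many tokens were accepted. */
int parse_lenient(const char *answer, unsigned counter, int *preserve)
{
    char buf[128];
    int accepted = 0;
    if (strlen(answer) >= sizeof buf) return -1;
    strcpy(buf, answer);
    for (char *tok = strtok(buf, DELIMS); tok; tok = strtok(NULL, DELIMS)) {
        unsigned number = 0;
        sscanf(tok, "%u", &number);
        if (number > 0 && number <= counter) { preserve[number] = 1; accepted++; }
    }
    return accepted;
}

/* Strict parse: every token must be a complete decimal number in 1..counter.
 * Returns the number kept, or -1 with preserve[] untouched on any bad token. */
int parse_strict(const char *answer, unsigned counter, int *preserve)
{
    char buf[128], *end;
    int tmp[MAX_FILES + 1] = {0}, kept = 0;
    if (counter > MAX_FILES || strlen(answer) >= sizeof buf) return -1;
    strcpy(buf, answer);
    for (char *tok = strtok(buf, DELIMS); tok; tok = strtok(NULL, DELIMS)) {
        errno = 0;
        unsigned long n = strtoul(tok, &end, 10);
        if (tok[0] < '0' || tok[0] > '9' || *end != '\0' ||
            errno == ERANGE || n < 1 || n > counter) return -1;
        if (!tmp[n]) { tmp[n] = 1; kept++; }
    }
    if (kept == 0) return -1;   /* nothing selected: refuse rather than guess */
    memcpy(preserve, tmp, (counter + 1) * sizeof tmp[0]);
    return kept;
}

int main(void)
{
    int a[6] = {0}, b[6] = {0};  /* constructed case: one set of 5 duplicates */
    printf("lenient: %d kept, strict: %d\n", parse_lenient("2-4", 5, a), parse_strict("2-4", 5, b));
    return 0;
}
```
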
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
