Debian Bug report logs - #584233
dpkg-source: silently breaks debian/patches/series if it has no trailing newline

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: dpkg-source: silently breaks debian/patches/series if it has no trailing newline

Date: Wed, 2 Jun 2010 15:31:22 +0200

[Message part 1 (text/plain, inline)]

Package: dpkg-dev
Version: 1.15.7.2
Severity: minor

Wierd things happen if debian/patches/series doesn't end with a newline 
character:

$ dget http://people.debian.org/~hertzog/packages/debsrc3.0/sample2_1.0-1.dsc
[snip]

$ dpkg-source -x sample2_1.0-1.dsc
dpkg-source: warning: extracting unsigned source package (sample2_1.0-1.dsc)
dpkg-source: info: extracting sample2 in sample2-1.0
dpkg-source: info: unpacking sample2_1.0.orig.tar.bz2
dpkg-source: info: unpacking sample2_1.0-1.debian.tar.bz2
dpkg-source: info: applying change-something
dpkg-source: info: applying debian-changes-1.0-1

$ cd sample2-1.0/

$ quilt pop
Removing patch debian-changes-1.0-1
Restoring upstream/README

$ echo -n change-something > debian/patches/series

$ echo something else > upstream/README

$ dpkg-buildpackage -S -us -uc
dpkg-buildpackage: export CPPFLAGS from dpkg-buildflags (origin: vendor):
dpkg-buildpackage: export CFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export CXXFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export FFLAGS from dpkg-buildflags (origin: vendor): -g -O2
dpkg-buildpackage: export LDFLAGS from dpkg-buildflags (origin: vendor):
dpkg-buildpackage: source package sample2
dpkg-buildpackage: source version 1.0-1
dpkg-buildpackage: source changed by Raphael Hertzog <hertzog@debian.org>
 fakeroot debian/rules clean
dh clean
   dh_testdir
   dh_auto_clean
   dh_clean
 dpkg-source -b sample2-1.0
dpkg-source: info: using source format `3.0 (quilt)'
dpkg-source: info: building sample2 using existing ./sample2_1.0.orig.tar.bz2
dpkg-source: info: local changes stored in sample2-1.0/debian/patches/debian-changes-1.0-1, the modified files are:
 sample2-1.0/upstream/README
dpkg-source: info: building sample2 in sample2_1.0-1.debian.tar.gz
dpkg-source: info: building sample2 in sample2_1.0-1.dsc
 dpkg-genchanges -S >../sample2_1.0-1_source.changes
dpkg-genchanges: including full source code in upload
dpkg-buildpackage: full upload (original source is included)

$ cat debian/patches/series
change-somethingdebian-changes-1.0-1


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dpkg-dev depends on:
ii  base-files        5.6                    Debian base system miscellaneous f
ii  binutils          2.20.51.20100527-1     The GNU assembler, linker and bina
ii  bzip2             1.0.5-4                high-quality block-sorting file co
ii  libdpkg-perl      1.15.7.2               Dpkg perl modules
ii  make              3.81-8                 An utility for Directing compilati
ii  patch             2.6-2                  Apply a diff file to an original
ii  xz-utils          4.999.9beta+20100527-1 XZ-format compression utilities

Versions of packages dpkg-dev recommends:
ii  build-essential               11.5       Informational list of build-essent
ii  fakeroot                      1.14.4-1   Gives a fake root environment
ii  gcc [c-compiler]              4:4.4.4-1  The GNU C compiler
ii  gcc-4.3 [c-compiler]          4.3.5-1    The GNU C compiler
ii  gcc-4.4 [c-compiler]          4.4.4-3    The GNU C compiler
ii  gcc-4.5 [c-compiler]          4.5.0-4    The GNU C compiler
ii  gnupg                         1.4.10-4   GNU privacy guard - a free PGP rep
ii  gpgv                          1.4.10-4   GNU privacy guard - signature veri
pn  libalgorithm-merge-perl       <none>     (no description available)
ii  tcc [c-compiler]              0.9.25-3   the smallest ANSI C compiler

Versions of packages dpkg-dev suggests:
ii  debian-keyring                2010.03.31 GnuPG (and obsolete PGP) keys of D

-- no debconf information

-- 
Jakub Wilk

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 584233-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>

To: 584233-submitter@bugs.debian.org

Subject: Bug#584233 marked as pending

Date: Sat, 17 May 2014 12:09:19 +0000

tag 584233 pending
thanks

Hello,

Bug #584233 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=6b153d0

---
commit 6b153d07845ebcc98b195d47d07638b21c43db29
Author: Guillem Jover <guillem@debian.org>
Date:   Sat May 17 03:34:04 2014 +0200

    Dpkg::Source::Package::V3::Quilt: Handle series files with no final newline
    
    Do not mangle the series files when the last line is missing a newline,
    by loading and saving the file with the added patch. This is quite ugly
    in general, but fixes the immediate problem. The code will be getting a
    general overhaul in due time.
    
    Closes: #584233

diff --git a/debian/changelog b/debian/changelog
index dc840d5..0422e21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,8 @@ dpkg (1.17.10) UNRELEASED; urgency=low
     - Add missing Dpkg::Deps::Multiple profile_is_concerned() and
       reduce_profiles() methods, inherited by Dpkg::Deps::Union,
       Dpkg::Deps::AND and Dpkg::Deps::OR.
+  * Do not mangle quilt series files with a missing newline on the last line.
+    Closes: #584233
 
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).

Message #15 received at 584233-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>

To: 584233-close@bugs.debian.org

Subject: Bug#584233: fixed in dpkg 1.17.10

Date: Thu, 05 Jun 2014 19:48:41 +0000

Source: dpkg
Source-Version: 1.17.10

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 584233@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Jun 2014 20:18:04 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.17.10
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 584233 731530 734452 746122 746498 746973 747148 747370 748012 748544 749044 749183 750105
Changes: 
 dpkg (1.17.10) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Use libtool to build the static libraries, which makes it possible to
     embed libcompat inside libdpkg, as required by some external programs
     linking against the latter. Closes: #746122
   * Fix word wrapping logic in dselect. Regression introduced in dpkg 1.17.3.
   * Fix possible out of bounds buffer read access in the error output on
     bogus ar member sizes.
   * Fix memory leaks in buffer_copy() on error conditions.
   * Test suite:
     - Improve C code coverage.
     - Add template test cases for most perl modules.
     - Add test cases for Dpkg::Deps OR relationships.
     - Add minimal test case for Dpkg::Source::Quilt.
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Fix non-security sensitive TOCTOU race in triggers database loading.
   * Fix non-security sensitive TOCTOU race in update-alternative alternative
     database loading.
   * Fix non-security sensitive TOCTOU race in update-alternative rename code.
   * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
     prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
     Closes: #731530
   * Move dpkg-architecture -L argument to the Commands --help output section.
   * Make dpkg-maintscript-helper print only once that we are moving a
     conffile, and not on every interim state transition. Closes: #747370
   * Do not use global match variables in perl code.
   * Man pages:
     - Attempt to clarify and improve wording of some strange or confused
       constructs. Reported by Helge Kreutzmann.
     - Expand Vcs-* field names into each supported field name in
       deb-src-control(5) to make it easier to search for them.
     - Change control.tar.gz reference to simply control.tar in deb(5).
     - Document in dpkg-deb(1) -Z option that bzip2 and lzma are deprecated.
     - Add notes in dpkg-gensymbols(1) about symbol backward-compatibility.
       Based on a patch by Bernhard R. Link <brlink@debian.org>.
       Closes: #746973
     - Document that dpkg-buildpackage(1) -j argument is optional.
     - Add current and deprecated media types to deb(5).
     - Document in dpkg(1) that --audit now does more than just searching for
       partially installed packages.
   * Add support for automatic parallel job selection in dpkg-buildpackage,
     matching currently active processors, when using -jauto. Closes: #748012
   * Perl modules:
     - Bump $VERSION for Dpkg::Patch, missed in 1.16.1.
     - Bump $VERSION for Dpkg::Deps, missed in 1.17.0.
     - Update and fix CHANGES POD sections for public modules.
     - Add missing Dpkg::Deps::Multiple profile_is_concerned() and
       reduce_profiles() methods, inherited by Dpkg::Deps::Union,
       Dpkg::Deps::AND and Dpkg::Deps::OR.
   * Do not mangle quilt series files with a missing newline on the last line.
     Closes: #584233
   * Quiesce tar warnings in cron job by redirecting stderr to /dev/null, as
     it seems --warning=none does not work correctly. Closes: #748544
   * Do not emit a trailing space from Dpkg::Control::Hash on a field's empty
     first line. Bump dpkg-dev Breaks on devscripts to 2.14.4, as previous
     versions expect a trailing space from dpkg-parsechangelog output.
     Based on a patch by Johannes Schauer <j.schauer@email.de>. Closes: #749044
   * Do not assume that sensible-editor is present on «dpkg-source --commit»,
     as that command is very Debian specific. Fallback to try VISUAL, EDITOR,
     or vi, if the previous commands are either unset or not found.
   * Use badusage() instead of ohshit() on dpkg --ignore-depends argument
     parsing errors.
   * Add per package dpkg --audit support.
   * Add support for DragonFlyBSD to ostable and triplettable.
     Thanks to Hleb Valoshka <375gnu@gmail.com>.
   * Add support for DragonFlyBSD to start-stop-daemon. Closes: #734452
     Based on a patch by Hleb Valoshka <375gnu@gmail.com>.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * Italian (Milo Casagrande). Closes: #750105
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
 .
   [ Raphaël Hertzog ]
   * Let dpkg-source unpack additional tarballs in a deterministic order.
     Thanks to Samuel Bronson for the report. Closes: #747148
Checksums-Sha1: 
 c91e1e1bb0dc5918f20e3874c4b371425dac0da3 2055 dpkg_1.17.10.dsc
 2d88ef04db662d046fadb005bb31667fc0ba64de 4198340 dpkg_1.17.10.tar.xz
 be325d2d7fac12f031e537b5ed269724542f118c 799530 libdpkg-dev_1.17.10_amd64.deb
 ab90f4afdca78f0a5b8cf359b6c1c31c8c3f9e66 2704088 dpkg_1.17.10_amd64.deb
 6e9d00f6e0e8155085c619090292a548373842c5 1059422 dselect_1.17.10_amd64.deb
 8c56a5720faf36231f2ce88c271d34941bb4d61b 1425374 dpkg-dev_1.17.10_all.deb
 6bbd6bddfe2a6af99cfbf547e5de9abbb48d7a81 974696 libdpkg-perl_1.17.10_all.deb
Checksums-Sha256: 
 8552763122f36a4ede1e040dee28a84202de9f4b65dbcc90e2c068101d2a599d 2055 dpkg_1.17.10.dsc
 a3a6d4da2b99484c04b2aa8af83d59d87a988baea627d276308467b22310b4d9 4198340 dpkg_1.17.10.tar.xz
 a6b8ed0b95af7748ee3daf9e297c94bb0ab166d7908bbc46e2f5ef5ab93c08b1 799530 libdpkg-dev_1.17.10_amd64.deb
 81a2e6111e825e8a01caa8bf2c8876d806fe9e7297deea0eb61e5a9d93c9a82c 2704088 dpkg_1.17.10_amd64.deb
 1a8a3924786f18c9e0432b8cb34c8c99576dd96221fab9cda2a0f3b5b7606d51 1059422 dselect_1.17.10_amd64.deb
 ba58996d596f73a312b9d92bf01f40f2eeac1ba6db4011875bfbd685371c9619 1425374 dpkg-dev_1.17.10_all.deb
 702028918cfda7e1eaf7391717818b2e6dd05b00b02e4091ea084791e8308234 974696 libdpkg-perl_1.17.10_all.deb
Files: 
 7c8852829f4caa99b6c3a232915ac28c 799530 libdevel optional libdpkg-dev_1.17.10_amd64.deb
 90ba5aa300a72a9a54eeda5990b2641f 2704088 admin required dpkg_1.17.10_amd64.deb
 b6f581a13931bfedde3719dc4340b476 1059422 admin optional dselect_1.17.10_amd64.deb
 405cccbb6024ecb98fa6fc8939365cbc 1425374 utils optional dpkg-dev_1.17.10_all.deb
 be5fa2aa735a59ec34d1e4c889c6b7d4 974696 perl optional libdpkg-perl_1.17.10_all.deb
 274a6b2892d179ed04ad916dd2103676 2055 admin required dpkg_1.17.10.dsc
 545f3cbac8b5f0b3d888574f3f79936c 4198340 admin required dpkg_1.17.10.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJTkMS1AAoJELlyvz6krlejNxcP+wT/0vQECEQh1CI3DIS9aPYE
FfvmpoHioGn8dE8Su318SeZy+IADIis9IeE6GytqwMGIIekh6tC4ES574GRuLiRc
Edy4IrAlLnrGfM5VbAh5f1F9vmgZkBy2Z8R/oRjnQthgy5SUbGe1Bx9jqbh2sR4k
94EsdCuAxTiDI9+O15prM2u3Vxe7TD4Z7n9kjD3Tj35THVp6okpj1qGbTQ9bQJ04
nIcaWtZf6NXxyTNvXJ9Ac8Cdv47q1/CB4yXNQf47v0U6Rjorvh3EHkWyEtVpP1Ps
JVprxVwuxb9ayYn5j2MeBcMWS3igyowsh9a23+lZCwz0SALChZMHeYV74TB1/b8p
Gc53g6jSjI6bKK5xy5hst7tcG/ALmY0HE+jpkgVK/EJPwGKYq1julwgjd6kmrHA+
MBGs3p5ZTbR2PmzLYAmyzD2Ctabz7dFHZpMJ0c3pPsrGLUYD89gSZqp2k4zmrPIp
EEkhJNCsUFJbnG0ZpEw5aYCCHgPcKWazvsGh/DgYYytrWatJkmzgZi4I8KW+jEYG
85volBskw5V6aqJWJ9Sum/W2A11iR3El46YKqfqqSI83D2ucLWE5eXaMF3o5x+LP
AJ/XshrbiouHSu4GKiH/N7WGbD9OSYpnU/fdNbtiw+GNUC5KfsztDFWUWmiX4JP1
XzNrK95rGu/atNhtRghC
=d8BF
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.