GNU bug report logs - #69007
diffoscope: Update to 256. [security fixes]


Package: guix-patches;

Reported by: Vagrant Cascadian <vagrant <at> reproducible-builds.org>

Date: Fri, 9 Feb 2024 21:28:01 UTC

Severity: normal

Done: Vagrant Cascadian <vagrant <at> reproducible-builds.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#69007; Package guix-patches. (Fri, 09 Feb 2024 21:28:01 GMT)

Acknowledgement sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 09 Feb 2024 21:28:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
To: guix-patches <at> gnu.org
Subject: diffoscope: Update to 256. [security fixes]
Date: Fri, 09 Feb 2024 13:27:02 -0800
[Message part 1 (text/plain, inline)]
The attached patch updates diffoscope to 256, which contains a security
fix for directory traversals when using gpg.

Both diffoscope and its dependent, reprotest, still build fine!

I am not sure what the expedited process for security updates is, but
if there is anything I can do, please let me know!

live well,
  vagrant
[0001-gnu-diffoscope-Update-to-256.-security-fixes.patch (text/x-diff, inline)]
From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant <at> debian.org>
Date: Fri, 9 Feb 2024 12:58:57 -0800
Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]

Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361

* gnu/packages/diffoscope.scm (diffoscope): Update to 256.
---
 gnu/packages/diffoscope.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
index 626ac00425..f4d271f690 100644
--- a/gnu/packages/diffoscope.scm
+++ b/gnu/packages/diffoscope.scm
@@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
 (define-public diffoscope
   (package
     (name "diffoscope")
-    (version "255")
+    (version "256")
     (source
      (origin
        (method git-fetch)
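Review bot: the `+    (version "256")` line only changes which tag `(commit version)` resolves to, and a tag is a mutable reference, so the actual content pin for this update is the sha256 in the following hunk; before merging, reviewers should confirm that the 256 tag really contains the fix for the salsa issue #361 named in the "Fixes:" trailer, since nothing in this hunk records that on its own. No change to the package definition's documentation is needed for a plain version bump.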
@@ -83,7 +83,7 @@ (define-public diffoscope
              (commit version)))
        (file-name (git-file-name name version))
        (sha256
-        (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
+        (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
     (build-system python-build-system)
     (arguments
      (list
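Review bot: the new base32 hash in the `+        (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))` line should be reproduced independently rather than accepted from the patch: check out upstream's 256 tag and run `guix hash -rx .` in that checkout (excluding `.git`, as the `git-fetch` origin does), then compare the result with the hash above. A mismatch would indicate either a retagged upstream or a hash computed from the wrong tree, and with `(commit version)` as the only other binding, this hash is what guarantees users get the tree that carries the security fix. With reprotest as the single dependent, a full rebuild check is cheap and worth doing alongside the hash check.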

base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca
-- 
2.39.2

[signature.asc (application/pgp-signature, inline)]

Information forwarded to guix-patches <at> gnu.org:
bug#69007; Package guix-patches. (Fri, 09 Feb 2024 21:42:02 GMT)

Message #8 received at 69007 <at> debbugs.gnu.org (full text, mbox):

From: John Kehayias <john.kehayias <at> protonmail.com>
To: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
Cc: 69007 <at> debbugs.gnu.org
Subject: Re: bug#69007: diffoscope: Update to 256. [security fixes]
Date: Fri, 09 Feb 2024 21:41:27 +0000
Hi vagrant!

On Fri, Feb 09, 2024 at 01:27 PM, Vagrant Cascadian wrote:

> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!
>

Great, thank you! (following up here for posterity; discussed via IRC)

> I am not sure what the expedited process for security updates is, but
> if there is anything I can do, please let me know!
>

As we discussed, we should formalize some CC-ing of the security list,
or a separate security team for reviewing patches (for public flaws,
rather than reporting them). And making sure "[security fixes]" is
noted, as you did here, for easy sorting.

> live well,
>   vagrant
>
> From 9dcababcf0e94ddab30de91054e04400b263879c Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant <at> debian.org>
> Date: Fri, 9 Feb 2024 12:58:57 -0800
> Subject: [PATCH] gnu: diffoscope: Update to 256. [security fixes]
>

In any event, patch looks good and as a leaf with a pretty trivial
patch, I think you would be clear to push directly to begin with. There
was some discussion a while back at what is "trivial," but a version
update with 1 dependent is about as easy as it gets. Perhaps another
thing to make sure we are on the same page about but I doubt anyone
would complain if you had pushed this directly.

We could also let QA build, since it is back up, but again, very minor
concern here if something were to break.

Anyway, please do push! I might put "[security fixes]" before the period
in the commit message to match previous ones, but that is very minor.

Thanks again!
John

> Fixes: https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/361
>
> * gnu/packages/diffoscope.scm (diffoscope): Update to 256.
> ---
>  gnu/packages/diffoscope.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/diffoscope.scm b/gnu/packages/diffoscope.scm
> index 626ac00425..f4d271f690 100644
> --- a/gnu/packages/diffoscope.scm
> +++ b/gnu/packages/diffoscope.scm
> @@ -74,7 +74,7 @@ (define-module (gnu packages diffoscope)
>  (define-public diffoscope
>    (package
>      (name "diffoscope")
> -    (version "255")
> +    (version "256")
>      (source
>       (origin
>         (method git-fetch)
> @@ -83,7 +83,7 @@ (define-public diffoscope
>               (commit version)))
>         (file-name (git-file-name name version))
>         (sha256
> -        (base32 "07mkmwp3ni2dh5w5q2vxkc588l5dabcly3jrd8ic62318si7d400"))))
> +        (base32 "1sdg314a3hp2kv492130p8w7j8mlhymij7h2rndm4q7gqrshp6jf"))))
>      (build-system python-build-system)
>      (arguments
>       (list
>
> base-commit: 513755d64debb44096f21e323a5b89a7a597d2ca

Reply sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
You have taken responsibility. (Fri, 09 Feb 2024 22:20:01 GMT)

Notification sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
bug acknowledged by developer. (Fri, 09 Feb 2024 22:20:02 GMT)

Message #13 received at 69007-done <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
To: 69007-done <at> debbugs.gnu.org
Subject: Re: diffoscope: Update to 256. [security fixes]
Date: Fri, 09 Feb 2024 14:18:52 -0800
[Message part 1 (text/plain, inline)]
On 2024-02-09, Vagrant Cascadian wrote:
> The attached patch updates diffoscope to 256, which contains a security
> fix for directory traversals when using gpg.
>
> Both diffoscope and its dependent, reprotest, still build fine!

Pushed as 30196aec07dab8cc0f4a614b160f1857377a6a84.

live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 09 Mar 2024 12:24:05 GMT)
