debian/control

Source: tardiff
Section: utils
Priority: optional
Maintainer: Axel Beckert
Build-Depends: debhelper (>= 9~)
Standards-Version: 3.9.4
Homepage: http://tardiff.coolprojects.org/
Vcs-Git: git://anonscm.debian.org/collab-maint/tardiff.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/tardiff.git

Package: tardiff
Architecture: all
Depends: libtext-diff-perl, ${misc:Depends}, ${perl:Depends}
Description: Tarball comparison tool
 TarDiff compares the contents of two tarballs and reports on any
 differences found between them. Its use is mainly for release managers
 who can use it as a QA tool to make sure no files have accidentally been
 left over or were added by mistake. TarDiff supports compressed tarballs,
 diff statistics and suppression of GNU autotool changes.

debian/changelog

tardiff (0.1-2+deb8u2build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Marc Deslauriers  Tue, 24 May 2016 09:23:53 -0400

tardiff (0.1-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add fix for shell command injection via tar filename itself. This fix
    is as well part of the CVE-2015-0857 assignment but was previously
    missed.

 -- Salvatore Bonaccorso  Sun, 01 May 2016 10:46:40 +0200

tardiff (0.1-2+deb8u1) jessie-security; urgency=high

  * Add patch to fix miscalculated statistics. (Closes: #802098)
  * Add patches to fix two security issues:
    + CVE-2015-0857: shell command injection through file names
    + CVE-2015-0858: /tmp race condition in handling temporary directory
    Issues found and reported by Rainer Müller and Florian Weimer.
    Additional necessary changes:
    + Add new run-time dependency on libtext-diff-perl.

 -- Axel Beckert  Tue, 20 Oct 2015 01:02:12 +0200

tardiff (0.1-2) unstable; urgency=low

  * Patch -a vs -s mixup.
    (Due to a typo, the short option -a is not queried while the short
    option -s works as if it would have been -a. The according long
    options worked as advertised.)
  * Bump debhelper compatibility to 9
    + Update versioned debhelper build-dependency
    + Remove manual clean up of *-stamp files
  * Revamp debian/rules:
    + Move dh_installman parameter to debian/manpages
    + Switch to a dh7 style debian/rules file
  * Remove recommends on essential package
  * Bump Standards-Version to 3.9.4 (no changes)
  * Fix lintian warning vcs-field-not-canonical
  * Remove stray debian/debian/patches/series
  * Apply wrap-and-sort

 -- Axel Beckert  Mon, 03 Jun 2013 12:57:19 +0200

tardiff (0.1-1) unstable; urgency=low

  * Initial release (Closes: #650668)
  * Add patch to fix comparison of tar balls with the same base directory.

 -- Axel Beckert  Mon, 07 May 2012 01:02:25 +0200

debian/tardiff.1

.TH TARDIFF "1" "December 2011" "TarDiff 0.1" "User Commands"
.SH NAME
TarDiff \- Compare two tarballs and report differences
.SH DESCRIPTION
TarDiff compares the contents of two tarballs and reports on any differences
found between them. Its use is mainly for release managers who can use it as
a QA tool to make sure no files have accidentally been left over or were added
by mistake. TarDiff supports compressed tarballs, diff statistics and
suppression of GNU autotool changes.
.SH SYNOPSIS
tardiff \fI[options]\fR \fBfile1.tar\fR \fBfile2.tar\fR\fI[.gz/.bz2]\fR
.SH OPTIONS
.PD 0
.TP
\fB\-m\fP, \fB\-\-modified\fP
Report on all changed files, including those present in both tarballs
.TP
\fB\-l\fP, \fB\-\-list\fP
List all files, even those not changed at all
.TP
\fB\-a\fP, \fB\-\-autoskip\fP
Skip files which belong to the GNU autotools (for \fB\-\-modified\fP)
.TP
\fB\-s\fP, \fB\-\-stats\fP
Run statistics (diffstat) on all modified files (for \fB\-\-modified\fP)
.PP
.TP
\fB\-v\fP, \fB\-\-version\fP
Display tardiff version
.TP
\fB\-h\fP, \fB\-\-help\fP
Display this help screen
.PD
.SH "SEE ALSO"
\fItar\fR(1), \fItardy\fR(1)
.SH "AUTHOR"
TarDiff was written by Josef Spillner <\fIjosef@coolprojects.org\fR>.
This man page was written by Axel Beckert <\fIabe@debian.org\fR> based on
help2man(1) output for the Debian Project, but may be used by others.
.SH "COPYRIGHT"
Copyright (C) 2005 Josef Spillner <\fIjosef@coolprojects.org\fR>
.PP
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation.

debian/source/format

3.0 (quilt)

debian/compat

9

debian/patches/CVE-2015-0857.diff

Description: Fix local code execution when calling diff (CVE-2015-0857)
 Reported by Rainer Müller.
 Implemented using Text::Diff instead of diff and backticks.
Author: Axel Beckert
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857
Index: tardiff/tardiff
===================================================================
--- tardiff.orig/tardiff 2016-04-28 19:19:02.194646937 +0200
+++ tardiff/tardiff 2016-04-28 19:36:41.253948109 +0200
@@ -6,6 +6,7 @@ # Published under GNU GPL conditions use strict; +use Text::Diff; my $VERSION = '0.1'; @@ -73,7 +74,12 @@ $flag = "-j"; } - my $list = `tar -C $tempdir $flag -xvf $tarball 2>/dev/null`; + open(TARLIST, '-|', qw(tar -C), $tempdir, $flag, qw(-xvf), $tarball) + or die "Can't call tar as expected: $!"; + local $/ = undef; # slurp mode + my $list = or die "Couldn't read from tar"; + close(TARLIST) or warn "tar exited with non-zero exit code"; + return $list; } @@ -116,7 +122,7 @@ if(-d $file1 and -d $file2){ return 0; }elsif(-f $file1 and -f $file2){ - my $diff = `diff $file1 $file2`; + my $diff = diff $file1, $file2, { STYLE => "OldStyle" }; if($diff){ if($opt_stats){ my $plus = 0; debian/patches/series0000664000000000000000000000015612711341220012027 0ustar fix-unique-uniquebase.diff fix-dash-a-vs-dash-s.diff fix-statistic.diff CVE-2015-0857.diff CVE-2015-0858.diff debian/patches/fix-unique-uniquebase.diff0000664000000000000000000000314112711341220015672 0ustar Patch to allow to compare to tar balls with the same base directory. Also fixes an issue with listing a directory as present in the wrong tar ball. Author: Axel Beckert Index: tardiff-0.1/tardiff =================================================================== --- tardiff-0.1.orig/tardiff 2005-05-17 14:52:27.000000000 +0200 +++ tardiff-0.1/tardiff 2011-12-01 21:56:59.000000000 +0100 @@ -80,6 +80,7 @@ sub analyzetar{ my $filelist = shift(@_); my $filehash = shift(@_); + my $tarball = shift(@_); my %files = %{$filehash}; @@ -92,12 +93,12 @@ if(!$uniquebase){ $uniquebase = $base; }else{ - ($base eq $uniquebase) or die "$tarball1 contains different base dirs: $base and $uniquebase"; + ($base eq $uniquebase) or die "$tarball contains different base dirs: $base and $uniquebase"; } if($files{$remainder}){ $files{$remainder} = "__both"; }else{ - $files{$remainder} = "$uniquebase"; + $files{$remainder} = "$tarball"; } } 
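Review bot: In the CVE-2015-0857.diff hunk @@ -73,7 +74,12 @@, the line `my $list = or die "Couldn't read from tar";` is not valid Perl as shown: the right-hand side has to be a slurp read from the handle opened two lines earlier (that is what the `local $/ = undef;` line prepares for), and the `<TARLIST>` token appears to have been lost from this rendering, so check that the applied patch still carries it. The list-form `open(TARLIST, '-|', qw(tar -C), $tempdir, $flag, qw(-xvf), $tarball)` is the right replacement for the backtick, since no shell ever sees `$tarball`. Two follow-ups: the `2>/dev/null` of the old line is gone, so tar's warnings now reach the user's terminal (reasonable, but a behaviour change worth a changelog mention); and `close(TARLIST) or warn ...` only warns while `return $list` still hands back whatever partial listing was read, so a failing tar never trips the callers' `or die "Error: Could not unpack ..."` checks. A `die` there, or returning undef when `$?` is non-zero, would make those checks meaningful.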
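Review bot: In the CVE-2015-0857.diff hunk @@ -116,7 +122,7 @@, `diff $file1, $file2, { STYLE => "OldStyle" }` depends on Text::Diff treating plain strings as file names (it does) and on OldStyle output specifically, because the statistics loop right below counts lines matching `^>` and `^<`, the normal-diff format that fix-statistic.diff switched to. That coupling deserves a one-line comment: switching the style to Unified later would not fail, it would silently report zero added and removed lines.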
@@ -174,8 +175,8 @@ my %files; - my ($base1, %files) = analyzetar($filelist1, \%files); - my ($base2, %files) = analyzetar($filelist2, \%files); + my ($base1, %files) = analyzetar($filelist1, \%files, $tarball1); + my ($base2, %files) = analyzetar($filelist2, \%files, $tarball2); foreach my $file(sort(keys(%files))){ next if $file eq ""; @@ -196,9 +197,9 @@ if($opt_list and not $modified){ print " $file\n"; } - }elsif($base eq $base1){ + }elsif($base eq $tarball1){ print "- $file\n"; - }elsif($base eq $base2){ + }elsif($base eq $tarball2){ print "+ $file\n"; }else{ print "? $file\n"; debian/patches/CVE-2015-0858.diff0000664000000000000000000000244012711341220013046 0ustar Description: Fix race condition when creating temporary files (CVE-2015-0858) Reported by Florian Weimer . Implemented using File::Temp instead of just using the process ID inside the directory name as suggested by Florian. Author: Axel Beckert Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0858 Index: tardiff/tardiff =================================================================== --- tardiff.orig/tardiff 2015-10-17 15:38:03.629194527 +0200 +++ tardiff/tardiff 2015-10-17 15:41:47.268844335 +0200 @@ -7,12 +7,13 @@ use strict; use Text::Diff; +use File::Temp qw(tempdir); my $VERSION = '0.1'; my ($tarball1, $tarball2); my ($opt_list, $opt_modified, $opt_autoskip, $opt_stats); -my $tempdir; +my $tempdir = tempdir( CLEANUP => 1 ); $SIG{'__DIE__'} = 'cleanup'; $SIG{'TERM'} = 'cleanup'; @@ -168,9 +169,6 @@ sub tardiff{ my $error = 0; - $tempdir = "/tmp/tardiff-$$"; - mkdir $tempdir; - my $filelist1 = untar($tarball1) or die "Error: Could not unpack $tarball1."; my $filelist2 = untar($tarball2) or die "Error: Could not unpack $tarball2."; 
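Review bot: In the fix-unique-uniquebase.diff hunk @@ -174,8 +175,8 @@, both edited lines keep the form `my ($base1, %files) = analyzetar($filelist1, \%files, $tarball1);`, which redeclares `%files` in the scope of the `my %files;` two lines above and then once more on the next line; under `use warnings` that is a "masks earlier declaration" warning. It works, because `\%files` on the right-hand side is evaluated before the new `my` takes effect and therefore passes the previous hash along, but the accumulation is invisible to a reader. Pre-existing, yet since these two lines are being rewritten anyway, declaring `my ($base1, $base2);` once and assigning with `($base1, %files) = analyzetar(...)` would make the data flow explicit at no cost.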
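Review bot: In the fix-unique-uniquebase.diff hunk @@ -196,9 +197,9 @@, the branch now compares `$base` against `$tarball1`/`$tarball2` because analyzetar stores the tarball name instead of the base directory, so `$base1` and `$base2` are no longer consulted for the `-`/`+` decision and the name `$base` is now misleading; renaming it and adding a comment that the value is either `__both` or a tarball name would help. The trailing `print "? $file\n"` else branch can only be reached by a value that is none of those three, so it is effectively dead and could say so.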
@@ -211,10 +209,6 @@ sub cleanup{ my $handler = shift(@_); - if($tempdir){ - system("rm -rf $tempdir"); - } - if($handler eq "INT" or $handler eq "TERM"){ exit 1; } debian/patches/fix-dash-a-vs-dash-s.diff0000664000000000000000000000135512711341220015172 0ustar Description: Fixes -a vs -s mixup Due to a typo, the short option -a is not queried while the short option -s works as if would have been -a. The according long options worked as advertised. Author: Axel Beckert Index: tardiff/tardiff =================================================================== --- tardiff.orig/tardiff 2013-06-03 13:45:30.000000000 +0200 +++ tardiff/tardiff 2013-06-03 13:46:08.000000000 +0200 @@ -41,7 +41,7 @@ $opt_modified = 1; }elsif(($arg eq "--list") or ($arg eq "-l")){ $opt_list = 1; - }elsif(($arg eq "--autoskip") or ($arg eq "-s")){ + }elsif(($arg eq "--autoskip") or ($arg eq "-a")){ $opt_autoskip = 1; }elsif(($arg eq "--stats") or ($arg eq "-s")){ $opt_stats = 1; debian/patches/fix-statistic.diff0000664000000000000000000000155112711341220014237 0ustar Description: Fix calculation of statistics (option -s) Using normal instead of unique diff is far easier to parse unambiguously. Author: Axel Beckert Bug-Debian: https://bugs.debian.org/802098 Index: tardiff/tardiff =================================================================== --- tardiff.orig/tardiff 2015-10-17 16:37:09.675959837 +0200 +++ tardiff/tardiff 2015-10-17 16:40:07.739438492 +0200 
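Review bot: In the CVE-2015-0858.diff hunk @@ -7,12 +7,13 @@, `my $tempdir = tempdir( CLEANUP => 1 );` is what closes the race: File::Temp creates the directory with an unpredictable name and mode 0700 under the temp directory (honouring TMPDIR) and dies if it cannot, so the later `tar -C $tempdir` extraction can no longer land in a directory that was pre-created under the guessable `/tmp/tardiff-$$` name. One side effect: the directory is now created at script start, before the arguments are parsed, so even `tardiff --help` creates and removes one. Assigning `$tempdir = tempdir( CLEANUP => 1 );` inside `tardiff()`, where the `mkdir` used to be, would avoid that without changing anything else.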
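Review bot: In the CVE-2015-0858.diff hunk @@ -168,9 +169,6 @@, the removed `mkdir $tempdir;` never checked its return value, so when `/tmp/tardiff-$$` already existed (the pre-created-directory case) the old code simply carried on and extracted into it; deleting the call rather than adding a check is the right fix given the `tempdir()` call above. Nothing further to change here.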
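Review bot: In the CVE-2015-0858.diff hunk @@ -211,10 +209,6 @@, removing `system("rm -rf $tempdir")` leaves removal to File::Temp's CLEANUP handling, which runs from an END block and therefore still fires when the INT/TERM handler calls `exit 1` and on `die`; only an uncatchable signal leaves the directory behind, which is the accepted trade-off. It also drops one more string-interpolated shell command from the script. What remains of `cleanup` does nothing but exit on INT/TERM, so the `$SIG{'__DIE__'} = 'cleanup'` assignment visible in the first hunk is now a no-op (the handler is called with the die message, matches neither branch and returns) and could go as well.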
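Review bot: The fix-dash-a-vs-dash-s.diff hunk @@ -41,7 +41,7 @@ is correct: with `-s` tested in the `--autoskip` branch first, the `--stats` branch two lines below could never be reached through its short option, and `-a` was never recognised at all. The root cause is the hand-written if/elsif chain, in which every short/long pair is spelled out separately; declaring each once with Getopt::Long (`'autoskip|a'`, `'stats|s'`) would keep such pairs from drifting apart again.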
@@ -116,15 +116,15 @@ if(-d $file1 and -d $file2){ return 0; }elsif(-f $file1 and -f $file2){ - my $diff = `diff -u $file1 $file2`; + my $diff = `diff $file1 $file2`; if($diff){ if($opt_stats){ my $plus = 0; my $minus = 0; foreach my $line(split(/\n/, $diff)){ - if($line =~ /^+\ /){ + if($line =~ /^>/){ $plus++; - }elsif($line =~ /^-\ /){ + }elsif($line =~ /^ License: GPL-2.0+ Comment: GPL version clarified by upstream author in a non-English e-mail to the package maintainer. Files: debian/* Copyright: 2011 Axel Beckert License: GPL-2.0+ License: GPL-2.0+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". debian/watch0000664000000000000000000000017512711341220010215 0ustar # Compulsory line, this is a version 3 file version=3 # No watchable URL linked on http://tardiff.coolprojects.org/ so far. debian/manpages0000664000000000000000000000002112711341220010670 0ustar debian/tardiff.1 debian/rules0000775000000000000000000000036412711341220010244 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ override_dh_auto_install: install -d $(CURDIR)/debian/tardiff/usr/bin/ install -m 755 tardiff $(CURDIR)/debian/tardiff/usr/bin/
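Review bot: The fix-statistic.diff hunk @@ -116,15 +116,15 @@ is cut off on this page after `}elsif($line =~ /^` (the replacement pattern and the remainder of the patch are missing), so only its first half can be reviewed. That half is right: in the old `/^+\ /` the unescaped `+` directly after `^` is a quantifier rather than a literal plus sign, so the pattern did not match the added lines of the unified output and the counts were wrong (Debian #802098). On normal diff output `^>` and `^<` select exactly the added and removed lines, and the `NcM`/`NaM`/`NdM` hunk headers and `---` separators of that format start with neither character, so no further filtering is needed. Note that the backtick `diff $file1 $file2` this hunk introduces is itself replaced by the Text::Diff call in CVE-2015-0857.diff, which series applies afterwards.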