Version in base suite: 240

Base version: diffoscope_240
Target version: diffoscope_240+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/diffoscope/diffoscope_240.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/d/diffoscope/diffoscope_240+deb12u1.dsc

 /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test1.pyc-renamed |binary
 /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test2.pyc-renamed |binary
 diffoscope-240+deb12u1/debian/changelog                                                    |   21 +++
 diffoscope-240+deb12u1/diffoscope/comparators/python.py                                    |   57 ----------
 diffoscope-240+deb12u1/diffoscope/comparators/zip.py                                       |   14 ++
 diffoscope-240+deb12u1/tests/comparators/test_python.py                                    |   16 --
 diffoscope-240+deb12u1/tests/data/pyc_expected_diff                                        |   17 +-
 7 files changed, 48 insertions(+), 77 deletions(-)

diff -Nru diffoscope-240/debian/changelog diffoscope-240+deb12u1/debian/changelog
--- diffoscope-240/debian/changelog	2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/debian/changelog	2024-08-26 10:43:37.000000000 +0000
@@ -1,3 +1,24 @@
+diffoscope (240+deb12u1) stable; urgency=medium
+
+  [ Chris Lamb ]
+  * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
+    .zip-related security fix that was included in Debian's own upload of
+    python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
+    deliberately excercises a Mozilla-style ZIP file that has its Central
+    Directory secton at the beginning of the file, rather than at the end. This
+    breaks the new overlap check in Python's built-in zipfile.py library as
+    that checks that every entry ends before the Central Directory begins. Many
+    thanks to Fay for both the patch and related guidance. (Closes: #1078883)
+  * Do not call marshal.loads() on precompiled Python bytecode as it is
+    inherently unsafe. The loads() method can easily cause the CPython process
+    running diffoscope to irretrievably crash (e.g. when presented with a newer
+    .pyc format), and potentially permit of arbitrary code execution. Replace,
+    for now, with a brief textual summary of the code section of .pyc files
+    instead. For more information, see:
+    <https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371>
+
+ -- Chris Lamb <lamby@debian.org>  Mon, 26 Aug 2024 11:43:37 +0100
+
 diffoscope (240) unstable; urgency=medium
 
   [ Holger Levsen ]
diff -Nru diffoscope-240/diffoscope/comparators/python.py diffoscope-240+deb12u1/diffoscope/comparators/python.py
--- diffoscope-240/diffoscope/comparators/python.py	2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/diffoscope/comparators/python.py	2024-08-26 10:43:37.000000000 +0000
@@ -18,13 +18,11 @@
 # along with diffoscope.  If not, see <https://www.gnu.org/licenses/>.
 
 import binascii
-import dis
 import io
-import marshal
+import os
 import re
 import struct
 import time
-import types
 
 from diffoscope.difference import Difference
 
@@ -78,55 +76,10 @@
     filesz = struct.unpack("<L", filesz)
     yield f"files sz: {filesz[0]}"
 
-    code = marshal.load(f)
-    yield from show_code(code)
-
-
-def show_code(code, indent=""):
-    yield f"{indent}code"
-
-    indent += "   "
-
-    for x in ("argcount", "nlocals", "stacksize", "flags"):
-        yield "{}{: <10}: {!r}".format(indent, x, getattr(code, f"co_{x}"))
-
-    yield from show_hex("code", code.co_code, indent=indent)
-    s = io.StringIO()
-    dis.disassemble(code, file=s)
-    for x in s.getvalue().splitlines():
-        yield "{}{}".format(indent, re_memory_address.sub("", x))
-
-    yield f"{indent}consts"
-    for const in code.co_consts:
-        if isinstance(const, types.CodeType):
-            yield from show_code(const, f"{indent}   ")
-        else:
-            yield f"   {indent}{const!r}"
-
-    for x in (
-        "names",
-        "varnames",
-        "freevars",
-        "cellvars",
-        "filename",
-        "name",
-        "firstlineno",
-    ):
-        yield "{}{: <10} {!r}".format(indent, x, getattr(code, f"co_{x}"))
-
-    yield from show_hex("lnotab", code.co_lnotab, indent=indent)
-
-
-def show_hex(label, val, indent):
-    val = hexlify(val)
-
-    if len(val) < 60:
-        yield f"{indent}{label} {val}"
-        return
-
-    yield f"{indent}{label}"
-    for i in range(0, len(val), 60):
-        yield "{}   {}".format(indent, val[i : i + 60])
+    start = f.tell()
+    f.seek(0, os.SEEK_END)
+    size = f.tell() - start
+    yield f"code:     starts at offset {start} (size: {size} bytes)"
 
 
 def hexlify(val):
diff -Nru diffoscope-240/diffoscope/comparators/zip.py diffoscope-240+deb12u1/diffoscope/comparators/zip.py
--- diffoscope-240/diffoscope/comparators/zip.py	2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/diffoscope/comparators/zip.py	2024-08-26 10:43:37.000000000 +0000
@@ -266,10 +266,13 @@
         # This is gross: Monkeypatch zipfile._EndRecData to work with
         # Mozilla-optimized ZIPs
         _orig_EndRecData = zipfile._EndRecData
+        eocd_offset = None
 
         def _EndRecData(fh):
             endrec = _orig_EndRecData(fh)
             if endrec:
+                nonlocal eocd_offset
+                eocd_offset = endrec[zipfile._ECD_LOCATION]
                 endrec[zipfile._ECD_LOCATION] = (
                     endrec[zipfile._ECD_OFFSET] + endrec[zipfile._ECD_SIZE]
                 )
@@ -278,6 +281,17 @@
         zipfile._EndRecData = _EndRecData
         result = super(MozillaZipContainer, self).open_archive()
         zipfile._EndRecData = _orig_EndRecData
+        # fix _end_offset after https://github.com/python/cpython/pull/110016
+        # added a check that fails because the central directory comes before
+        # the entries in these files
+        zinfos = sorted(
+            result.filelist,
+            key=lambda zinfo: zinfo.header_offset,
+            reverse=True,
+        )
+        if zinfos:
+            if hasattr(zinfos[0], "_end_offset"):
+                zinfos[0]._end_offset = eocd_offset
         return result
 
 
diff -Nru diffoscope-240/tests/comparators/test_python.py diffoscope-240+deb12u1/tests/comparators/test_python.py
--- diffoscope-240/tests/comparators/test_python.py	2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/tests/comparators/test_python.py	2024-08-26 10:43:37.000000000 +0000
@@ -17,16 +17,12 @@
 # along with diffoscope.  If not, see <https://www.gnu.org/licenses/>.
 
 import pytest
-import sys
 
 from diffoscope.comparators.python import PycFile
 
 from ..utils.data import assert_diff_startswith, load_fixture
 from ..utils.nonexisting import assert_non_existing
-from ..utils.tools import (
-    skipif,
-    skip_unless_file_version_is_at_least,
-)
+from ..utils.tools import skip_unless_file_version_is_at_least
 
 pyc1 = load_fixture("test1.pyc-renamed")
 pyc2 = load_fixture("test2.pyc-renamed")
@@ -38,7 +34,6 @@
     assert isinstance(pyc2, PycFile)
 
 
-@skipif(sys.version_info >= (3, 10), reason="Unstable on 3.10+")
 def test_no_differences(pyc1):
     # Disassembling bytecode prior to Python 3.10 is stable when applied to
     # itself, otherwise various memory offsets (or memory addresses?) are
@@ -52,15 +47,8 @@
 
 
 @skip_unless_file_version_is_at_least("5.39")
-@skipif(
-    sys.version_info[:2] not in {(3, 9), (3, 10)},
-    reason="Only Python 3.9 and 3.10 can de-marshal test1.pyc-renamed",
-)
 def test_diff(differences):
-    assert_diff_startswith(
-        differences[0],
-        "pyc_expected_diff",
-    )
+    assert_diff_startswith(differences[0], "pyc_expected_diff")
 
 
 def test_compare_non_existing(monkeypatch, pyc1):
diff -Nru diffoscope-240/tests/data/pyc_expected_diff diffoscope-240+deb12u1/tests/data/pyc_expected_diff
--- diffoscope-240/tests/data/pyc_expected_diff	2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/tests/data/pyc_expected_diff	2024-08-26 10:43:37.000000000 +0000
@@ -1,11 +1,6 @@
-@@ -1,9 +1,9 @@
- magic:    0x610d0d0a
--moddate:  0xbd103561 (Sun Sep  5 18:47:25 2021 UTC)
-+moddate:  0xae814d61 (Fri Sep 24 07:43:42 2021 UTC)
- files sz: 14217
- code
-    argcount  : 0
-    nlocals   : 0
-    stacksize : 3
-    flags     : 64
-    code
+@@ -1,4 +1,4 @@
+ magic:    0xcb0d0d0a
+-moddate:  0x436ebb66 (Tue Aug 13 14:31:31 2024 UTC)
++moddate:  0x3f6ebb66 (Tue Aug 13 14:31:27 2024 UTC)
+ files sz: 13
+ code:     starts at offset 16 (size: 121 bytes)
Binary files /srv/release.debian.org/tmp/4pDbWlwI3i/diffoscope-240/tests/data/test1.pyc-renamed and /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test1.pyc-renamed differ
Binary files /srv/release.debian.org/tmp/4pDbWlwI3i/diffoscope-240/tests/data/test2.pyc-renamed and /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test2.pyc-renamed differ