Version in base suite: 240 Base version: diffoscope_240 Target version: diffoscope_240+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/diffoscope/diffoscope_240.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/diffoscope/diffoscope_240+deb12u1.dsc /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test1.pyc-renamed |binary /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test2.pyc-renamed |binary diffoscope-240+deb12u1/debian/changelog | 21 +++ diffoscope-240+deb12u1/diffoscope/comparators/python.py | 57 ---------- diffoscope-240+deb12u1/diffoscope/comparators/zip.py | 14 ++ diffoscope-240+deb12u1/tests/comparators/test_python.py | 16 -- diffoscope-240+deb12u1/tests/data/pyc_expected_diff | 17 +- 7 files changed, 48 insertions(+), 77 deletions(-)
diff -Nru diffoscope-240/debian/changelog diffoscope-240+deb12u1/debian/changelog
--- diffoscope-240/debian/changelog 2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/debian/changelog 2024-08-26 10:43:37.000000000 +0000
@@ -1,3 +1,24 @@
+diffoscope (240+deb12u1) stable; urgency=medium
+
+ [ Chris Lamb ]
+ * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
+ .zip-related security fix that was included in Debian's own upload of
+ python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
+ deliberately excercises a Mozilla-style ZIP file that has its Central
+ Directory secton at the beginning of the file, rather than at the end. This
+ breaks the new overlap check in Python's built-in zipfile.py library as
+ that checks that every entry ends before the Central Directory begins. Many
+ thanks to Fay for both the patch and related guidance. (Closes: #1078883)
+ * Do not call marshal.loads() on precompiled Python bytecode as it is
+ inherently unsafe. The loads() method can easily cause the CPython process
+ running diffoscope to irretrievably crash (e.g. when presented with a newer
+ .pyc format), and potentially permit of arbitrary code execution. Replace,
+ for now, with a brief textual summary of the code section of .pyc files
+ instead. For more information, see:
+
+
+ -- Chris Lamb Mon, 26 Aug 2024 11:43:37 +0100
+
 diffoscope (240) unstable; urgency=medium
 
 [ Holger Levsen ]
diff -Nru diffoscope-240/diffoscope/comparators/python.py diffoscope-240+deb12u1/diffoscope/comparators/python.py
--- diffoscope-240/diffoscope/comparators/python.py 2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/diffoscope/comparators/python.py 2024-08-26 10:43:37.000000000 +0000
@@ -18,13 +18,11 @@
 # along with diffoscope. If not, see .
 
 import binascii
-import dis
 import io
-import marshal
+import os
 import re
 import struct
 import time
-import types
 
 from diffoscope.difference import Difference
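Review bot: The import hunk of python.py drops `marshal`, `dis` and `types` but leaves nothing in the module recording why, so a later contributor could reintroduce `marshal.loads()` on attacker-supplied `.pyc` content without anything in the source flagging it; the rationale currently lives only in debian/changelog. Add a comment at the import block, e.g. `# Deliberately no marshal/dis here: .pyc code objects are untrusted input and marshal.loads() can crash the interpreter or worse; only header fields and the code section's offset/size are reported.` The body hunk that replaces the de-marshalling (`@@ -78,55 +76,10 @@`) is not legible on this page, so the use of the new `os` import and the new summary logic could not be reviewed here.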
@@ -78,55 +76,10 @@ filesz = struct.unpack(".
 import pytest
-import sys
 from diffoscope.comparators.python import PycFile
 from ..utils.data import assert_diff_startswith, load_fixture
 from ..utils.nonexisting import assert_non_existing
-from ..utils.tools import (
-    skipif,
-    skip_unless_file_version_is_at_least,
-)
+from ..utils.tools import skip_unless_file_version_is_at_least
 pyc1 = load_fixture("test1.pyc-renamed")
 pyc2 = load_fixture("test2.pyc-renamed")
@@ -38,7 +34,6 @@
     assert isinstance(pyc2, PycFile)
 
 
-@skipif(sys.version_info >= (3, 10), reason="Unstable on 3.10+")
 def test_no_differences(pyc1):
     # Disassembling bytecode prior to Python 3.10 is stable when applied to
     # itself, otherwise various memory offsets (or memory addresses?) are
@@ -52,15 +47,8 @@
 
 
 @skip_unless_file_version_is_at_least("5.39")
-@skipif(
-    sys.version_info[:2] not in {(3, 9), (3, 10)},
-    reason="Only Python 3.9 and 3.10 can de-marshal test1.pyc-renamed",
-)
 def test_diff(differences):
-    assert_diff_startswith(
-        differences[0],
-        "pyc_expected_diff",
-    )
+    assert_diff_startswith(differences[0], "pyc_expected_diff")
 
 
 def test_compare_non_existing(monkeypatch, pyc1):
diff -Nru diffoscope-240/tests/data/pyc_expected_diff diffoscope-240+deb12u1/tests/data/pyc_expected_diff
--- diffoscope-240/tests/data/pyc_expected_diff 2023-03-31 08:05:24.000000000 +0000
+++ diffoscope-240+deb12u1/tests/data/pyc_expected_diff 2024-08-26 10:43:37.000000000 +0000
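Review bot: In `test_no_differences` (hunk `@@ -38,7 +34,6 @@`) the comment `# Disassembling bytecode prior to Python 3.10 is stable when applied to` / `# itself, otherwise various memory offsets (or memory addresses?) are` is kept as context while the `@skipif(sys.version_info >= (3, 10), ...)` it justified is removed; since this same patch drops the comparator's `dis` and `marshal` imports, the test no longer exercises disassembly and the comment now explains behaviour that is gone. Replace it with a one-liner such as `# The comparator only reports header fields and the code section's offset/size, so the output does not depend on the interpreter version.` The body of test_no_differences continues past the end of the hunk, and the test module's own import hunk is missing its `@@` header on this page, so its exact extent could not be checked.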
@@ -1,11 +1,6 @@
-@@ -1,9 +1,9 @@
- magic: 0x610d0d0a
--moddate: 0xbd103561 (Sun Sep 5 18:47:25 2021 UTC)
-+moddate: 0xae814d61 (Fri Sep 24 07:43:42 2021 UTC)
- files sz: 14217
- code
- argcount : 0
- nlocals : 0
- stacksize : 3
- flags : 64
- code
+@@ -1,4 +1,4 @@
+ magic: 0xcb0d0d0a
+-moddate: 0x436ebb66 (Tue Aug 13 14:31:31 2024 UTC)
++moddate: 0x3f6ebb66 (Tue Aug 13 14:31:27 2024 UTC)
+ files sz: 13
+ code: starts at offset 16 (size: 121 bytes)
Binary files /srv/release.debian.org/tmp/4pDbWlwI3i/diffoscope-240/tests/data/test1.pyc-renamed and /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test1.pyc-renamed differ
Binary files /srv/release.debian.org/tmp/4pDbWlwI3i/diffoscope-240/tests/data/test2.pyc-renamed and /srv/release.debian.org/tmp/pqbWK1k29G/diffoscope-240+deb12u1/tests/data/test2.pyc-renamed differ