[Git][reproducible-builds/diffoscope][bookworm] 2 commits: Don't bother to check version number in test_python.py: the fixture for this test is fixed.

Chris Lamb (@lamby) gitlab at salsa.debian.org
Wed Aug 28 12:19:17 UTC 2024
Chris Lamb pushed to branch bookworm at Reproducible Builds / diffoscope
Commits:
8052ceb5 by Chris Lamb at 2024-08-27T12:17:37+01:00
Don't bother to check version number in test_python.py: the fixture for this test is fixed.

- - - - -
4ac21f50 by Chris Lamb at 2024-08-28T13:17:44+01:00
releasing package diffoscope version 240+deb12u1

- - - - -
2 changed files:

- debian/changelog
- tests/comparators/test_python.py
Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,24 @@
+diffoscope (240+deb12u1) stable; urgency=medium
+
+  [ Chris Lamb ]
+  * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
+    .zip-related security fix that was included in Debian's own upload of
+    python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
+    deliberately excercises a Mozilla-style ZIP file that has its Central
+    Directory secton at the beginning of the file, rather than at the end. This
+    breaks the new overlap check in Python's built-in zipfile.py library as
+    that checks that every entry ends before the Central Directory begins. Many
+    thanks to Fay for both the patch and related guidance. (Closes: #1078883)
+  * Do not call marshal.loads() on precompiled Python bytecode as it is
+    inherently unsafe. The loads() method can easily cause the CPython process
+    running diffoscope to irretrievably crash (e.g. when presented with a newer
+    .pyc format), and potentially permit of arbitrary code execution. Replace,
+    for now, with a brief textual summary of the code section of .pyc files
+    instead. For more information, see:
+    <https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371>
+
+ -- Chris Lamb <lamby at debian.org>  Mon, 26 Aug 2024 11:43:37 +0100
+
 diffoscope (240) unstable; urgency=medium
 
   [ Holger Levsen ]
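Review bot: the new changelog entry carries three spelling slips that will ship in the package metadata: "excercises" should be "exercises", "secton" should be "section", and "permit of arbitrary code execution" should read "permit arbitrary code execution". On substance, the second bullet is the security-relevant change: marshal is documented as not being safe against erroneous or maliciously constructed data, and diffoscope by design is fed untrusted input files, so replacing marshal.loads() with a textual summary removes a parser attack surface rather than only fixing a crash. It would help to say in the entry whether that summary is derived purely from the file bytes, since the test changes in this same push (removing the Python 3.12 gate) rely on the output being stable across interpreter versions.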
=====================================
tests/comparators/test_python.py
=====================================
@@ -17,39 +17,23 @@
 # along with diffoscope.  If not, see <https://www.gnu.org/licenses/>.
 
 import pytest
-import sys
 
 from diffoscope.comparators.python import PycFile
 
 from ..utils.data import assert_diff_startswith, load_fixture
 from ..utils.nonexisting import assert_non_existing
-from ..utils.tools import (
-    skipif,
-    skip_unless_file_version_is_at_least,
-)
+from ..utils.tools import skip_unless_file_version_is_at_least
 
 pyc1 = load_fixture("test1.pyc-renamed")
 pyc2 = load_fixture("test2.pyc-renamed")
 
 
-def skip_unless_correct_python_version():
-    TEST_FIXTURES_GENERATED_BY = (3, 12)
-
-    display = ".".join(str(x) for x in TEST_FIXTURES_GENERATED_BY)
-
-    return skipif(
-        sys.version_info[:2] != TEST_FIXTURES_GENERATED_BY,
-        reason=f"Only Python {display} can de-marshal test1.pyc-renamed",
-    )
-
-
 @skip_unless_file_version_is_at_least("5.39")
 def test_identification(pyc1, pyc2):
     assert isinstance(pyc1, PycFile)
     assert isinstance(pyc2, PycFile)
 
 
- at skip_unless_correct_python_version()
 def test_no_differences(pyc1):
     # Disassembling bytecode prior to Python 3.10 is stable when applied to
     # itself, otherwise various memory offsets (or memory addresses?) are
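Review bot: dropping skip_unless_correct_python_version() (together with the `sys` and `skipif` imports) is only safe because PycFile no longer de-marshals the fixture, as the changelog hunk states; test_no_differences now runs under every interpreter version, so if marshal-based decoding is ever reinstated this gate must return or the test will fail on anything other than Python 3.12. The surviving comment in test_no_differences about disassembling bytecode prior to Python 3.10 describes the behaviour the changelog says has been replaced by a textual summary, so consider updating or removing it in a follow-up so the test documents what is actually being compared.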
@@ -63,7 +47,6 @@ def differences(pyc1, pyc2):
 
 
 @skip_unless_file_version_is_at_least("5.39")
- at skip_unless_correct_python_version()
 def test_diff(differences):
     assert_diff_startswith(differences[0], "pyc_expected_diff")
 
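Review bot: with the version gate removed from test_diff, the pyc_expected_diff fixture is now asserted against on every Python version, so its content must not depend on the running interpreter; that holds if the new textual summary of the .pyc code section is computed only from the file bytes, which is worth confirming (for example by running this test under two different interpreter versions) before the upload. Keeping the @skip_unless_file_version_is_at_least("5.39") gate is correct, since identification of the fixtures still depends on the installed `file` tool.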
View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/compare/8bb698c301da9b97fab6769817b80f938ee6e0c5...4ac21f509a10182098eb7c1d100d3379913c30ff
