[Git][reproducible-builds/diffoscope][bookworm] 2 commits: Don't bother to check version number in test_python.py: the fixture for this test is fixed.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Wed Aug 28 12:19:17 UTC 2024
Chris Lamb pushed to branch bookworm at Reproducible Builds / diffoscope
Commits:
8052ceb5 by Chris Lamb at 2024-08-27T12:17:37+01:00
Don't bother to check version number in test_python.py: the fixture for this test is fixed.
- - - - -
4ac21f50 by Chris Lamb at 2024-08-28T13:17:44+01:00
releasing package diffoscope version 240+deb12u1
- - - - -
2 changed files:
- debian/changelog
- tests/comparators/test_python.py
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,24 @@
+diffoscope (240+deb12u1) stable; urgency=medium
+
+ [ Chris Lamb ]
+ * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
+ .zip-related security fix that was included in Debian's own upload of
+ python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
+ deliberately excercises a Mozilla-style ZIP file that has its Central
+ Directory secton at the beginning of the file, rather than at the end. This
+ breaks the new overlap check in Python's built-in zipfile.py library as
+ that checks that every entry ends before the Central Directory begins. Many
+ thanks to Fay for both the patch and related guidance. (Closes: #1078883)
+ * Do not call marshal.loads() on precompiled Python bytecode as it is
+ inherently unsafe. The loads() method can easily cause the CPython process
+ running diffoscope to irretrievably crash (e.g. when presented with a newer
+ .pyc format), and potentially permit of arbitrary code execution. Replace,
+ for now, with a brief textual summary of the code section of .pyc files
+ instead. For more information, see:
+ <https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371>
+
+ -- Chris Lamb <lamby at debian.org> Mon, 26 Aug 2024 11:43:37 +0100
+
diffoscope (240) unstable; urgency=medium
[ Holger Levsen ]
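Review bot: three wording slips in the new 240+deb12u1 stanza are worth fixing before this changelog is frozen in the upload: "excercises" should be "exercises", "Central Directory secton" should be "Central Directory section", and "potentially permit of arbitrary code execution" should read "potentially permit arbitrary code execution". The technical substance is otherwise accurate and consistent with the test changes below: the first bullet explains why the old overlap check in zipfile.py rejects a Mozilla-style archive whose Central Directory precedes the entries, and the second bullet records that marshal.loads() is no longer called on untrusted .pyc data, which is exactly what makes the Python-version gate in tests/comparators/test_python.py unnecessary. One small addition that would help a future reader: the second bullet cites only the upstream issue (#371); if a Debian bug was filed for the marshal.loads() change, add a "Closes:" reference alongside the one on the first bullet.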
=====================================
tests/comparators/test_python.py
=====================================
@@ -17,39 +17,23 @@
# along with diffoscope. If not, see <https://www.gnu.org/licenses/>.
import pytest
-import sys
from diffoscope.comparators.python import PycFile
from ..utils.data import assert_diff_startswith, load_fixture
from ..utils.nonexisting import assert_non_existing
-from ..utils.tools import (
- skipif,
- skip_unless_file_version_is_at_least,
-)
+from ..utils.tools import skip_unless_file_version_is_at_least
pyc1 = load_fixture("test1.pyc-renamed")
pyc2 = load_fixture("test2.pyc-renamed")
-def skip_unless_correct_python_version():
- TEST_FIXTURES_GENERATED_BY = (3, 12)
-
- display = ".".join(str(x) for x in TEST_FIXTURES_GENERATED_BY)
-
- return skipif(
- sys.version_info[:2] != TEST_FIXTURES_GENERATED_BY,
- reason=f"Only Python {display} can de-marshal test1.pyc-renamed",
- )
-
-
@skip_unless_file_version_is_at_least("5.39")
def test_identification(pyc1, pyc2):
assert isinstance(pyc1, PycFile)
assert isinstance(pyc2, PycFile)
- at skip_unless_correct_python_version()
def test_no_differences(pyc1):
# Disassembling bytecode prior to Python 3.10 is stable when applied to
# itself, otherwise various memory offsets (or memory addresses?) are
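Review bot: removing skip_unless_correct_python_version() leaves test_no_differences (the def right after the removed decorator) with no skip guard at all, while test_identification above it and test_diff in the next hunk both keep @skip_unless_file_version_is_at_least("5.39"); since the pyc1 fixture is only identified as a PycFile on a new enough file(1), add the same "5.39" decorator here so the three tests are gated consistently. The surviving comment "Disassembling bytecode prior to Python 3.10 is stable when applied to itself, otherwise various memory offsets ..." also describes behaviour the comparator no longer has: per the changelog stanza in this same push, marshal.loads() and the disassembly were replaced by a brief textual summary, so the comment should be reworded or dropped along with the version gate it used to justify. (The "- at skip_unless_correct_python_version()" rendering of the removed line is the mailing list's address munging of "-@skip_unless_correct_python_version()", not a change in the patch.)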
@@ -63,7 +47,6 @@ def differences(pyc1, pyc2):
@skip_unless_file_version_is_at_least("5.39")
- at skip_unless_correct_python_version()
def test_diff(differences):
assert_diff_startswith(differences[0], "pyc_expected_diff")
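Review bot: with the Python 3.12-only gate gone, test_diff now runs on every interpreter, so the pyc_expected_diff fixture it compares against must contain the new textual summary of the code section rather than the old disassembly output; the changed-files list at the top of this mail names only debian/changelog and this test file, so confirm that fixture was regenerated in the earlier commit that dropped marshal.loads() (the second changelog bullet) and that the test passes on the python3.11 in bookworm, not only on the 3.12 that generated test1.pyc-renamed.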
View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/compare/8bb698c301da9b97fab6769817b80f938ee6e0c5...4ac21f509a10182098eb7c1d100d3379913c30ff