-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 26 Aug 2024 11:43:37 +0100
Source: diffoscope
Built-For-Profiles: nocheck
Architecture: source
Version: 240+deb12u1
Distribution: stable
Urgency: medium
Maintainer: Reproducible builds folks <reproducible-builds@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 1078883
Changes:
 diffoscope (240+deb12u1) stable; urgency=medium
 .
   [ Chris Lamb ]
   * Backport a patch by FC (Fay) Stegerman to fix a FTBFS caused by a
     .zip-related security fix that was included in Debian's own upload of
     python3.11 3.11.2-6+deb12u2 (see #1070133). Diffoscope's testsuite
     deliberately exercises a Mozilla-style ZIP file that has its Central
     Directory section at the beginning of the file, rather than at the end.
     This breaks the new overlap check in Python's built-in zipfile.py
     library as that checks that every entry ends before the Central
     Directory begins. Many thanks to Fay for both the patch and related
     guidance. (Closes: #1078883)
   * Do not call marshal.loads() on precompiled Python bytecode as it is
     inherently unsafe. The loads() method can easily cause the CPython
     process running diffoscope to irretrievably crash (e.g. when presented
     with a newer .pyc format), and potentially permit arbitrary code
     execution. Replace, for now, with a brief textual summary of the code
     section of .pyc files instead.
 .
     For more information, see:
     <https://salsa.debian.org/reproducible-builds/diffoscope/-/issues/371>
Checksums-Sha1:
 618824e4657b53c86c5403b724286e8336228ad3 5183 diffoscope_240+deb12u1.dsc
 3fc068320bad4c5e4bf98cbd1b8170549cdaa473 2442344 diffoscope_240+deb12u1.tar.xz
 c891561479979bc901a4863d2e38c56730b71ee5 7234 diffoscope_240+deb12u1_amd64.buildinfo
Checksums-Sha256:
 5107c359ec1637d82e8041160b22054123d21fcf500e9358fdcdac904c8fb1b8 5183 diffoscope_240+deb12u1.dsc
 88c102de0011563bac39f8c8a5b19304e926600fd225aa6d5c108e2b0fc16adc 2442344 diffoscope_240+deb12u1.tar.xz
 38711632fbf6dd0447c7817000d2bad076fbb48df0ebc167ba38cd92674e0715 7234 diffoscope_240+deb12u1_amd64.buildinfo
Files:
 468c71271c19c5e272b3b46827e9d743 5183 devel optional diffoscope_240+deb12u1.dsc
 05e75e2b148bfa807f36454b2ec06c24 2442344 devel optional diffoscope_240+deb12u1.tar.xz
 cdaf26b8ffe90ba684ae089f881d870e 7234 devel optional diffoscope_240+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
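The second changelog entry replaces marshal.loads() on .pyc files with a textual summary. As an added example (not diffoscope's own code), the Python below reads only the PEP 552 header of a .pyc and reports its format and payload size without ever unmarshalling the code object; build_pyc is a helper that constructs a sample file for the running interpreter.

```python
import importlib.util
import marshal
import struct

# PEP 552 .pyc header: 4-byte magic (ends in b"\r\n"), 4-byte flags word, then
# either source mtime + source size (timestamp-based) or an 8-byte source hash
# (hash-based, flags bit 0 set; bit 1 asks the importer to re-check the source).
HEADER_LEN = 16


def summarize_pyc(data: bytes) -> dict:
    """Describe a .pyc from its header alone. The marshalled code object is
    never handed to marshal.loads(), so a hostile or newer-format file cannot
    crash or take over the process doing the inspection."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated .pyc header")
    magic, flags = struct.unpack("<4sI", data[:8])
    if magic[2:] != b"\r\n":
        raise ValueError("not a .pyc file")
    summary = {
        "magic": struct.unpack("<H", magic[:2])[0],
        "known_magic": magic == importlib.util.MAGIC_NUMBER,
        "hash_based": bool(flags & 1),
        "check_source": bool(flags & 2),
        "code_bytes": len(data) - HEADER_LEN,  # size of the marshalled payload
    }
    if summary["hash_based"]:
        summary["source_hash"] = data[8:16].hex()
    else:
        summary["source_mtime"], summary["source_size"] = struct.unpack("<II", data[8:16])
    return summary


def build_pyc(source: str, mtime: int = 0, size: int = 0, source_hash: bytes = b"") -> bytes:
    """Constructed sample: a .pyc for the running interpreter. marshal.dumps()
    is the safe direction; only loads() on untrusted input is the problem."""
    code = marshal.dumps(compile(source, "<constructed>", "exec"))
    if source_hash:
        header = importlib.util.MAGIC_NUMBER + struct.pack("<I", 3) + source_hash[:8]
    else:
        header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, mtime, size)
    return header + code
```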