Devuan bug report logs -
#734
report of tcsh square-bracket globbing bug
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#734; Package tcsh.
(Wed, 04 Jan 2023 03:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to "Robert M. Riches Jr." <rm.riches@jacob21819.net>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org.
(Wed, 04 Jan 2023 03:48:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):
Package: tcsh
Version: 6.21.00-1.1
Severity: critical
Justification: causes serious data loss
Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.
Dear Maintainer,
(Apologies for sending this outside the reportbug tool. The tool
refused to send it. If this report gets accepted, I should file
bug reports against reportbug.)
-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 4 (chimaera)
Release: 4
Codename: chimaera
Architecture: x86_64
Kernel: Linux 5.10.0-20-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled
Versions of packages tcsh depends on:
ii libc6 2.31-13+deb11u5
ii libcrypt1 1:4.4.18-4
ii libtinfo6 6.2+20201114-2
tcsh recommends no packages.
tcsh suggests no packages.
-- no debconf information
Square-bracket globbing in this version of tcsh has false
positives, which can cause unintended files to be deleted
(perhaps without being noticed).
To reproduce: In an empty directory do these three commands:
touch {a,b,c,d,2}{1,2,3}
echo [a-d]*
echo [a-d]?
Each of the echo commands prints this (modulo indentation):
21 22 23 a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3
Each of the echo commands SHOULD print this (modulo indentation):
a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3
The man page says this about a hyphen between square brackets:
Within `[...]', a pair of characters separated by `-' matches
any character lexically between the two.
"2" is _NOT_ lexically between "a" and "d". Therefore, the
filenames that start with "2" should not be in the glob
expansion.
This bug can result in files being deleted that should not have
been deleted.
I'm told the bug is fixed in the latest upstream version and
possibly earlier.
Information forwarded
to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#734; Package tcsh.
(Mon, 09 Jan 2023 16:20:02 GMT) (full text, mbox, link).
Message #8 received at 734@bugs.devuan.org (full text, mbox, reply):
Control: tags -1 debian
Control: forwarded -1 https://bugs.debian.org/999754
Control: fixed -1 tcsh/6.21.00-2
Robert,
Many thanks for this.
On Tue, Jan 03, 2023 at 07:45:54PM -0800, Robert M. Riches Jr. wrote:
> Package: tcsh
> Version: 6.21.00-1.1
> Severity: critical
> Justification: causes serious data loss
> Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.
tsch is not a forked package and Devuan uses Debian's packages directly without
recompilation. Fortunately this issue appears to have been reported to Debian's
BTS[1] and is fixed in version 6.21.00-2.
Mark
[1] https://bugs.debian.org/999754
Added tag(s) debian.
Request was from Mark Hindley <mark@hindley.org.uk>
to 734-submit@bugs.devuan.org.
(Mon, 09 Jan 2023 16:20:06 GMT) (full text, mbox, link).
Reply sent
to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility.
(Mon, 09 Jan 2023 16:40:02 GMT) (full text, mbox, link).
Notification sent
to "Robert M. Riches Jr." <rm.riches@jacob21819.net>:
bug acknowledged by developer.
(Mon, 09 Jan 2023 16:40:03 GMT) (full text, mbox, link).
Message #17 received at 734-done@bugs.devuan.org (full text, mbox, reply):
Version: 6.21.00-2
Closing as fixed in Debian 6.21.00-2
Mark
Send a report that this bug log contains spam.