Devuan bug report logs - #734
report of tcsh square-bracket globbing bug

Package: tcsh; Severity: critical; Reported by: "Robert M. Riches Jr." <[email protected]>; Keywords: debian; Done: Mark Hindley <[email protected]>; Maintainer for tcsh is (unknown).

Message received at [email protected]:


Received: (at 734-done) by bugs.devuan.org; 9 Jan 2023 16:38:19 +0000
Date: Mon, 9 Jan 2023 16:37:54 +0000
From: Mark Hindley <[email protected]>
To: "Robert M. Riches Jr." <[email protected]>, [email protected]
Subject: Re: bug#734: report of tcsh square-bracket globbing bug
Message-ID: <Y7xC4jCPbFwEXU/[email protected]>
References: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[email protected]>

Version: 6.21.00-2

Closing as fixed in Debian 6.21.00-2

Mark

Notification sent to "Robert M. Riches Jr." <[email protected]>:
bug acknowledged by developer.
Reply sent to Mark Hindley <[email protected]>:
You have taken responsibility.
Set bug forwarded-to-address to 'https://bugs.debian.org/999754'. Request was from Mark Hindley <[email protected]> to [email protected].
Added tag(s) debian. Request was from Mark Hindley <[email protected]> to [email protected].

Message received at [email protected]:


Received: (at 734) by bugs.devuan.org; 9 Jan 2023 16:18:03 +0000
Date: Mon, 9 Jan 2023 16:17:31 +0000
From: Mark Hindley <[email protected]>
To: "Robert M. Riches Jr." <[email protected]>, [email protected]
Subject: Re: bug#734: report of tcsh square-bracket globbing bug
Message-ID: <[email protected]>
References: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[email protected]>
X-Debbugs-No-Ack: No Thanks

Control: tags -1 debian
Control: forwarded -1 https://bugs.debian.org/999754
Control: fixed -1 tcsh/6.21.00-2

Robert,

Many thanks for this.

On Tue, Jan 03, 2023 at 07:45:54PM -0800, Robert M. Riches Jr. wrote:
> Package: tcsh
> Version: 6.21.00-1.1
> Severity: critical
> Justification: causes serious data loss
> Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.

tcsh is not a forked package and Devuan uses Debian's packages directly without
recompilation. Fortunately this issue appears to have been reported to Debian's
BTS[1] and is fixed in version 6.21.00-2.

Mark

[1]  https://bugs.debian.org/999754


Information forwarded to [email protected], [email protected]:
bug#734; Package tcsh.

Message received at [email protected]:


Received: (at submit) by bugs.devuan.org; 4 Jan 2023 03:46:41 +0000
Date: Tue, 03 Jan 2023 19:45:54 -0800
To: [email protected]
Subject: report of tcsh square-bracket globbing bug
User-Agent: s-nail v14.9.22
Message-Id: <[email protected]>
From: "Robert M. Riches Jr." <[email protected]>
X-Authenticated-Id: [email protected]

Package: tcsh
Version: 6.21.00-1.1
Severity: critical
Justification: causes serious data loss
Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.

Dear Maintainer,

(Apologies for sending this outside the reportbug tool.  The tool
refused to send it.  If this report gets accepted, I should file
bug reports against reportbug.)

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 4 (chimaera)
Release:	4
Codename:	chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-20-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages tcsh depends on:
ii  libc6      2.31-13+deb11u5
ii  libcrypt1  1:4.4.18-4
ii  libtinfo6  6.2+20201114-2

tcsh recommends no packages.

tcsh suggests no packages.

-- no debconf information

Square-bracket globbing in this version of tcsh has false
positives, which can cause unintended files to be deleted
(perhaps without being noticed).

To reproduce: In an empty directory do these three commands:

    touch {a,b,c,d,2}{1,2,3}

    echo [a-d]*

    echo [a-d]?

Each of the echo commands prints this (modulo indentation):

    21 22 23 a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

Each of the echo commands SHOULD print this (modulo indentation):

    a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

The man page says this about a hyphen between square brackets:

    Within `[...]', a pair of characters separated by `-' matches
    any character lexically between the two.

"2" is _NOT_ lexically between "a" and "d".  Therefore, the
filenames that start with "2" should not be in the glob
expansion.

This bug can result in files being deleted that should not have
been deleted.

I'm told the bug is fixed in the latest upstream version and
possibly earlier.

Acknowledgement sent to "Robert M. Riches Jr." <[email protected]>:
New bug report received and forwarded. Copy sent to [email protected].
Report forwarded to [email protected], [email protected]:
bug#734; Package tcsh.
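
A regression check built from the reproduction steps in the report above, as an added example that is not part of the report or of the tracker's own messages. It rebuilds the fifteen files in a scratch directory and compares what a given shell expands `[a-d]*` and `[a-d]?` to against the expected list; the function names are hypothetical, and it assumes the shell under test accepts `-c` and that its startup files print nothing.

```shell
#!/bin/sh
# Added example: check a shell for the bracket-range false positives
# described in bug#734. Names below are hypothetical, not from tcsh.

# Expected expansion quoted in the report: only names starting with a-d.
EXPECTED="a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3"

# expand_in_fixture SHELL PATTERN
# Recreates the report's files (prefixes a b c d 2, suffixes 1 2 3) in a
# scratch directory and prints what SHELL expands PATTERN to there.
expand_in_fixture() {
    _shell=$1
    _pattern=$2
    _dir=$(mktemp -d) || return 2
    for _p in a b c d 2; do
        for _s in 1 2 3; do
            : > "$_dir/$_p$_s"
        done
    done
    # The ambient locale is kept, as in the report's environment.
    # Double quotes stop this script from expanding the pattern itself.
    _out=$(cd "$_dir" && "$_shell" -c "echo $_pattern" 2>/dev/null) || true
    rm -rf "$_dir"
    printf '%s\n' "$_out"
}

# glob_range_ok SHELL
# Returns 0 if both patterns from the report expand to EXPECTED,
# 1 if extra or missing names appear, 2 if SHELL cannot be run.
glob_range_ok() {
    command -v "$1" >/dev/null 2>&1 || return 2
    for _pat in '[a-d]*' '[a-d]?'; do
        _got=$(expand_in_fixture "$1" "$_pat") || return 2
        [ "$_got" = "$EXPECTED" ] || {
            printf '%s: %s expanded to: %s\n' "$1" "$_pat" "$_got" >&2
            return 1
        }
    done
    return 0
}
```

Calling `glob_range_ok tcsh` returns 1 and prints the unexpected expansion when names such as 21, 22 and 23 appear in the result.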

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <[email protected]>.
Last modified: Thu, 28 Nov 2024 06:39:01 UTC