Discussion:
configure.in is missing but...
Eriberto Mota
2017-11-24 11:14:07 UTC
Hi,

In #882538, Helmut pointed out that outguess[1] has a configure file[2]
generated by a missing configure.in. He considers that configure, an
interpreted script (shell), has no source code because of the following
lines:

# Generated automatically using autoconf version 2.12
[...]
# Any additions from configure.in:
[...]

The script also has a notice:

# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.

IMHO, the configure script can't be regenerated from a configure.ac or
configure.in but it can be modified to work if it is necessary. It is
similar to traditional configure file, made by hand. I don't see a
real problem here. However, Pabs agrees with Helmut here[3].

I still have doubts about whether this situation is a DFSG violation and I
need more opinions.

Thanks a lot in advance.

Regards,

Eriberto

[1] https://tracker.debian.org/pkg/outguess
[2] https://sources.debian.net/src/outguess/1:0.2-8/jpeg-6b-steg/configure/
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882538#20
Ian Jackson
2017-11-24 13:33:48 UTC
Post by Eriberto Mota
In #882538, Helmut pointed out that outguess[1] has a configure file[2]
generated by a missing configure.in. He considers that configure, an
interpreted script (shell), has no source code because of the following
...
Post by Eriberto Mota
I still have doubts about whether this situation is a DFSG violation and I
need more opinions.

Pabs and Helmut are right.

Can't you find a copy of the configure.ac somewhere ? If not, you may
be able to reconstruct one. Skimreading the configure script suggests
that wouldn't be too hard.

Ian.
--
Ian Jackson <***@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Paul Wise
2017-11-25 04:13:13 UTC
Post by Ian Jackson
Can't you find a copy of the configure.ac somewhere ? If not, you may
be able to reconstruct one. Skimreading the configure script suggests
that wouldn't be too hard.

It looks like the jpeg-6b-steg is a modified embedded code copy of
libjpeg6b. outguess upstream really should send their patches in
jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
that outguess is probably vulnerable to the various libjpeg CVEs that
have been released over the years.

Looking at the unmodified source code, libjpeg upstream didn't release
their configure.ac file until libjpeg7:

http://ijg.org/files/jpegsrc.v6b.tar.gz
http://ijg.org/files/jpegsrc.v7.tar.gz

So I think what needs to happen here is that outguess needs a proper
upstream project to exist and be active, remove the embedded code copy
and port the diff to a newer libjpeg and upstream that and then get
that uploaded to Debian.
--
bye,
pabs

https://wiki.debian.org/PaulWise
Eriberto Mota
2017-11-26 21:25:22 UTC
Post by Paul Wise
Post by Ian Jackson
Can't you find a copy of the configure.ac somewhere ? If not, you may
be able to reconstruct one. Skimreading the configure script suggests
that wouldn't be too hard.

Thanks Ian,

At first glance, creating a new configure.ac seems a bit hard. I
already made some configure.ac for some projects. However, I am not
the upstream and it is a complicating factor. I will try to make
something.

Post by Paul Wise
It looks like the jpeg-6b-steg is a modified embedded code copy of
libjpeg6b. outguess upstream really should send their patches in
jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
that outguess is probably vulnerable to the various libjpeg CVEs that
have been released over the years.
Looking at the unmodified source code, libjpeg upstream didn't release
http://ijg.org/files/jpegsrc.v6b.tar.gz
http://ijg.org/files/jpegsrc.v7.tar.gz

Thanks a lot Paul. It is a good catch.
Post by Paul Wise
So I think what needs to happen here is that outguess needs a proper
upstream project to exist and be active, remove the embedded code copy
and port the diff to a newer libjpeg and upstream that and then get
that uploaded to Debian.

I agree.

Cheers,

Eriberto
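
Added example, not part of any post in this thread: a shell check that lists autoconf-generated configure scripts shipped without a configure.ac or configure.in beside them, which is the situation reported in #882538. The function names and the sample tree are constructed for illustration; the "Generated by GNU Autoconf" header of later autoconf releases is matched in addition to the 2.12 wording quoted in the thread.

```shell
#!/bin/sh
# Added example: report generated configure scripts whose autoconf input
# (configure.ac / configure.in) is absent from the same directory.

# True if the first 20 lines carry an autoconf "generated" header.
# The 2.12 wording is quoted in the thread; the later wording is added here.
is_generated_configure() {
    awk 'NR > 20 { exit }
         /^# Generated (automatically using autoconf|by GNU Autoconf)/ { found = 1; exit }
         END { exit !found }' "$1"
}

# Print every generated configure under $1 that has no source next to it.
find_sourceless_configure() {
    find "$1" -type f -name configure | sort | while IFS= read -r script; do
        is_generated_configure "$script" || continue   # hand-written: skip
        dir=$(dirname "$script")
        if [ ! -e "$dir/configure.ac" ] && [ ! -e "$dir/configure.in" ]; then
            printf '%s\n' "$script"
        fi
    done
}

# Constructed sample tree (not the real outguess source): one generated
# script without source, one with source, one written by hand.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/jpeg-6b-steg" "$root/withsrc" "$root/handmade"
    printf '#! /bin/sh\n\n# Guess values for system-dependent variables\n# Generated automatically using autoconf version 2.12\n' \
        > "$root/jpeg-6b-steg/configure"
    printf '#! /bin/sh\n# Generated by GNU Autoconf 2.69.\n' > "$root/withsrc/configure"
    printf 'AC_INIT\n' > "$root/withsrc/configure.ac"
    printf '#! /bin/sh\n# hand-written configure\n' > "$root/handmade/configure"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
find_sourceless_configure "$tree"   # prints only .../jpeg-6b-steg/configure
rm -rf "$tree"
```

Run against an unpacked source package, the same function also surfaces embedded code copies such as jpeg-6b-steg, since each bundled library tends to carry its own configure.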
