Should use "$@" with double-quotes

Bug #1878658 reported by Brian Foster
This bug affects 1 person
Affects: stegosuite (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

stegosuite(1) is a too-simple bash(1) script:

     1 #!/bin/bash
     2
     3 DIRNAME="/usr/share/stegosuite"
     4 STEGOSUITEJAR=$(echo $DIRNAME/stegosuite-*.jar)
     5
     6 # Setup the classpath
     7 if [ ! -f "$STEGOSUITEJAR" ]; then
     8 die "Missing required file: $STEGOSUITEJAR"

1st problem, `die' is neither a bash builtin nor an external command;
it does not exist.

     9 fi
    10
    11 STEGOSUITE_CLASSPATH="$STEGOSUITEJAR"
    12
    13 gtk3_version=`dpkg -s libgtk-3-0|grep '^Version' | cut -d'.' -f2`
    14 swt4_version=`dpkg -s libswt-gtk-4-java|grep '^Version' | cut -d'.' -f2`
    15
    16 # Run with GTK2-fallback if swt<=4.8 and gtk>=3.22
    17 if [ \( "$gtk3_version" -ge 22 \) -a \( "$swt4_version" -le 8 \) ]; then
    18 env SWT_GTK3=0 java -jar $STEGOSUITE_CLASSPATH $@
    19 else
    20 java -jar $STEGOSUITE_CLASSPATH $@
    21 fi

2nd problem (and the issue I ran into), both on lines 18 and 20,
the $@ should be in double-quotes "$@". Because it is not, you
cannot use a passphrase containing, e.g., spaces; that is, a
command similar to the following does not work:

 $ stegosuite -d -e -k 'My *secret* phrase!' -f INPUT -- IMAGE.png

(The `-d' is not necessary, but is useful to see what is going on.)
What precisely happens seems a bit variable — there also seems
to be a poor command-line parser (3rd problem) — other than it
"doesn't work", sometimes silently (4th problem), and usually
exits with a 0 status (5th problem). And, of course, having a key
on the command-line is rather poor security (6th problem).

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: stegosuite 0.8.0-1
ProcVersionSignature: Ubuntu 4.15.0-99.100-generic 4.15.18
Uname: Linux 4.15.0-99-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.14
Architecture: amd64
CurrentDesktop: KDE
Date: Thu May 14 19:19:47 2020
InstallationDate: Installed on 2016-10-07 (1315 days ago)
InstallationMedia: Kubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
PackageArchitecture: all
SourcePackage: stegosuite
UpgradeStatus: Upgraded to bionic on 2018-08-18 (635 days ago)
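
The difference between $@ and "$@" described in the report, as an added example that is not part of the original report or the stegosuite package. show_args is a hypothetical stand-in for the java -jar call, and top-secret-notes.txt is a constructed file that makes the *secret* glob expansion visible.

```bash
#!/bin/bash
# Added illustration; not the stegosuite package's wrapper script.

# Hypothetical stand-in for `java -jar ...`: prints the argument count,
# then each argument in brackets, so splitting and globbing are visible.
show_args() {
    printf '%d\n' "$#"
    [ "$#" -eq 0 ] || printf '[%s]\n' "$@"
}

# Forwards arguments the way lines 18 and 20 of the quoted script do.
forward_unquoted() {
    # shellcheck disable=SC2068
    show_args $@    # deliberately unquoted: words are re-split and globbed
}

# Forwards every argument as exactly one word, unchanged.
forward_quoted() {
    show_args "$@"
}

# Runs the forwarder named in $1 with the command line from the report,
# inside a scratch directory holding one constructed file whose name
# matches the *secret* pattern in the sample passphrase.
run_demo() {
    (
        dir=$(mktemp -d) || exit 1
        trap 'rm -rf "$dir"' EXIT
        cd "$dir" || exit 1
        : > top-secret-notes.txt
        "$1" -d -e -k 'My *secret* phrase!' -f INPUT -- IMAGE.png
    )
}

# The quoted script calls `die` without defining it; a wrapper that uses
# it must supply it: message to stderr, then a non-zero exit status.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

echo 'unquoted $@:';  run_demo forward_unquoted   # 10 arguments
echo 'quoted "$@":';  run_demo forward_quoted     # 8 arguments
```

With the unquoted form the passphrase reaches the program as three separate words, one of them replaced by a file name from the current directory, so the key actually used depends on where the command is run.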

Tobias Ilte (tobss) wrote :

Hi, thanks a lot for this bug report. I found it by chance. All your mentioned issues have been resolved with the new version 0.9.0-1. It just arrived in the lunar repos. You can try it out here: https://launchpad.net/ubuntu/+source/stegosuite/0.9.0-1/+build/24622575

For the command-line parser I switched from the old libcommons-cli to the newer super cool libpicocli.

Thanks again for your bug report!
I think the bug can be closed now.

Brian Foster (blfoster) wrote :

Thanks for the response!

NO, sorry, the updated 0.9.0 package does NOT seem ready (at least for my fully up-to-date Kubuntu 22.04.1 LTS (jammy) system). It seems to have "gone backwards" and can_NOT_ even be run now!:

   1$ bash -x /usr/bin/stegosuite
   + DIRNAME=/usr/share/stegosuite
   ++ echo /usr/share/stegosuite/stegosuite-0.9.0.jar
   + STEGOSUITEJAR=/usr/share/stegosuite/stegosuite-0.9.0.jar
   + '[' '!' -f /usr/share/stegosuite/stegosuite-0.9.0.jar ']'
   + STEGOSUITE_CLASSPATH=/usr/share/stegosuite/stegosuite-0.9.0.jar
   + java -jar /usr/share/stegosuite/stegosuite-0.9.0.jar
   Error: Unable to initialize main class org.stegosuite.Stegosuite
   Caused by: java.lang.NoClassDefFoundError: picocli/CommandLine$IExecutionStrategy

   2$ dpkg-query --status libpicocli-java
   Package: libpicocli-java
   Status: install ok installed
   Priority: optional
   Section: java
   Installed-Size: 314
   Maintainer: Ubuntu Developers <email address hidden>
   Architecture: all
   Multi-Arch: foreign
   Source: picocli
   Version: 3.9.6-3
   Description: […]
   Homepage: https://picocli.info

I have no idea what is going on here. There is no other package containing anything like "picocli" that I am aware of.

Tobias Ilte (tobss) wrote :

Hi, I think it's because Ubuntu 22.04 ships a very old version of libpicocli-java.
Try this more recent version from 22.10: https://packages.ubuntu.com/kinetic/all/libpicocli-java/download

Brian Foster (blfoster) wrote :

Yes, that was the problem:

  3$ stegosuite --version
  stegosuite 0.9

  4$ dpkg-query --status stegosuite libpicocli-java
  Package: stegosuite
  Status: install ok installed
  Priority: optional
  Section: graphics
  Installed-Size: 280
  Maintainer: Ubuntu Developers <email address hidden>
  Architecture: all
  Version: 0.9.0-1
  Depends: default-jre | java11-runtime, libswt-cairo-gtk-4-jni, libswt-gtk-4-jni, libpicocli-java, liblogback-java (>= 1.2.11), libslf4j-java (>= 1.7.32), libswt-gtk-4-java
  Description: […]
  Original-Maintainer: Debian Java Maintainers <email address hidden>
  Homepage: https://codeberg.org/tob/stegosuite

  Package: libpicocli-java
  Status: install ok installed
  Priority: optional
  Section: java
  Installed-Size: 451
  Maintainer: Ubuntu Developers <email address hidden>
  Architecture: all
  Multi-Arch: foreign
  Source: picocli
  Version: 4.6.2-2
  Description: […]
  Original-Maintainer: Debian Java Maintainers <email address hidden>
  Homepage: https://picocli.info

Since it is possible to specify a minimum package version (as I see is done for some of the dependencies already), ▶ Specifying a minimum required version for `libpicocli-java' probably should be done also.

Whether or not the problems (plural) in THIS report have been fixed I do not (yet!) know, albeit the signature problem (not using "$@" in the script) no longer exists as the vastly simplified script appears to be using "$@" correctly. I will test further as time allows; I anticipate it will be some days before I can report back.
