Package: tcsh
Version: 6.21.00-1.1
Severity: critical
Justification: causes serious data loss
Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.

Dear Maintainer,

(Apologies for sending this outside the reportbug tool. The tool
refused to send it. If this report gets accepted, I should file
bug reports against reportbug.)

-- System Information:
Distributor ID:    Devuan
Description:    Devuan GNU/Linux 4 (chimaera)
Release:    4
Codename:    chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-20-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages tcsh depends on:
ii  libc6      2.31-13+deb11u5
ii  libcrypt1  1:4.4.18-4
ii  libtinfo6  6.2+20201114-2

tcsh recommends no packages.

tcsh suggests no packages.

-- no debconf information

Square-bracket globbing in this version of tcsh has false
positives, which can cause unintended files to be deleted
(perhaps without being noticed).

To reproduce: In an empty directory do these three commands:

    touch {a,b,c,d,2}{1,2,3}

    echo [a-d]*

    echo [a-d]?

Each of the echo commands prints this (modulo indentation):

    21 22 23 a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

Each of the echo commands SHOULD print this (modulo indentation):

    a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

The man page says this about a hyphen between square brackets:

    Within `[...]', a pair of characters separated by `-' matches
    any character lexically between the two.

"2" is _NOT_ lexically between "a" and "d". Therefore, the
filenames that start with "2" should not be in the glob
expansion.

This bug can result in files being deleted that should not have
been deleted.

I'm told the bug is fixed in the latest upstream version and
possibly earlier.