Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package inkscape

inkscape 0.48.3.1-1.2 contains just one fix to fix the vulnerability CVE-2012-5656 (Debian #696485). Since this is the first NMU for inkscape and the changes of the previous NMU have not yet been committed to the inkscape packaging VCS [1], I am including a set of 4 patches which constitute the changes from 0.48.3.1-1 to 0.48.3.1-1.1 and from 0.48.3.1-1.1 to 0.48.3.1-1.2. Relevant for this unblock are the last two patches only, since the version of inkscape in testing is 0.48.3.1-1.1. I am only including the first two patches so that anyone is able to view the changes as compared to HEAD of the packaging VCS [1].

Relevant bug is #696485 [2].

unblock inkscape/0.48.3.1-1.2

Cheers,
Adrian

[1] git://git.debian.org/git/collab-maint/inkscape.git
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696485

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
>From 3a8117fa7d075eb8db0aee2fa45f59252f1cb02d Mon Sep 17 00:00:00 2001 From: Pino Toscano <[email protected]> Date: Mon, 24 Dec 2012 00:54:40 +0100 Subject: [PATCH 1/4] - switch the libpng12-dev build dependency to libpng-dev (Closes: #662378) - add the libpoppler-private-dev build dependency (Closes: #660987) --- debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index f54b02e..50990b7 100644 --- a/debian/control +++ b/debian/control @@ -22,7 +22,8 @@ Build-Depends: autoconf, liblcms1-dev, libmagick++-dev, libpango1.0-dev, - libpng12-dev, + libpng-dev, + libpoppler-private-dev, libpoppler-glib-dev, libpopt-dev, libsigc++-2.0-dev (>= 2.0.16-2), -- 1.7.10.4
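Review bot: the new `libpoppler-private-dev` line is inserted before `libpoppler-glib-dev`, which breaks the alphabetical ordering the surrounding Build-Depends entries keep (liblcms1-dev, libmagick++-dev, libpango1.0-dev, libpng-dev, libpoppler-glib-dev, libpopt-dev, libsigc++-2.0-dev); move it one line down, after `libpoppler-glib-dev`. The commit subject is also a two-item list with no summary line, so `git log --oneline` will show only "- switch the libpng12-dev build dependency to libpng-dev (Closes: #662378)"; a short first line such as "Adjust libpng and poppler build dependencies" with the two Closes: items in the body would read better.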
>From 5a34d3a6f6b0b0d958710e47a4bec61b4a408ad4 Mon Sep 17 00:00:00 2001 From: Pino Toscano <[email protected]> Date: Mon, 24 Dec 2012 00:57:42 +0100 Subject: [PATCH 2/4] Update Debian changelog for 0.48.3.1-1.1. --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 4f92cf4..d1fdf41 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +inkscape (0.48.3.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378) + * Add the libpoppler-private-dev build dependency (closes: #660987) + + -- Pino Toscano <[email protected]> Fri, 15 Jun 2012 16:40:22 +0200 + inkscape (0.48.3.1-1) unstable; urgency=low * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream -- 1.7.10.4
>From 0a512032d7b98b3e89201d84fb7e09d25add40e9 Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <[email protected]> Date: Mon, 24 Dec 2012 00:58:35 +0100 Subject: [PATCH 3/4] Add Debian patch to fix vulnerability CVE-2012-5656. --- debian/patches/03-CVE-2012-5656.diff | 75 ++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 76 insertions(+) create mode 100644 debian/patches/03-CVE-2012-5656.diff diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff new file mode 100644 index 0000000..c787ed4 --- /dev/null +++ b/debian/patches/03-CVE-2012-5656.diff 
@@ -0,0 +1,75 @@ +From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001 +From: John Paul Adrian Glaubitz <[email protected]> +Date: Sun, 23 Dec 2012 18:22:16 +0100 +Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix + CVE-2012-5656. + +--- + src/preferences-skeleton.h | 4 ++++ + src/ui/dialog/ocaldialogs.cpp | 10 ++++++++-- + src/xml/repr-io.cpp | 8 +++++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h +index 32f4b7c..e4dd2c8 100644 +--- a/src/preferences-skeleton.h ++++ b/src/preferences-skeleton.h +@@ -315,6 +315,10 @@ static char const preferences_skeleton[] = + " clips=\"16711935\"" // 00ff00ff + " masks=\"65535\"/>\n" // 0x0000ffff + " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n" ++" <group id=\"externalresources\">\n" ++" <group id=\"xml\" " ++" allow_net_access=\"0\"/>\n" ++" </group>\n" + " <group id=\"forkgradientvectors\" value=\"1\"/>\n" + " <group id=\"iconrender\" named_nodelay=\"0\"/>\n" + " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n" +diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp +index 2ae7d69..63c56f7 100644 +--- a/src/ui/dialog/ocaldialogs.cpp ++++ b/src/ui/dialog/ocaldialogs.cpp +@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback() + xmlDoc *doc = NULL; + xmlNode *root_element = NULL; + ++ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! 
see bug lp:1025185 ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } ++ + doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback, +- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, +- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR); ++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options); + if (doc == NULL) { + sp_ui_error_dialog(_("Server supplied malformed Clip Art feed")); + g_warning("Failed to parse %s\n", uri.c_str()); +diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp +index fa5e9b6..088b505 100644 +--- a/src/xml/repr-io.cpp ++++ b/src/xml/repr-io.cpp +@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns) + XmlSource src; + + if ( (src.setFile(filename) == 0) ) { ++ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185 ++ Inkscape::Preferences *prefs = Inkscape::Preferences::get(); ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } + doc = xmlReadIO( XmlSource::readCb, + XmlSource::closeCb, + &src, + localFilename, + src.getEncoding(), +- XML_PARSE_NOENT ); ++ parse_options); + } + } + +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index 08294b7..bd4ef57 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 01-fix-datamatrix-ui.dpatch 02-drop-pdf-ps.diff +03-CVE-2012-5656.diff -- 1.7.10.4
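Review bot: in the ocaldialogs.cpp hunk, `prefs->getBool("/options/externalresources/xml/allow_net_access", false)` uses a `prefs` variable that the added lines never declare, whereas the repr-io.cpp hunk does add `Inkscape::Preferences *prefs = Inkscape::Preferences::get();` before its lookup; confirm that `prefs` is already in scope in `searchTagEntryChangedCallback()`, otherwise this hunk will not compile. The same hunk builds the flag word with `+` (`XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR`) and then adds to it with `|=`; bit flags should be combined with `|` throughout so that a flag appearing twice can never carry into a neighbouring bit. In repr-io.cpp the call previously passed `XML_PARSE_NOENT` and now passes `XML_PARSE_HUGE` with `XML_PARSE_NONET` added unless the new preference is set, so entity substitution is switched off as part of the fix and network access is gated on `/options/externalresources/xml/allow_net_access` (default `0` in preferences-skeleton.h); the Debian patch header only says "Apply changes from upstream svn commit 11931" and carries no DEP-3 `Origin:` or `Bug-Debian:` fields, so please add `Origin: upstream, svn commit 11931`, `Bug-Debian: http://bugs.debian.org/696485` and a sentence describing the behaviour change to the patch description.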
>From b1d5c31311cd7f4113b739db99f60b53368c0cac Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <[email protected]> Date: Mon, 24 Dec 2012 01:00:06 +0100 Subject: [PATCH 4/4] Update Debian changelog for 0.48.3.1-1.2. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index d1fdf41..8505588 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +inkscape (0.48.3.1-1.2) unstable; urgency=low + + * Non-maintainer upload. + * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485). + + -- John Paul Adrian Glaubitz <[email protected]> Mon, 24 Dec 2012 00:58:56 +0100 + inkscape (0.48.3.1-1.1) unstable; urgency=low * Non-maintainer upload. -- 1.7.10.4
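Review bot: the new changelog entry uses `urgency=low` for an upload whose only change is the CVE-2012-5656 fix; a security fix intended to migrate during the freeze would normally be uploaded with `urgency=high`. The entry should also name where the fix comes from (upstream svn commit 11931, as the patch header in the previous commit states) so the changelog is self-explanatory without reading debian/patches/03-CVE-2012-5656.diff.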

