Hi Julien, I have built a new version 0.48.3.1-1.3 and uploaded it into unstable.
Version 0.48.3.1-1.3 also includes a fix for a second security issue [1] in addition to CVE-2012-5656. A detailed explanation of the fix can be found in the bug report and the upstream bug report [2]. I also fixed the source package as I built it with "git-buildpackage --git-pbuilder" now. Do you want me to file a new unblock request or is this one sufficient? I am attaching all patches showing the differences between 0.48.3.1-1 and 0.48.3.1-1.3. Cheers, Adrian > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654341 > [2] https://bugs.launchpad.net/inkscape/+bug/911146 -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - [email protected] `. `' Freie Universitaet Berlin - [email protected] `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>From fd837b10f2fb8c48a308c4a3ddba8dd79609418d Mon Sep 17 00:00:00 2001
From: Pino Toscano <[email protected]>
Date: Sat, 29 Dec 2012 18:34:12 +0100
Subject: [PATCH 1/6] - switch the libpng12-dev build dependency to libpng-dev - add the libpoppler-private-dev build dependency
---
 debian/control | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index f54b02e..50990b7 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,8 @@ Build-Depends: autoconf,
 liblcms1-dev,
 libmagick++-dev,
 libpango1.0-dev,
- libpng12-dev,
+ libpng-dev,
+ libpoppler-private-dev,
 libpoppler-glib-dev,
 libpopt-dev,
 libsigc++-2.0-dev (>= 2.0.16-2),
-- 
1.7.10.4
>From 0cc17c45fbfd0ca198d61f86a49e082f2499eaa2 Mon Sep 17 00:00:00 2001
From: Pino Toscano <[email protected]>
Date: Sat, 29 Dec 2012 19:00:14 +0100
Subject: [PATCH 2/6] Update Debian changelog for 0.48.3.1-1.1.
---
 debian/changelog | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4f92cf4..d1fdf41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inkscape (0.48.3.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378)
+ * Add the libpoppler-private-dev build dependency (closes: #660987)
+
+ -- Pino Toscano <[email protected]> Fri, 15 Jun 2012 16:40:22 +0200
+
 inkscape (0.48.3.1-1) unstable; urgency=low
 
 * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream
-- 
1.7.10.4
>From f74d957bdac1a39e62d2e12bc8dfd1e191afedaa Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <[email protected]>
Date: Sat, 29 Dec 2012 19:04:14 +0100
Subject: [PATCH 3/6] Add Debian patch to fix vulnerability CVE-2012-5656.
---
 debian/patches/03-CVE-2012-5656.diff | 75 ++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 76 insertions(+)
 create mode 100644 debian/patches/03-CVE-2012-5656.diff
diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff
new file mode 100644
index 0000000..c787ed4
--- /dev/null
+++ b/debian/patches/03-CVE-2012-5656.diff
@@ -0,0 +1,75 @@
+From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <[email protected]>
+Date: Sun, 23 Dec 2012 18:22:16 +0100
+Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix
+ CVE-2012-5656.
+
+---
+ src/preferences-skeleton.h | 4 ++++
+ src/ui/dialog/ocaldialogs.cpp | 10 ++++++++--
+ src/xml/repr-io.cpp | 8 +++++++-
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h
+index 32f4b7c..e4dd2c8 100644
+--- a/src/preferences-skeleton.h
++++ b/src/preferences-skeleton.h
+@@ -315,6 +315,10 @@ static char const preferences_skeleton[] =
+ " clips=\"16711935\"" // 00ff00ff
+ " masks=\"65535\"/>\n" // 0x0000ffff
+ " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n"
++" <group id=\"externalresources\">\n"
++" <group id=\"xml\" "
++" allow_net_access=\"0\"/>\n"
++" </group>\n"
+ " <group id=\"forkgradientvectors\" value=\"1\"/>\n"
+ " <group id=\"iconrender\" named_nodelay=\"0\"/>\n"
+ " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n"
+diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
+index 2ae7d69..63c56f7 100644
+--- a/src/ui/dialog/ocaldialogs.cpp
++++ b/src/ui/dialog/ocaldialogs.cpp
+@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
+ xmlDoc *doc = NULL;
+ xmlNode *root_element = NULL;
+
++ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! 
see bug lp:1025185
++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++ if (!allowNetAccess) {
++ parse_options |= XML_PARSE_NONET;
++ }
++
+ doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
+- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
+- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options);
+ if (doc == NULL) {
+ sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
+ g_warning("Failed to parse %s\n", uri.c_str());
+diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp
+index fa5e9b6..088b505 100644
+--- a/src/xml/repr-io.cpp
++++ b/src/xml/repr-io.cpp
+@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns)
+ XmlSource src;
+
+ if ( (src.setFile(filename) == 0) ) {
++ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185
++ Inkscape::Preferences *prefs = Inkscape::Preferences::get();
++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++ if (!allowNetAccess) {
++ parse_options |= XML_PARSE_NONET;
++ }
+ doc = xmlReadIO( XmlSource::readCb,
+ XmlSource::closeCb,
+ &src,
+ localFilename,
+ src.getEncoding(),
+- XML_PARSE_NOENT );
++ parse_options);
+ }
+ }
+
+-- 
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 08294b7..bd4ef57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01-fix-datamatrix-ui.dpatch
 02-drop-pdf-ps.diff
+03-CVE-2012-5656.diff
-- 
1.7.10.4
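Review bot: In the src/xml/repr-io.cpp part of the embedded patch, `parse_options` starts from `XML_PARSE_HUGE`, a flag the replaced call did not pass; it relaxes libxml2's hard-coded parser limits, which removes a guard against resource exhaustion when opening an untrusted document, and the commit gives no reason for it. Unless very large files are known to need it, I would start from `int parse_options = 0;`, or else add a comment on that line saying why the limits are lifted. Dropping `XML_PARSE_NOENT` also means entity references are no longer substituted at parse time, so documents that rely on internal entities may load differently; that trade-off deserves a sentence in the patch description. In the ocaldialogs.cpp part, `prefs` is read but not declared inside the hunk (the repr-io.cpp part declares its own), and searchTagEntryChangedCallback begins outside the hunk, so confirm a `prefs` pointer is already in scope there.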
>From 9371b35a327ec7b7d5b2201e493ac1730094643d Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <[email protected]>
Date: Sat, 29 Dec 2012 19:04:57 +0100
Subject: [PATCH 4/6] Update Debian changelog for 0.48.3.1-1.2.
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d1fdf41..8505588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
+
+ -- John Paul Adrian Glaubitz <[email protected]> Mon, 24 Dec 2012 00:58:56 +0100
+
 inkscape (0.48.3.1-1.1) unstable; urgency=low
 
 * Non-maintainer upload.
-- 
1.7.10.4
>From 8cf685832e55916a8b2a3ddc3c984ecb12c5d238 Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <[email protected]> Date: Sat, 29 Dec 2012 19:14:56 +0100 Subject: [PATCH 5/6] Add patch to fix upstream vulnerability LP#911146. --- debian/patches/04-fix-LP911146.diff | 32 ++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 33 insertions(+) create mode 100644 debian/patches/04-fix-LP911146.diff diff --git a/debian/patches/04-fix-LP911146.diff b/debian/patches/04-fix-LP911146.diff new file mode 100644 index 0000000..8ef1286 --- /dev/null +++ b/debian/patches/04-fix-LP911146.diff @@ -0,0 +1,32 @@ +From: Michael Karcher <[email protected]> +Date: Sat, 29 Dec 2012 17:33:33 +0100 +Subject: Fix LP: #911146 relative filename vulnerability + +Ensures that filenames passed to extensions are made absolute before +changing the current working directory. +--- + src/extension/implementation/script.cpp | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/extension/implementation/script.cpp b/src/extension/implementation/script.cpp +index b78fbda..02c3aeb 100644 +--- a/src/extension/implementation/script.cpp ++++ b/src/extension/implementation/script.cpp +@@ -954,7 +954,14 @@ int Script::execute (const std::list<std::string> &in_command, + // assemble the rest of argv + std::copy(in_params.begin(), in_params.end(), std::back_inserter(argv)); + if (!filein.empty()) { +- argv.push_back(filein); ++ if(Glib::path_is_absolute(filein)) ++ argv.push_back(filein); ++ else { ++ std::vector<std::string> buildargs; ++ buildargs.push_back(Glib::get_current_dir()); ++ buildargs.push_back(filein); ++ argv.push_back(Glib::build_filename(buildargs)); ++ } + } + + int stdout_pipe, stderr_pipe; + +-- 1.7.10.4 diff --git a/debian/patches/series b/debian/patches/series index bd4ef57..d454438 100644 --- a/debian/patches/series +++ b/debian/patches/series 
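Review bot: The fix in the script.cpp part only holds if this block runs while the process is still in the directory the user's path was relative to, and the hunk does not show where the working directory is changed. Script::execute starts and ends outside the hunk, so that ordering should be confirmed and pinned with a comment such as `// must run before any chdir: filein is resolved against the caller's cwd`. The `else` branch can also drop the temporary vector: `argv.push_back(Glib::build_filename(Glib::get_current_dir(), filein));`. Only `filein` is made absolute here; if any entry of `in_params` can carry a relative path, it would still be resolved after the directory change.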
@@ -1,3 +1,4 @@
 01-fix-datamatrix-ui.dpatch
 02-drop-pdf-ps.diff
 03-CVE-2012-5656.diff
+04-fix-LP911146.diff
-- 
1.7.10.4
>From 70d905765fd7e37c99b2e30cb4d9b95063578b74 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <[email protected]>
Date: Sat, 29 Dec 2012 19:18:17 +0100
Subject: [PATCH 6/6] Update Debian changelog for 0.48.3.1-1.3.
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8505588..0b42ef4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add Debian patch to fix relative filename vulnerability (Closes: #654341).
+
+ -- John Paul Adrian Glaubitz <[email protected]> Sat, 29 Dec 2012 19:15:46 +0100
+
 inkscape (0.48.3.1-1.2) unstable; urgency=low
 
 * Non-maintainer upload.
-- 
1.7.10.4

