On 14.05.2015 05:09, Salvatore Bonaccorso wrote:
> Hi Daniel
>
> (Disclaimer, not part of the release team, just giving a comment on
> the changelog entry):
>
> On Wed, May 13, 2015 at 10:53:22PM +0200, Daniel Stender wrote:
>> + * add fix-insecure-use-of-tmp-when-calling-c44.diff, fix
>> + of security issue TEMP-0784889-495CCA, see #784888 (closed
>> + in Sid by 0.4-1).
>
> Do not use these temporary items since they can change over time (e.g.
> when a CVE is assigned they do not exist anymore, or even if we change
> some metadata in the security-tracker). So I suggest to just write an
> explanation what the issue is, or -- if a CVE is assigned -- include
> the CVE id.
>
> And you can "Close: #784888" as well, since there is a bug to track
> that issue.
>
> HTH,
>
> Regards,
> Salvatore
Yes, that's better. The CVE request is still pending [1], I'll add this to
the bug then as soon as it's available.

A fresh debdiff attached, I've extracted the temporary refs and added info
about what the patch is for.

DS

[1] http://www.openwall.com/lists/oss-security/2015/05/09/7

-- 
http://qa.debian.org/developer.php?login=debian%40danielstender.com
4096R/DF5182C8 46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
diff -Nru didjvu-0.2.8/debian/changelog didjvu-0.2.8/debian/changelog --- didjvu-0.2.8/debian/changelog 2014-06-19 11:18:11.000000000 +0200 +++ didjvu-0.2.8/debian/changelog 2015-05-14 11:32:09.000000000 +0200 @@ -1,3 +1,10 @@ +didjvu (0.2.8-1+deb8u1) stable; urgency=medium + + * add fix-insecure-use-of-tmp-when-calling-c44.diff on security + issue (Closes: #784888). + + -- Daniel Stender <[email protected]> Thu, 14 May 2015 11:32:04 +0200 + didjvu (0.2.8-1) unstable; urgency=low * New upstream release (Closes: #743677). diff -Nru didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff --- didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 1970-01-01 01:00:00.000000000 +0100 +++ didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 2015-05-14 10:46:16.000000000 +0200 
@@ -0,0 +1,85 @@ +Description: fix of security related bug + Prevents C44 to delete didjvu output file in /tmp or $TMPDIR + and create a new one during IW44 layer processing, + CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7 +Author: Daniel Stender <[email protected]> +Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1 +Bug: https://bugs.debian.org/784888 + +--- a/lib/djvu_extra.py ++++ b/lib/djvu_extra.py +@@ -76,25 +76,25 @@ + + def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB.normal): + ppm_file = temporary.file(suffix='.ppm') +- temporaries = [ppm_file] + image.save(ppm_file.name) +- djvu_file = temporary.file(suffix='.djvu', mode='r+b') + if not isinstance(crcb, Crcb): + raise TypeError +- args = [ +- 'c44', +- '-dpi', str(dpi), +- '-slice', ','.join(map(str, slices)), +- '-gamma', '%.1f' % gamma, +- '-crcb%s' % crcb, +- ] +- if mask_image is not None: +- pbm_file = temporary.file(suffix='.pbm') +- mask_image.save(pbm_file.name) +- args += ['-mask', pbm_file.name] +- temporaries += [pbm_file] +- args += [ppm_file.name, djvu_file.name] +- return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries) ++ with temporary.directory() as djvu_dir: ++ args = [ ++ 'c44', ++ '-dpi', str(dpi), ++ '-slice', ','.join(map(str, slices)), ++ '-gamma', '%.1f' % gamma, ++ '-crcb%s' % crcb, ++ ] ++ if mask_image is not None: ++ pbm_file = temporary.file(suffix='.pbm') ++ mask_image.save(pbm_file.name) ++ args += ['-mask', pbm_file.name] ++ djvu_path = os.path.join(djvu_dir, 'result.djvu') ++ args += [ppm_file.name, djvu_path] ++ ipc.Subprocess(args).wait() ++ return temporary.hardlink(djvu_path, suffix='.djvu') + + def djvu_to_iw44(djvu_file): + # TODO: Use Multichunk. 
+--- a/lib/temporary.py ++++ b/lib/temporary.py +@@ -15,6 +15,7 @@ + + import contextlib + import functools ++import os + import shutil + import tempfile + +@@ -22,6 +23,14 @@ + name = functools.partial(tempfile.mktemp, prefix='didjvu.') + wrapper = tempfile._TemporaryFileWrapper + ++def hardlink(path, suffix='', prefix='didjvu.', dir=None): ++ new_path = name(suffix=suffix, prefix=prefix, dir=dir) ++ os.link(path, new_path) ++ return wrapper( ++ open(new_path, 'r+b'), ++ new_path ++ ) ++ + @contextlib.contextmanager + def directory(*args, **kwargs): + kwargs = dict(kwargs) +@@ -32,6 +41,6 @@ + finally: + shutil.rmtree(tmpdir) + +-__all__ = ['file', 'directory', 'name', 'wrapper'] ++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper'] + + # vim:ts=4 sw=4 et diff -Nru didjvu-0.2.8/debian/patches/series didjvu-0.2.8/debian/patches/series --- didjvu-0.2.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ didjvu-0.2.8/debian/patches/series 2015-05-13 21:01:42.000000000 +0200 @@ -0,0 +1 @@ +fix-insecure-use-of-tmp-when-calling-c44.diff
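Review bot: the new debian/changelog entry in the first hunk still reads only "on security issue", which is exactly the vagueness Salvatore asked to replace: say what the bug is, in the words the patch Description already uses (c44 deleting didjvu's output file in /tmp or $TMPDIR and creating a new one), and add the CVE id once the pending request on oss-security is answered, for example "* add fix-insecure-use-of-tmp-when-calling-c44.diff: c44 was handed an output path in /tmp or $TMPDIR, deleted that file and recreated it under the same name (insecure temporary file handling, CVE pending; Closes: #784888)."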
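Review bot: in the lib/djvu_extra.py hunk, the added line `djvu_path = os.path.join(djvu_dir, 'result.djvu')` relies on `os` being imported in that module, but the only `+import os` in this debdiff is in lib/temporary.py; check that lib/djvu_extra.py already imports `os`, otherwise `photo_to_djvu()` raises NameError on its first call. Two smaller points in the same hunk: `ppm_file` and `pbm_file` are no longer kept in a `temporaries` list, which is safe only because `ipc.Subprocess(args).wait()` now runs synchronously while both wrappers are still in scope (a one-line comment saying so would stop someone from reintroducing the lazy `ipc.Proxy` later), and the return type changes from an `ipc.Proxy` to the `temporary.wrapper` object that `hardlink()` returns, so callers of `photo_to_djvu()` should be checked against that.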
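Review bot: in the lib/temporary.py hunk, `hardlink()` picks its target with `name()`, i.e. `tempfile.mktemp`, which is the racy primitive the rest of this patch is moving away from; it is acceptable here only because `os.link(path, new_path)` refuses to replace an existing `new_path` (EEXIST) rather than clobbering it, so a guessed name makes the call fail instead of redirecting the write. Make that explicit with a retry on `OSError` where `e.errno == errno.EEXIST` around the `os.link` call, and document that a non-default `dir` on a different filesystem from the one `directory()` creates will make `os.link` fail with EXDEV, since the link source lives inside that directory.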
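To make the bug the attached patch fixes concrete, here is an added example (not didjvu's code and not part of Daniel's debdiff) that contrasts the old pattern, a NamedTemporaryFile path in $TMPDIR handed to the encoder, with the private-directory plus hard-link pattern the patch adopts. `simulated_c44` is a constructed stand-in that only imitates the behaviour the patch Description attributes to c44 (unlink the output path, then create a new file there); `vulnerable_photo_to_djvu`, `hardened_photo_to_djvu`, `hardlink_out` and `demo` are names chosen for this example, and `hardlink_out` uses random names with a retry instead of the patch's `tempfile.mktemp`.

```python
import os
import secrets
import shutil
import tempfile


def simulated_c44(out_path, payload=b"AT&TFORM DJVU IW44 (constructed)"):
    # Constructed stand-in for the external c44 encoder: like c44 it does not
    # write into the caller's already open file, it unlinks the output path
    # and creates a brand-new file there.
    try:
        os.unlink(out_path)
    except FileNotFoundError:
        pass
    with open(out_path, "wb") as fh:
        fh.write(payload)
    return payload


def vulnerable_photo_to_djvu(tmpdir):
    """Old pattern: pass the name of a NamedTemporaryFile to c44.

    Returns (bytes seen through the still-open handle, bytes at the path).
    The handle keeps referring to the inode c44 unlinked, so it reads nothing,
    and between unlink and create the name is free in a shared directory."""
    djvu_file = tempfile.NamedTemporaryFile(suffix=".djvu", mode="r+b",
                                            dir=tmpdir, delete=False)
    try:
        simulated_c44(djvu_file.name)
        djvu_file.seek(0)
        via_handle = djvu_file.read()
        with open(djvu_file.name, "rb") as fh:
            via_path = fh.read()
        return via_handle, via_path
    finally:
        djvu_file.close()
        os.unlink(djvu_file.name)


def hardlink_out(path, suffix="", prefix="didjvu.", dir=None):
    """Expose a file from a private directory under a fresh name in `dir`.

    os.link() fails with EEXIST instead of replacing an existing path, so a
    guessed name can only make us retry, never clobber someone else's file."""
    dir = dir or tempfile.gettempdir()
    while True:
        new_path = os.path.join(dir, prefix + secrets.token_hex(8) + suffix)
        try:
            os.link(path, new_path)
        except FileExistsError:
            continue
        return open(new_path, "r+b")


def hardened_photo_to_djvu(tmpdir):
    """Patched pattern: let c44 create its file inside a mkdtemp() directory
    (mode 0700, so no other user can race on names in it), then hard-link
    the finished result out. Returns (open file object, its path)."""
    djvu_dir = tempfile.mkdtemp(prefix="didjvu.", dir=tmpdir)
    try:
        djvu_path = os.path.join(djvu_dir, "result.djvu")
        simulated_c44(djvu_path)
        result = hardlink_out(djvu_path, suffix=".djvu", dir=tmpdir)
        return result, result.name
    finally:
        shutil.rmtree(djvu_dir)  # the hard link keeps the inode alive


def demo():
    """Run both variants in a scratch directory; returns the three byte
    strings (old handle, old path, hardened result)."""
    tmpdir = tempfile.mkdtemp(prefix="didjvu-demo.")
    try:
        via_handle, via_path = vulnerable_photo_to_djvu(tmpdir)
        result, path = hardened_photo_to_djvu(tmpdir)
        try:
            got = result.read()
        finally:
            result.close()
            os.unlink(path)
        return via_handle, via_path, got
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Running it shows the old handle reading an empty file while the data sits at a path the process never controlled, and the hardened variant reading the encoder's output through a link it created itself; `shutil.rmtree(djvu_dir)` runs before the caller reads, which is the same ordering as `temporary.directory()` in the patch, and the hard link is what keeps the content reachable.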

