Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #787933,
regarding wheezy-pu: package pdf2djvu/0.7.12-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
787933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787933
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hello Debian release,
I propose an update of pdf2djvu in Wheezy, 0.7.12-2+deb7u1.
The patch is a security fix of #784889, already applied in Sid
(closed by 0.7.21-1) and Jessie.
I've build with Sbuild against oldstable, please see the buildlog
here [2]. To prevent the execution of make distclean which fails
I've also just added an empty override for dh_auto_clean.
Please see the attached debdiff for details.
The security has been marked as no-dsa [3], therefore I would
like to upload it as proposed update.
Thanks,
Daniel Stender
[1] http://bugs.debian.org/784889
[2]
http://www.danielstender.com/buildlogs/pdf2djvu_0.7.12-2+deb7u1_amd64-20150606-1546.build
[3] https://security-tracker.debian.org/tracker/source-package/pdf2djvu
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pdf2djvu-0.7.12/debian/changelog pdf2djvu-0.7.12/debian/changelog
--- pdf2djvu-0.7.12/debian/changelog 2012-02-25 14:32:12.000000000 +0100
+++ pdf2djvu-0.7.12/debian/changelog 2015-06-06 15:38:16.000000000 +0200
@@ -1,3 +1,12 @@
+pdf2djvu (0.7.12-2+deb7u1) oldstable; urgency=medium
+
+ * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix
+ of no-dsa security issue (related bug #784889 closed by 0.7.21-1
+ in Sid).
+ * deb/rules: added empty override for dh_auto_clean.
+
+ -- Daniel Stender <[email protected]> Sat, 06 Jun 2015 15:37:38 +0200
+
pdf2djvu (0.7.12-2) unstable; urgency=low
* Add missing pkg-config build-dep (Closes: #661080)
diff -Nru pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff
--- pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 2015-06-06 15:27:39.000000000 +0200
@@ -0,0 +1,20 @@
+Description: fix for security issue
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <[email protected]>
+Origin: https://bitbucket.org/jwilk/pdf2djvu/commits/62c3c48098d6232f09ecabcf8d0176d42b714041
+Bug: https://bugs.debian.org/784889
+
+--- a/pdf2djvu.cc
++++ b/pdf2djvu.cc
+@@ -1537,7 +1537,8 @@
+ }
+ else if (nonwhite_background_color)
+ {
+- TemporaryFile c44_file;
++ TemporaryDirectory c44_dir;
++ TemporaryFile c44_file(c44_dir, "bg.djvu");
+ c44_file.close();
+ { /* Create solid-color PPM image with subsample ratio 12: */
+ TemporaryFile ppm_file;
diff -Nru pdf2djvu-0.7.12/debian/patches/series pdf2djvu-0.7.12/debian/patches/series
--- pdf2djvu-0.7.12/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.12/debian/patches/series 2015-06-06 15:22:54.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-executing-c44.diff
diff -Nru pdf2djvu-0.7.12/debian/rules pdf2djvu-0.7.12/debian/rules
--- pdf2djvu-0.7.12/debian/rules 2012-02-25 14:02:40.000000000 +0100
+++ pdf2djvu-0.7.12/debian/rules 2015-06-06 15:37:35.000000000 +0200
@@ -22,6 +22,8 @@
clean:
dh clean
+override_dh_auto_clean:
+
.PHONY: install
install: install-stamp
install-stamp: build-stamp
--- End Message ---
--- Begin Message ---
Version: 7.9
Hi,
These bugs relate to updates which were included in the 7.9 point
release.
Regards,
Adam
--- End Message ---
