Hello community,

here is the log from the commit of package a2ps for openSUSE:Factory checked in at 2014-04-02 17:17:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/a2ps (Old)
 and /work/SRC/openSUSE:Factory/.a2ps.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "a2ps" Changes: -------- --- /work/SRC/openSUSE:Factory/a2ps/a2ps.changes 2013-12-10 17:41:52.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.a2ps.new/a2ps.changes 2014-04-02 17:17:41.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Mar 31 08:08:37 UTC 2014 - wer...@suse.de + +- Add patch CVE-2014-0466.diff to fix bnc#871097 - CVE-2014-0466: + fixps does not use -dSAFER + +------------------------------------------------------------------- New: ---- CVE-2014-0466.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ a2ps.spec ++++++ --- /var/tmp/diff_new_pack.eNus3Z/_old 2014-04-02 17:17:42.000000000 +0200 +++ /var/tmp/diff_new_pack.eNus3Z/_new 2014-04-02 17:17:42.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package a2ps # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -62,6 +62,8 @@ Patch11: a2ps-4.13-psgen.patch Patch12: a2ps-4.13-gv-arguments.patch Patch13: a2ps-4.13-linker.patch +# PATCH-FIX-USTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use -dSAFER +Patch14: CVE-2014-0466.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -105,6 +107,7 @@ %patch -P 11 -p 0 -b .psgen %patch -P 12 -p 1 -b .gvarg %patch -P 13 -p 0 -b .ldso +%patch -P 14 -p 1 -b .cve140466 %patch cp -f %SOURCE1 po/ko.po rename no nb po/no.* ++++++ CVE-2014-0466.diff ++++++ Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER A malicious PostScript file could delete files with the privileges of the invoking user. Origin: vendor Bug-Debian: http://bugs.debian.org/742902 Author: Salvatore Bonaccorso <car...@debian.org> Last-Update: 2014-03-28 --- a/contrib/fixps.in +++ b/contrib/fixps.in 
@@ -389,7 +389,7 @@ eval "$command" ;; gs) $verbose "$program: making a full rewrite of the file ($gs)." >&2 - $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;; + $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;; esac ) fi --- a/contrib/fixps.m4 +++ b/contrib/fixps.m4 @@ -307,7 +307,7 @@ eval "$command" ;; gs) $verbose "$program: making a full rewrite of the file ($gs)." >&2 - $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;; + $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;; esac ) fi -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
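Review bot: the tag in the comment added above Patch14 in a2ps.spec is spelled PATCH-FIX-USTREAM and should read PATCH-FIX-UPSTREAM, so that anything matching on the tag finds this patch. The patch header itself says "Origin: vendor" and points at Debian bug 742902, so the comment could name that origin as well as bug 871097.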
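Review bot: in contrib/fixps.in only the gs) branch at line 389 gains -dSAFER, while the branch directly above it still runs eval "$command" unchanged. Please confirm that no command reaching that eval, and no other call in the script, starts Ghostscript without -dSAFER; otherwise the file deletion described in the patch header stays reachable through that path. A sentence in the Description saying which invocations were audited would settle it.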
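Review bot: contrib/fixps.m4 at line 307 receives the same one-line edit by hand as contrib/fixps.in, so the two copies can drift apart on the next rebase of this patch. A build-time check in the spec that fails when a "$gs -q" line in either file lacks -dSAFER would catch a regression in one copy, and the Description should state which of the two files ends up as the installed fixps.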