Hello community,

here is the log from the commit of package a2ps for openSUSE:Factory checked in 
at 2014-04-02 17:17:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/a2ps (Old)
 and      /work/SRC/openSUSE:Factory/.a2ps.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "a2ps"

Changes:
--------
--- /work/SRC/openSUSE:Factory/a2ps/a2ps.changes        2013-12-10 
17:41:52.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.a2ps.new/a2ps.changes   2014-04-02 
17:17:41.000000000 +0200
@@ -1,0 +2,6 @@
+Mon Mar 31 08:08:37 UTC 2014 - wer...@suse.de
+
+- Add patch CVE-2014-0466.diff to fix bnc#871097 - CVE-2014-0466:
+  fixps does not use -dSAFER
+
+-------------------------------------------------------------------

New:
----
  CVE-2014-0466.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ a2ps.spec ++++++
--- /var/tmp/diff_new_pack.eNus3Z/_old  2014-04-02 17:17:42.000000000 +0200
+++ /var/tmp/diff_new_pack.eNus3Z/_new  2014-04-02 17:17:42.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package a2ps
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -62,6 +62,8 @@
 Patch11:        a2ps-4.13-psgen.patch
 Patch12:        a2ps-4.13-gv-arguments.patch
 Patch13:        a2ps-4.13-linker.patch
+# PATCH-FIX-USTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use 
-dSAFER
+Patch14:        CVE-2014-0466.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
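Review bot: The tag in the comment added above Patch14 is misspelled as "PATCH-FIX-USTREAM"; it should read PATCH-FIX-UPSTREAM so that anyone searching the spec file for the standard patch tag finds this entry. The header of CVE-2014-0466.diff also states "Origin: vendor" and cites a Debian bug, so please confirm that the upstream tag is the correct classification for this patch.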
@@ -105,6 +107,7 @@
 %patch -P 11 -p 0 -b .psgen
 %patch -P 12 -p 1 -b .gvarg
 %patch -P 13 -p 0 -b .ldso
+%patch -P 14 -p 1 -b .cve140466
 %patch
 cp -f %SOURCE1 po/ko.po
 rename no nb po/no.*

++++++ CVE-2014-0466.diff ++++++
Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER
 A malicious PostScript file could delete files with the privileges of
 the invoking user.
Origin: vendor
Bug-Debian: http://bugs.debian.org/742902
Author: Salvatore Bonaccorso <car...@debian.org>
Last-Update: 2014-03-28

--- a/contrib/fixps.in
+++ b/contrib/fixps.in
@@ -389,7 +389,7 @@
        eval "$command" ;;
       gs)
         $verbose "$program: making a full rewrite of the file ($gs)." >&2
-       $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f 
"$file" ;;
+       $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c 
save pop -f "$file" ;;
     esac
   )
 fi
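Review bot: Only the gs) branch gets -dSAFER here, while the branch directly above it runs eval "$command", and its contents are not visible in this hunk. Please check whether any command string that reaches that eval can also invoke Ghostscript, and if so, add -dSAFER there as well. Placing the flag before -c and -f in the changed line is correct, since it then applies before the input file is interpreted.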
--- a/contrib/fixps.m4
+++ b/contrib/fixps.m4
@@ -307,7 +307,7 @@
        eval "$command" ;;
       gs)
         $verbose "$program: making a full rewrite of the file ($gs)." >&2
-       $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f 
"$file" ;;
+       $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c 
save pop -f "$file" ;;
     esac
   )
 fi
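Review bot: This is the same one-line change as in contrib/fixps.in, applied at a different offset (line 307 instead of 389), so the two copies now have to be kept in sync by hand. If fixps.in is regenerated from fixps.m4 at any point in the build, please say so in the patch description and explain why both files are patched. That way a later rebase does not drop one of the two hunks and silently reintroduce the gs call without -dSAFER.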
-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
