Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package libgtk2-perl.
The only change it contains is a security fix cherry-picked from upstream, and the corresponding test case. I'm in the process of convincing them to request a CVE, and of preparing a security upload for Wheezy.
unblock libgtk2-perl/1.2492-4
Thanks!
diff -Nru libgtk2-perl-1.2492/debian/changelog libgtk2-perl-1.2492/debian/changelog
--- libgtk2-perl-1.2492/debian/changelog 2014-08-29 23:46:41.000000000 +0200
+++ libgtk2-perl-1.2492/debian/changelog 2015-02-18 19:53:25.000000000 +0100
@@ -1,3 +1,10 @@
+libgtk2-perl (2:1.2492-4) unstable; urgency=high
+
+ * Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch:
+ new patch, cherry-picked from upstream, that fixes a security issue.
+
+ -- intrigeri <intrig...@debian.org> Wed, 18 Feb 2015 19:45:09 +0100
+
 libgtk2-perl (2:1.2492-3) unstable; urgency=medium
 
 [ Salvatore Bonaccorso ]
diff -Nru libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
--- libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch 1970-01-01 01:00:00.000000000 +0100
+++ libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch 2015-02-18 19:53:25.000000000 +0100
@@ -0,0 +1,47 @@
+From: Torsten Schönfeld <kaffeeti...@gmx.de>
+Date: Sat, 17 Jan 2015 14:59:24 +0100
+Origin: https://git.gnome.org/browse/perl-Gtk2/commit/?id=4856da628ce37099b27b66a88141dc6daad693b0
+Applied-Upstream: 1.2495
+Subject: Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
+
+We do not own the returned list.
+---
+ t/GdkDisplay.t | 4 +++-
+ xs/GdkDisplay.xs | 2 --
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/t/GdkDisplay.t b/t/GdkDisplay.t
+index d290446..f4aef59 100644
+--- a/t/GdkDisplay.t
++++ b/t/GdkDisplay.t
+@@ -1,7 +1,7 @@
+ #!/usr/bin/perl -w
+ use strict;
+ use Gtk2::TestHelper
+- tests => 26,
++ tests => 27,
+ at_least_version => [2, 2, 0, "GdkDisplay is new in 2.2"];
+
+ # $Id$
+@@ -32,6 +32,8 @@ ok(!$display -> pointer_is_grabbed());
+ # $display -> beep();
+ $display -> sync();
+
++# Do this twice to ensure we did not damage the list.
++isa_ok(($display -> list_devices())[0], "Gtk2::Gdk::Device");
+ isa_ok(($display -> list_devices())[0], "Gtk2::Gdk::Device");
+
+ $display -> put_event(Gtk2::Gdk::Event -> new("button-press"));
+diff --git a/xs/GdkDisplay.xs b/xs/GdkDisplay.xs
+index f558f1d..a019eee 100644
+--- a/xs/GdkDisplay.xs
++++ b/xs/GdkDisplay.xs
+@@ -69,8 +69,6 @@ gdk_display_list_devices (display)
+ devices = gdk_display_list_devices (display);
+ for (i = devices ; i != NULL ; i = i->next)
+ XPUSHs (sv_2mortal (newSVGdkDevice (i->data)));
+- g_list_free (devices);
+-
+
+ GdkEvent* gdk_display_get_event (GdkDisplay *display)
+
diff -Nru libgtk2-perl-1.2492/debian/patches/series libgtk2-perl-1.2492/debian/patches/series
--- libgtk2-perl-1.2492/debian/patches/series 2014-08-29 23:46:41.000000000 +0200
+++ libgtk2-perl-1.2492/debian/patches/series 2015-02-18 19:53:25.000000000 +0100
@@ -1,3 +1,4 @@
 Make_t_GtkCellRenderer.t_more_robust.patch
 30-disable_libgtk_version_check.patch
 fix-typo.patch
+Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
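Review bot: In the xs/GdkDisplay.xs part of the new patch, nothing remains next to the loop to say why `devices` is deliberately not freed, so a later cleanup could reintroduce the `g_list_free` call. A comment above the `for` loop such as `/* The list is owned by GDK; do not free or modify it here. */` would record the ownership rule that the patch description states ("We do not own the returned list"). The second `isa_ok` added in t/GdkDisplay.t only catches the old behaviour when reading the already-freed list happens to fail visibly, which is not guaranteed. It is therefore worth running that test under a memory checker (valgrind or an ASan build) when validating the Wheezy upload. The body of the XS function starts before the hunk, so only the tail of it is reviewed here.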