Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
Control: tags -1 + pending

On Tue, 2016-10-25 at 18:49 +0200, Andrew Shadura wrote:
> On 25/10/16 18:26, Adam D. Barratt wrote:
> > On 2016-10-25 14:32, Andrew Shadura wrote:
> >> On 25/10/16 15:31, Adam D. Barratt wrote:
> >>> Control: tags -1 + confirmed
> >>>
> >>> On 2016-10-25 10:10, Andrew Shadura wrote:
> >>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
> >>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
> >>>> CVE-2016-8700,
> >>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
[...]
> Indeed, I uploaded a wrong .changes. Sorry for the noise, will re-upload
> shortly.

I've flagged that re-upload for acceptance; thanks.

Regards,

Adam
Processed: Re: Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
Processing control commands:

> tags -1 + pending
Bug #842013 [release.debian.org] jessie-pu: package potrace/1.12-1+deb8u1
Added tag(s) pending.

--
842013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842013
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
On 25/10/16 18:26, Adam D. Barratt wrote:
> On 2016-10-25 14:32, Andrew Shadura wrote:
>> On 25/10/16 15:31, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On 2016-10-25 10:10, Andrew Shadura wrote:
>>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>>>> CVE-2016-8700,
>>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>>>
>>>> Please find the attached debdiff.
>>>
>>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
>>> so, and assuming that the resulting package has been tested on stable,
>>> please go ahead.
>>
>> Yes, it does.
>
> Unfortunately it appears that the uploaded package was not built in a
> (purely) jessie environment, so I'm afraid that I've had to mark it to
> be rejected.
>
> Automated binary debdiffs show:
>
>
> Warning: these package names were in the second list but not in the first:
> --
> libpotrace0-dbgsym
> potrace-dbgsym
> ...
> Files only in first set of .debs, found in package libpotrace0
> --
> -rwxr-xr-x  root/root   DEBIAN/postinst
> -rwxr-xr-x  root/root   DEBIAN/postrm
>
> New files in second set of .debs, found in package libpotrace0
> --
> -rw-r--r--  root/root   DEBIAN/triggers
>
>
> Those changes won't happen if jessie's debhelper was used for the build.
> (The fact that dak didn't reject the package itself is a known issue
> with the *-debug suite checks.)

Indeed, I uploaded a wrong .changes. Sorry for the noise, will re-upload
shortly.

--
Cheers,
Andrew
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
On 2016-10-25 14:32, Andrew Shadura wrote:
> On 25/10/16 15:31, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On 2016-10-25 10:10, Andrew Shadura wrote:
>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>>> CVE-2016-8700,
>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>>
>>> Please find the attached debdiff.
>>
>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
>> so, and assuming that the resulting package has been tested on stable,
>> please go ahead.
>
> Yes, it does.

Unfortunately it appears that the uploaded package was not built in a
(purely) jessie environment, so I'm afraid that I've had to mark it to
be rejected.

Automated binary debdiffs show:

Warning: these package names were in the second list but not in the first:
--
libpotrace0-dbgsym
potrace-dbgsym
...
Files only in first set of .debs, found in package libpotrace0
--
-rwxr-xr-x  root/root   DEBIAN/postinst
-rwxr-xr-x  root/root   DEBIAN/postrm

New files in second set of .debs, found in package libpotrace0
--
-rw-r--r--  root/root   DEBIAN/triggers

Those changes won't happen if jessie's debhelper was used for the build.
(The fact that dak didn't reject the package itself is a known issue
with the *-debug suite checks.)

Regards,

Adam
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
Control: tags -1 + confirmed

On 2016-10-25 10:10, Andrew Shadura wrote:
> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
> CVE-2016-8700,
> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>
> Please find the attached debdiff.

I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
so, and assuming that the resulting package has been tested on stable,
please go ahead.

Regards,

Adam
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
On 25/10/16 15:31, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On 2016-10-25 10:10, Andrew Shadura wrote:
>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>> CVE-2016-8700,
>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>
>> Please find the attached debdiff.
>
> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
> so, and assuming that the resulting package has been tested on stable,
> please go ahead.

Yes, it does.

--
Cheers,
Andrew
Processed: Re: Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
Processing control commands:

> tags -1 + confirmed
Bug #842013 [release.debian.org] jessie-pu: package potrace/1.12-1+deb8u1
Added tag(s) confirmed.

--
842013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842013
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
CVE-2016-8700,
CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.

Please find the attached debdiff.

--
Cheers,
Andrew

diff -Nru potrace-1.12/debian/changelog potrace-1.12/debian/changelog --- potrace-1.12/debian/changelog 2015-04-12 14:15:25.0 +0200 +++ potrace-1.12/debian/changelog 2016-10-25 11:04:34.0 +0200 @@ -1,3 +1,13 @@ +potrace (1.12-1+deb8u1) jessie; urgency=high + + * Non-maintainer upload. + * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696, +CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, +CVE-2016-8700, CVE-2016-8701, CVE-2016-8702, +CVE-2016-8703. + + -- Andrew ShaduraTue, 25 Oct 2016 11:04:34 +0200 + potrace (1.12-1) unstable; urgency=high * New upstream version. diff -Nru potrace-1.12/debian/patches/CVE-2016-8694.patch potrace-1.12/debian/patches/CVE-2016-8694.patch --- potrace-1.12/debian/patches/CVE-2016-8694.patch 1970-01-01 01:00:00.0 +0100 +++ potrace-1.12/debian/patches/CVE-2016-8694.patch 2016-10-25 11:04:08.0 +0200 
@@ -0,0 +1,206 @@ +Author: Peter Selinger +Description: Fix CVE-2016-8694. +Origin: upstream + +--- a/src/bitmap.h b/src/bitmap.h +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + /* The bitmap type is defined in potracelib.h */ + #include "potracelib.h" +@@ -28,7 +29,7 @@ + /* macros for accessing pixel at index (x,y). U* macros omit the +bounds check. */ + +-#define bm_scanline(bm, y) ((bm)->map + (ssize_t)(y)*(ssize_t)(bm)->dy) ++#define bm_scanline(bm, y) ((bm)->map + (ptrdiff_t)(y)*(ptrdiff_t)(bm)->dy) + #define bm_index(bm, x, y) (_scanline(bm, y)[(x)/BM_WORDBITS]) + #define bm_mask(x) (BM_HIBIT >> ((x) & (BM_WORDBITS-1))) + #define bm_range(x, a) ((int)(x) >= 0 && (int)(x) < (a)) +@@ -57,10 +58,10 @@ + static inline potrace_bitmap_t *bm_new(int w, int h) { + potrace_bitmap_t *bm; + int dy = w == 0 ? 0 : (w - 1) / BM_WORDBITS + 1; +- ssize_t size = (ssize_t)dy * (ssize_t)h * (ssize_t)BM_WORDSIZE; ++ ptrdiff_t size = (ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE; + + /* check for overflow error */ +- if (size < 0 || size / h / dy != BM_WORDSIZE) { ++ if (size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)) { + errno = ENOMEM; + return NULL; + } +@@ -83,15 +84,15 @@ + /* clear the given bitmap. Set all bits to c. */ + static inline void bm_clear(potrace_bitmap_t *bm, int c) { + /* Note: if the bitmap was created with bm_new, then it is +- guaranteed that size will fit into the ssize_t type. */ +- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE; ++ guaranteed that size will fit into the ptrdiff_t type. */ ++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE; + memset(bm->map, c ? -1 : 0, size); + } + + /* duplicate the given bitmap. Return NULL on error with errno set. 
*/ + static inline potrace_bitmap_t *bm_dup(const potrace_bitmap_t *bm) { + potrace_bitmap_t *bm1 = bm_new(bm->w, bm->h); +- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE; ++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE; + if (!bm1) { + return NULL; + } +@@ -101,8 +102,8 @@ + + /* invert the given bitmap. */ + static inline void bm_invert(potrace_bitmap_t *bm) { +- ssize_t i; +- ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h; ++ ptrdiff_t i; ++ ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h; + + for (i = 0; i < size; i++) { + bm->map[i] ^= BM_ALLBITS; +--- a/src/bitmap_io.c b/src/bitmap_io.c +@@ -4,7 +4,6 @@ + + + /* Routines for manipulating bitmaps, including reading pbm files. */ +- + #include + + #include "bitmap.h" +@@ -424,6 +423,9 @@ + /* correct y-coordinate for top-down format */ + #define ycorr(y) (bmpinfo.topdown ? bmpinfo.h-1-y : y) + ++/* safe colortable access */ ++#define COLTABLE(c) ((c) < bmpinfo.ncolors ? coltable[(c)] : 0) ++ + /* read BMP stream after magic number. Return values as for bm_read. +We choose to be as permissive as possible, since there are many +programs out there which produce BMP. For instance, ppmtobmp can +@@ -509,6 +511,10 @@ + goto
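Review bot: the added patch's DEP-3 header says only "Description: Fix CVE-2016-8694." and the file is named CVE-2016-8694.patch, while the debian/changelog hunk credits the upload with fixing ten CVEs (CVE-2016-8694 through CVE-2016-8703). Since this one patch is what closes all of them, list every CVE in the Description (and add a Bug/Bug-Debian reference if one exists) so a reviewer does not have to ask, as happened earlier in this thread, whether the single patch covers the whole list.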
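Review bot: in the bm_new hunk the overflow check still computes `(ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE` first and only then tests `size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)`; a signed multiplication that overflows is undefined behaviour in C, so the after-the-fact `size < 0` and divide-back test depends on wrap-around that the compiler may assume never occurs. Checking the factors before multiplying (for example `h > PTRDIFF_MAX / BM_WORDSIZE / dy` once dy and h are known to be non-zero) avoids that. The new `h != 0 && dy != 0` guard is a genuine improvement: the original `size / h / dy` divided by zero for an empty bitmap.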
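Review bot: the new `COLTABLE(c)` macro in bitmap_io.c, `((c) < bmpinfo.ncolors ? coltable[(c)] : 0)`, bounds the index only from above; if `c` can ever be a negative value of a signed type, the comparison succeeds and `coltable[(c)]` reads before the start of the table. The type of the values callers pass is not visible in this hunk, so either compare as unsigned in the macro (`(unsigned)(c) < (unsigned)bmpinfo.ncolors`) or confirm that every call site passes an unsigned index.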