Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-28 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2016-10-25 at 18:49 +0200, Andrew Shadura wrote:
> On 25/10/16 18:26, Adam D. Barratt wrote:
> > On 2016-10-25 14:32, Andrew Shadura wrote:
> >> On 25/10/16 15:31, Adam D. Barratt wrote:
> >>> Control: tags -1 + confirmed
> >>>
> >>> On 2016-10-25 10:10, Andrew Shadura wrote:
> >>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
> >>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
> >>>> CVE-2016-8700,
> >>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
[...]
> Indeed, I uploaded a wrong .changes. Sorry for the noise, will re-upload
> shortly.

I've flagged that re-upload for acceptance; thanks.

Regards,

Adam



Processed: Re: Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #842013 [release.debian.org] jessie-pu: package potrace/1.12-1+deb8u1
Added tag(s) pending.

-- 
842013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842013
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Andrew Shadura
On 25/10/16 18:26, Adam D. Barratt wrote:
> On 2016-10-25 14:32, Andrew Shadura wrote:
>> On 25/10/16 15:31, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On 2016-10-25 10:10, Andrew Shadura wrote:
>>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>>>> CVE-2016-8700,
>>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>>>
>>>> Please find the attached debdiff.
>>>
>>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
>>> so, and assuming that the resulting package has been tested on stable,
>>> please go ahead.
>>
>> Yes, it does.
> 
> Unfortunately it appears that the uploaded package was not built in a
> (purely) jessie environment, so I'm afraid that I've had to mark it to
> be rejected.
> 
> Automated binary debdiffs show:
> 
> 
> Warning: these package names were in the second list but not in the first:
> --
> libpotrace0-dbgsym
> potrace-dbgsym
> ...
> Files only in first set of .debs, found in package libpotrace0
> --
> -rwxr-xr-x  root/root   DEBIAN/postinst
> -rwxr-xr-x  root/root   DEBIAN/postrm
> 
> New files in second set of .debs, found in package libpotrace0
> --
> -rw-r--r--  root/root   DEBIAN/triggers
> 
> 
> Those changes won't happen if jessie's debhelper was used for the build.
> (The fact that dak didn't reject the package itself is a known issue
> with the *-debug suite checks.)

Indeed, I uploaded a wrong .changes. Sorry for the noise, will re-upload
shortly.

-- 
Cheers,
  Andrew



Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Adam D. Barratt

On 2016-10-25 14:32, Andrew Shadura wrote:
> On 25/10/16 15:31, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On 2016-10-25 10:10, Andrew Shadura wrote:
>>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>>> CVE-2016-8700,
>>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>>
>>> Please find the attached debdiff.
>>
>> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
>> so, and assuming that the resulting package has been tested on stable,
>> please go ahead.
> 
> Yes, it does.

Unfortunately it appears that the uploaded package was not built in a 
(purely) jessie environment, so I'm afraid that I've had to mark it to 
be rejected.


Automated binary debdiffs show:


Warning: these package names were in the second list but not in the first:

--
libpotrace0-dbgsym
potrace-dbgsym
...
Files only in first set of .debs, found in package libpotrace0
--
-rwxr-xr-x  root/root   DEBIAN/postinst
-rwxr-xr-x  root/root   DEBIAN/postrm

New files in second set of .debs, found in package libpotrace0
--
-rw-r--r--  root/root   DEBIAN/triggers


Those changes won't happen if jessie's debhelper was used for the build. 
(The fact that dak didn't reject the package itself is a known issue 
with the *-debug suite checks.)


Regards,

Adam
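
A pre-upload check that would have caught the symptom Adam describes above, added here as an example for this page (it is not a script from the bug thread or from Debian's tooling). It parses a constructed .changes file and flags -dbgsym binaries, a wrong Distribution field and a version without the +deb8uN stable-update suffix; it does not unpack the .debs, so the DEBIAN/triggers difference is outside its scope.

```shell
#!/bin/sh
# Sanity check for a jessie-pu upload: reads a .changes file and reports
# signs that the package was not built in a plain jessie chroot.
# Added example for this page; the sample .changes below is constructed.

# Write a constructed .changes resembling the rejected upload to $1.
write_sample_changes() {
  cat > "$1" <<'EOF'
Format: 1.8
Source: potrace
Binary: libpotrace-dev libpotrace0 libpotrace0-dbgsym potrace potrace-dbgsym
Architecture: source amd64
Version: 1.12-1+deb8u1
Distribution: jessie
EOF
}

# Print one finding per line; return 1 if anything looks wrong, 0 if clean.
check_changes() {
  changes=$1
  rc=0
  dist=$(sed -n 's/^Distribution: *//p' "$changes")
  version=$(sed -n 's/^Version: *//p' "$changes")
  binaries=$(sed -n 's/^Binary: *//p' "$changes")
  if [ "$dist" != "jessie" ]; then
    echo "Distribution is '$dist', expected jessie"
    rc=1
  fi
  case $version in
    *+deb8u*) ;;
    *) echo "Version '$version' lacks the +deb8uN stable-update suffix"; rc=1 ;;
  esac
  # Word-split on purpose: one package name per word.
  for b in $binaries; do
    case $b in
      *-dbgsym)
        # jessie's debhelper never generates -dbgsym packages, so their
        # presence means a newer debhelper (and so a non-jessie chroot).
        echo "Automatic debug package '$b': built with a newer debhelper than jessie's"
        rc=1 ;;
    esac
  done
  return $rc
}

# Number of findings for a file, for callers that want a count.
count_findings() {
  check_changes "$1" | wc -l | tr -d ' '
}
```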



Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2016-10-25 10:10, Andrew Shadura wrote:
> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
> CVE-2016-8700,
> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>
> Please find the attached debdiff.


I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If 
so, and assuming that the resulting package has been tested on stable, 
please go ahead.


Regards,

Adam



Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Andrew Shadura
On 25/10/16 15:31, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2016-10-25 10:10, Andrew Shadura wrote:
>> I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
>> CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
>> CVE-2016-8700,
>> CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.
>>
>> Please find the attached debdiff.
> 
> I assume "CVE-2016-8694.patch" actually fixes all of the listed CVEs? If
> so, and assuming that the resulting package has been tested on stable,
> please go ahead.

Yes, it does.

-- 
Cheers,
  Andrew



Processed: Re: Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #842013 [release.debian.org] jessie-pu: package potrace/1.12-1+deb8u1
Added tag(s) confirmed.




Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1

2016-10-25 Thread Andrew Shadura
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700,
CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.

Please find the attached debdiff.

-- 
Cheers,
  Andrew

diff -Nru potrace-1.12/debian/changelog potrace-1.12/debian/changelog
--- potrace-1.12/debian/changelog	2015-04-12 14:15:25.0 +0200
+++ potrace-1.12/debian/changelog	2016-10-25 11:04:34.0 +0200
@@ -1,3 +1,13 @@
+potrace (1.12-1+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696,
+CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
+CVE-2016-8700, CVE-2016-8701, CVE-2016-8702,
+CVE-2016-8703.
+
+ -- Andrew Shadura   Tue, 25 Oct 2016 11:04:34 +0200
+
 potrace (1.12-1) unstable; urgency=high
 
   * New upstream version.
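Review bot: the changelog entry gives only the ten CVE identifiers; add a short description of each class of issue and where it is fixed (the patch below shows at least two: the integer-overflow guard in bm_new and the bounds-checked colour-table lookup in bitmap_io.c) and name the upstream version the fix is backported from, since this text is what users of the stable update will read. The continuation lines `+CVE-2016-8697, ...` appear without the usual four-space indent in this copy, and the trailer `-- Andrew Shadura   Tue, 25 Oct 2016 ...` has no `<address>` between name and date; both would trip dpkg-parsechangelog, so confirm they are intact in the uploaded file.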
diff -Nru potrace-1.12/debian/patches/CVE-2016-8694.patch potrace-1.12/debian/patches/CVE-2016-8694.patch
--- potrace-1.12/debian/patches/CVE-2016-8694.patch	1970-01-01 01:00:00.0 +0100
+++ potrace-1.12/debian/patches/CVE-2016-8694.patch	2016-10-25 11:04:08.0 +0200
@@ -0,0 +1,206 @@
+Author: Peter Selinger 
+Description: Fix CVE-2016-8694.
+Origin: upstream
+
+--- a/src/bitmap.h
 b/src/bitmap.h
+@@ -8,6 +8,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ /* The bitmap type is defined in potracelib.h */
+ #include "potracelib.h"
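Review bot: the added `+#include` line in the bitmap.h hunk has lost its header name in this copy, as have the three existing includes above it; since the rest of the patch replaces `ssize_t` with `ptrdiff_t`, the new include needs to be the header that defines `ptrdiff_t` (`<stddef.h>` in standard C), which is worth confirming against the uploaded file. The motivation for the type change deserves a line in the patch header as well: `ssize_t` is a POSIX type that is not guaranteed to exist in every C environment, whereas `ptrdiff_t` is standard C and is the natural type for a byte offset into `map`.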
+@@ -28,7 +29,7 @@
+ /* macros for accessing pixel at index (x,y). U* macros omit the
+bounds check. */
+ 
+-#define bm_scanline(bm, y) ((bm)->map + (ssize_t)(y)*(ssize_t)(bm)->dy)
++#define bm_scanline(bm, y) ((bm)->map + (ptrdiff_t)(y)*(ptrdiff_t)(bm)->dy)
+ #define bm_index(bm, x, y) (_scanline(bm, y)[(x)/BM_WORDBITS])
+ #define bm_mask(x) (BM_HIBIT >> ((x) & (BM_WORDBITS-1)))
+ #define bm_range(x, a) ((int)(x) >= 0 && (int)(x) < (a))
+@@ -57,10 +58,10 @@
+ static inline potrace_bitmap_t *bm_new(int w, int h) {
+   potrace_bitmap_t *bm;
+   int dy = w == 0 ? 0 : (w - 1) / BM_WORDBITS + 1;
+-  ssize_t size = (ssize_t)dy * (ssize_t)h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE;
+ 
+   /* check for overflow error */
+-  if (size < 0 || size / h / dy != BM_WORDSIZE) {
++  if (size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)) {
+ errno = ENOMEM;
+ return NULL;
+   }
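Review bot: the new overflow check in bm_new fixes a division by zero, not an overflow: the old `size / h / dy != BM_WORDSIZE` test divided by `h` and `dy` unconditionally, so a zero-height bitmap, or `w == 0` (which makes `dy` zero), was undefined behaviour before any overflow test ran, and the `h != 0 && dy != 0 &&` guard is the right fix for that. What the hunk still does not address is negative input: nothing visible here rejects `w < 0` or `h < 0`, and with `w` negative enough `dy` goes negative too, so a negative `h` times a negative `dy` gives a positive `size` that passes both `size < 0` and the division test. Either reject negative dimensions up front or add a comment stating where the caller guarantees them, so the next reader does not have to repeat this analysis.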
+@@ -83,15 +84,15 @@
+ /* clear the given bitmap. Set all bits to c. */
+ static inline void bm_clear(potrace_bitmap_t *bm, int c) {
+   /* Note: if the bitmap was created with bm_new, then it is
+- guaranteed that size will fit into the ssize_t type. */
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++ guaranteed that size will fit into the ptrdiff_t type. */
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   memset(bm->map, c ? -1 : 0, size);
+ }
+ 
+ /* duplicate the given bitmap. Return NULL on error with errno set. */
+ static inline potrace_bitmap_t *bm_dup(const potrace_bitmap_t *bm) {
+   potrace_bitmap_t *bm1 = bm_new(bm->w, bm->h);
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   if (!bm1) {
+ return NULL;
+   }
+@@ -101,8 +102,8 @@
+ 
+ /* invert the given bitmap. */
+ static inline void bm_invert(potrace_bitmap_t *bm) {
+-  ssize_t i;
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h;
++  ptrdiff_t i;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h;
+ 
+   for (i = 0; i < size; i++) {
+ bm->map[i] ^= BM_ALLBITS;
+--- a/src/bitmap_io.c
 b/src/bitmap_io.c
+@@ -4,7 +4,6 @@
+ 
+ 
+ /* Routines for manipulating bitmaps, including reading pbm files. */
+-
+ #include 
+ 
+ #include "bitmap.h"
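Review bot: the removal of the blank line after the "Routines for manipulating bitmaps" comment is an unrelated whitespace change; for a stable security backport it is better dropped so the debdiff contains only the fix, even when the patch is carried verbatim from upstream.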
+@@ -424,6 +423,9 @@
+ /* correct y-coordinate for top-down format */
+ #define ycorr(y) (bmpinfo.topdown ? bmpinfo.h-1-y : y)
+ 
++/* safe colortable access */
++#define COLTABLE(c) ((c) < bmpinfo.ncolors ? coltable[(c)] : 0)
++
+ /* read BMP stream after magic number. Return values as for bm_read.
+We choose to be as permissive as possible, since there are many
+programs out there which produce BMP. For instance, ppmtobmp can
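Review bot: the COLTABLE macro guards the upper bound only; `(c) < bmpinfo.ncolors` is true for any negative `c` if `c` has a signed type, so confirm that every call site passes a value taken from an unsigned byte or bit extraction, or compare after casting to `unsigned`. Returning 0 for an out-of-range index also silently maps a bad palette index to colour 0 rather than rejecting the file; that is consistent with the "as permissive as possible" comment just below, but it should be stated in the macro's own comment so that nobody later turns it into an error path without knowing the intent.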
+@@ -509,6 +511,10 @@
+ goto