- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package didjvu/0.2.3-2
- From: Daniel Stender <debian@danielstender.com>
- Date: Sat, 06 Jun 2015 19:54:56 +0200
- Message-id: <20150606175456.17657.68745.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hello release team,
I propose an update of didjvu in wheezy, 0.2.3-2+deb7u1.
The patch is a security fix for #784888 [1] in oldstable; it has already been
applied upstream in sid (closed by 0.4-1) and for 0.2.8-1+deb8u1.
Please see the attached debdiff for details.
I've built the package with Sbuild against wheezy; the buildlog is here [2].
The security team marked this as minor/non-dsa, so I would like to upload
this as a proposed update.
Thanks,
Daniel Stender
[1] https://bugs.debian.org/784888
[2] http://www.danielstender.com/buildlogs/didjvu_0.2.3-2+deb7u1_amd64-20150606-1848.build
[3] https://security-tracker.debian.org/tracker/source-package/didjvu
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru didjvu-0.2.3/debian/changelog didjvu-0.2.3/debian/changelog
--- didjvu-0.2.3/debian/changelog 2012-02-25 19:01:15.000000000 +0100
+++ didjvu-0.2.3/debian/changelog 2015-06-06 18:41:38.000000000 +0200
@@ -1,3 +1,10 @@
+didjvu (0.2.3-2+deb7u1) oldstable; urgency=medium
+
+ * add fix-insecure-use-of-tmp-when-calling-c44.diff on security
+ bug #784888 (closed by 0.4-1 in sid).
+
+ -- Daniel Stender <debian@danielstender.com> Sat, 06 Jun 2015 18:41:01 +0200
+
didjvu (0.2.3-2) unstable; urgency=low
* Renamed and moved dep on xmp-toolkit from Depends to Suggests
diff -Nru didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 2015-06-06 18:05:22.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix of security related bug
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -58,23 +58,23 @@
+
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB_NORMAL):
+ ppm_file = temporary.file(suffix='.ppm')
+- temporaries = [ppm_file]
+ image.save(ppm_file.name)
+- djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+- args = [
+- 'c44',
+- '-dpi', str(dpi),
+- '-slice', ','.join(map(str, slices)),
+- '-gamma', '%.1f' % gamma,
+- '-crcb%s' % _crcb_map[crcb],
+- ]
+- if mask_image is not None:
+- pbm_file = temporary.file(suffix='.pbm')
+- mask_image.save(pbm_file.name)
+- args += ['-mask', pbm_file.name]
+- temporaries += [pbm_file]
+- args += [ppm_file.name, djvu_file.name]
+- return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++ with temporary.directory() as djvu_dir:
++ args = [
++ 'c44',
++ '-dpi', str(dpi),
++ '-slice', ','.join(map(str, slices)),
++ '-gamma', '%.1f' % gamma,
++ '-crcb%s' % _crcb_map[crcb],
++ ]
++ if mask_image is not None:
++ pbm_file = temporary.file(suffix='.pbm')
++ mask_image.save(pbm_file.name)
++ args += ['-mask', pbm_file.name]
++ djvu_path = os.path.join(djvu_dir, 'result.djvu')
++ args += [ppm_file.name, djvu_path]
++ ipc.Subprocess(args).wait()
++ return temporary.hardlink(djvu_path, suffix='.djvu')
+
+ def djvu_to_iw44(djvu_file):
+ # TODO: Use Multichunk.
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++ new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++ os.link(path, new_path)
++ return wrapper(
++ open(new_path, 'r+b'),
++ new_path
++ )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+ kwargs = dict(kwargs)
+@@ -32,6 +41,6 @@
+ finally:
+ shutil.rmtree(tmpdir)
+
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+
+ # vim:ts=4 sw=4 et
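Review bot: `hardlink()` in the lib/temporary.py hunk chooses `new_path` with `name()`, which is `tempfile.mktemp`, and then calls `os.link(path, new_path)` exactly once; `os.link` refuses an existing target, so a guessed name cannot clobber another file (that is what keeps the fix sound), but a collision surfaces as an unhandled `OSError` (EEXIST) instead of being retried the way `tempfile.mkstemp` does. A bounded retry on EEXIST, as below, keeps the create-or-fail property and makes the helper robust; it needs `import errno` next to the `import os` this patch already adds. The function also has no docstring; add `"""Hard-link *path* to a fresh didjvu.* name in the temporary directory and return it opened 'r+b' via the tempfile wrapper."""` and a `# NOTE: tempfile._TemporaryFileWrapper is a private API` on the `wrapper` line. In `photo_to_djvu`, if c44 exits without producing `result.djvu` and `ipc.Subprocess(...).wait()` does not raise (not visible in this hunk), the failure shows up as an ENOENT from `os.link` rather than a c44 error, so a check of the subprocess result before the hardlink would give a clearer message.
```python
def hardlink(path, suffix='', prefix='didjvu.', dir=None):
    # name() is tempfile.mktemp: the name is only reserved once os.link()
    # succeeds, so retry on EEXIST instead of failing on the first collision.
    for _ in range(tempfile.TMP_MAX):
        new_path = name(suffix=suffix, prefix=prefix, dir=dir)
        try:
            os.link(path, new_path)
        except OSError as exc:
            if exc.errno == errno.EEXIST:
                continue
            raise
        break
    else:
        raise IOError(errno.EEXIST, 'no usable temporary file name found')
    # … unchanged: wrapper(open(new_path, 'r+b'), new_path) …
```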
diff -Nru didjvu-0.2.3/debian/patches/series didjvu-0.2.3/debian/patches/series
--- didjvu-0.2.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/series 2015-06-06 17:36:38.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff