
Bug#778387: squeeze update of cups?



On Fri, 2015-02-27 at 03:17 +0000, Ben Hutchings wrote:
> On Mon, 2015-02-23 at 18:38 +0100, Didier 'OdyX' Raboud wrote:
> > Hi,
> > 
> > On Monday, 23 February 2015, 11.58:33 Raphael Hertzog wrote:
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of your package:
> > > https://security-tracker.debian.org/tracker/CVE-2014-9679
> > > 
> > > Would you like to take care of this yourself?
> > > 
> > > If yes, please follow the workflow we have defined here:
> > > http://wiki.debian.org/LTS/Development
> > 
> > I will, but keep in mind that we're still discussing the Wheezy patch 
> > with the security team, so I'd like to get that fixed too (ideally 
> > first).
> > 
> > That said, the part from the upstream patch that we're discussing 
> > doesn't apply to Squeeze(-LTS), so we might as well upload the patch as-
> > is.
> >
> > Proposed debdiff attached.
> 
> This does not fix the bug!

I cherry-picked git commit 6c087a72a0708bcb7929955c75770ee364755c42
("Add some range checking (probably more to come) to avoid divide-by-0
errors."), after which the critical hunk of the patch for CVE-2014-9679
applied cleanly.  With Didier's original patch,

    zcat bogus.raster.gz | rastertohp foo bar baz 1 ''

still crashes (segmentation fault).  With the two patches applied, it
fails cleanly (no pages found).  I was still able to print a test page
(though I'm not certain that this uses the raster filter code in my
configuration).

So I've uploaded with those two patches applied.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
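
The check described in the message above (segmentation fault versus clean failure on the bogus raster file) can be scripted so the verdict comes from the exit status rather than from terminal output. This is an added example, not part of the original message or the Debian package; the function names are hypothetical, and the invocation shown in the comment reuses the command line from the message.

```shell
#!/bin/sh
# Added example: classify how a filter run ended, so a backported fix can
# be checked before and after patching. Function names are hypothetical.

# Map a shell exit status to a verdict.
# Statuses above 128 mean the process was killed by signal (status - 128),
# e.g. 139 = 128 + 11 (SIGSEGV). 126/127 mean the command never ran, which
# must not be mistaken for a clean failure of the filter.
classify_exit() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    elif [ "$rc" -gt 128 ]; then
        echo "crash:signal-$((rc - 128))"
    elif [ "$rc" -eq 126 ] || [ "$rc" -eq 127 ]; then
        echo "not-run:$rc"
    else
        echo "clean-fail:$rc"
    fi
}

# Decompress $1 onto the stdin of the filter command given in the
# remaining arguments, then print the verdict for the filter.
run_filter_case() {
    input=$1; shift
    rc=0
    # A pipeline's status is that of its last command, i.e. the filter.
    # The "|| rc=$?" form keeps this usable under "set -e".
    zcat "$input" 2>/dev/null | "$@" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# Usage with the command line from the message:
#   run_filter_case bogus.raster.gz rastertohp foo bar baz 1 ''
```

Run it against the unpatched and patched builds: per the message, the first should report a crash and the second a clean failure.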
