eog security update for Wheezy LTS
Hi,
I have prepared an update for eog in Wheezy.
Please see the diff to the previous version attached. A practically
identical changeset has been added to the packaging repository
for a later jessie update.
Changes:
eog (3.4.2-1+build1+deb7u1) wheezy-security; urgency=medium
.
* Team Upload
* Make sure error messages are valid UTF8. This fixes out-of-bounds
write when passing invalid UTF-8 to GMarkup (CVE-2016-6855)
The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
I plan on uploading the package for wheezy-security tomorrow night.
Cheers,
Balint
diff -Nru eog-3.4.2/debian/changelog eog-3.4.2/debian/changelog
--- eog-3.4.2/debian/changelog 2012-08-05 21:00:27.000000000 +0200
+++ eog-3.4.2/debian/changelog 2016-08-27 21:42:59.000000000 +0200
@@ -1,3 +1,11 @@
+eog (3.4.2-1+build1+deb7u1) wheezy-security; urgency=medium
+
+ * Team Upload
+ * Make sure error messages are valid UTF8. This fixes out-of-bounds
+ write when passing invalid UTF-8 to GMarkup (CVE-2016-6855)
+
+ -- Balint Reczey <balint@balintreczey.hu> Sat, 27 Aug 2016 12:41:44 +0200
+
eog (3.4.2-1+build1) unstable; urgency=low
* No source changes; rebuild with xz compression.
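Review bot: the new changelog entry states the out-of-bounds write unconditionally, while the upstream commit message carried in the patch scopes it to "glib before 2.44.1"; repeating that scope here (and that the wheezy glib is within it, if so) makes the security impact of the entry verifiable from the changelog alone. Minor: the same sentence uses both "UTF8" and "UTF-8"; pick one spelling.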
diff -Nru eog-3.4.2/debian/control eog-3.4.2/debian/control
--- eog-3.4.2/debian/control 2012-08-05 21:04:24.000000000 +0200
+++ eog-3.4.2/debian/control 2016-08-27 21:45:35.000000000 +0200
@@ -2,7 +2,6 @@
#
# Modifications should be made to debian/control.in instead.
# This file is regenerated automatically in the clean target.
-
Source: eog
Section: gnome
Priority: optional
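Review bot: the only change in this hunk is the removal of a blank line after the "regenerated automatically in the clean target" comment, which is unrelated to CVE-2016-6855 and looks like an artifact of debian/control being regenerated from debian/control.in rather than an intended edit. Either drop it to keep the security diff minimal, or mention it in the changelog so the delta is accounted for.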
diff -Nru eog-3.4.2/debian/patches/0001-EogErrorMessageArea-Make-sure-error-messages-are-val.patch eog-3.4.2/debian/patches/0001-EogErrorMessageArea-Make-sure-error-messages-are-val.patch
--- eog-3.4.2/debian/patches/0001-EogErrorMessageArea-Make-sure-error-messages-are-val.patch 1970-01-01 01:00:00.000000000 +0100
+++ eog-3.4.2/debian/patches/0001-EogErrorMessageArea-Make-sure-error-messages-are-val.patch 2016-08-27 12:41:17.000000000 +0200
@@ -0,0 +1,47 @@
+From e99a8c00f959652fe7c10e2fa5a3a7a5c25e6af4 Mon Sep 17 00:00:00 2001
+From: Felix Riemann <friemann@gnome.org>
+Date: Sun, 21 Aug 2016 15:56:46 +0200
+Subject: [PATCH] EogErrorMessageArea: Make sure error messages are valid UTF8
+
+GMarkup requires valid UTF8 input strings and would cause odd
+looking messages if given invalid input. This could also trigger an
+out-of-bounds write in glib before 2.44.1. Reported by kaslovdmitri.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=770143
+---
+ src/eog-error-message-area.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/eog-error-message-area.c b/src/eog-error-message-area.c
+index 22de7b1..938ba96 100644
+--- a/src/eog-error-message-area.c
++++ b/src/eog-error-message-area.c
+@@ -28,6 +28,7 @@
+
+ #include "eog-error-message-area.h"
+ #include "eog-image.h"
++#include "eog-util.h"
+
+ #include <glib.h>
+ #include <glib/gi18n.h>
+@@ -218,7 +219,7 @@ eog_image_load_error_message_area_new (const gchar *caption,
+ error_message = g_strdup_printf (_("Could not load image '%s'."),
+ pango_escaped_caption);
+
+- message_details = g_strdup (error->message);
++ message_details = eog_util_make_valid_utf8 (error->message);
+
+ message_area = create_error_message_area (error_message,
+ message_details,
+@@ -260,7 +261,7 @@ eog_image_save_error_message_area_new (const gchar *caption,
+ error_message = g_strdup_printf (_("Could not save image '%s'."),
+ pango_escaped_caption);
+
+- message_details = g_strdup (error->message);
++ message_details = eog_util_make_valid_utf8 (error->message);
+
+ message_area = create_error_message_area (error_message,
+ message_details,
+--
+2.1.4
+
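Review bot: the patch adds `#include "eog-util.h"` and replaces `g_strdup (error->message)` with `eog_util_make_valid_utf8 (error->message)` in both the load and save paths, but defines no such function, so it relies on eog 3.4.2's eog-util already providing it; since the upstream commit targets a newer eog, a build log or a one-line note confirming that the function exists in 3.4.2 would make this reviewable. Worth confirming at the same time that its return value is newly allocated, as `g_strdup`'s was, so the existing free of `message_details` still matches ownership.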
diff -Nru eog-3.4.2/debian/patches/series eog-3.4.2/debian/patches/series
--- eog-3.4.2/debian/patches/series 2012-04-19 03:57:58.000000000 +0200
+++ eog-3.4.2/debian/patches/series 2016-08-27 12:41:34.000000000 +0200
@@ -0,0 +1 @@
+0001-EogErrorMessageArea-Make-sure-error-messages-are-val.patch