
Bug#946417: RFS: giflib/5.1.9-1 [ITA] -- library for GIF images (utilities) - Fixes CVE's: #904114, #904113



Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "giflib".

 * Package name    : giflib
   Version         : 5.1.9-1
   Upstream Author : https://sourceforge.net/p/giflib/discussion/
 * URL             : http://giflib.sourceforge.net/
 * License         : MIT
 * Vcs             : https://salsa.debian.org/deiv-guest/giflib
   Section         : libs

It builds those binary packages:

giflib-tools - library for GIF images (utilities)
libgif7 - library for GIF images (library)
libgif-dev - library for GIF images (development)

To access further information about this package, please visit the following URL:

https://mentors.debian.net/package/giflib

Alternatively, one can download the package with dget using this command:

dget -x https://mentors.debian.net/debian/pool/main/g/giflib/giflib_5.1.9-1.dsc

Changes since the last upload:

  [ Ondřej Nový ]
  * d/watch: Use https protocol.

  [ Andreas Metzler ]
  * AUTHORS file not shipped anymore, update debian/*.docs.
  * Uses straight make instead of autotools, adapt debian/rules accordingly.
  * Use dh 12 compat level.
  + Update debian/copyright, add Format specifier.

  [ David Suárez ]
  * New upstream version:
    - Add myself as maintainer; Closes: #834410.
    - Fixes heap-based buffer overflow in DGifDecompressLine function.
        CVE-2018-11490 sf#113; Closes: #904114
    - Fixes MemorySanitizer: FPE on unknown address;
        CVE-2019-15133 sf#119: Closes: #904113
  * Acknowledge NMU uploads.
  * d/watch:
    - Bump version.
    - Don't run uupdate.
    - Don't use debian redirector.
  * d/patches:
    - Drop '03-spelling_fixes.patch' and 'CVE-2016-3977.patch';
        Applied upstream.
    - Add 'install-only-distributed-binaries-manuals' patch.
    - Add 'revert-GifQuantizeBuffer-remove-from-lib' patch.
  * d/rules
    - Don't force the rebuilding of manpages, the clean rule does the job.
    - Remove the txt docs from giflib-tools; Not distributed.
    - Remove 'dh_strip --dbgsym-migration'; Not needed anymore.
    - Set DPKG_GENSYMBOLS_CHECK_LEVEL to 4.
  * giflib-tools.manpages: point to the correct ones.
  * d/control:
    - Add 'Rules-Requires-Root' field.
    - Update Standards version; no changes needed.
    - Change VCS URL's.
  * d/libgif7.symbols:
    - Add 'Build-Depends-Package' field.
    - Update symbols.
  * d/copyright:
    - Remove 'doc/gif87.txt'; now not distributed.
    - Add myself on debian/* files.
    - Add 'upstream-{Name,Contact}'.
  * Wrap and sort.
  * Add upstream metadata.
  * Add lintian overrides for some giflib-tools manpages.
  * Add lintian source override for sourceforge redirector.
  * Drop libgif7.shlibs; not needed.



The package is not at the latest upstream version because upstream is currently in the process of removing a symbol from the main library, which breaks some dependent packages (exactimage, mplayer-gui, mplayer, qutemol and xplanet).

The current version just patches the library to revert the symbol removal, to allow the upload without breaking anything (it fixes a pair of CVEs).

The next upload (the latest upstream version) will go to experimental, while I try to ask upstream to install a missing library (libutil.so) that contains the moved symbol (I will ask upstream to rename the library to something more suitable, like libgifutil or so).

In the meantime there are some bugs open on each package to adapt to the new upstream changes (currently we have the latest version in experimental), so they are informed about the changes in the next experimental upload once upstream gets the ABI stable.

Regards,

--

  David

