tag 687274 pending tag 687300 pending thanks Hi, Bastien ROUCARIES <roucaries.bastien@gmail.com> (17/09/2012): > If you do a nmu they are a few rc bug with patch. Wil post you the > list tomorrow. I haven't received any news so I've decided to go ahead and fix the CVE along with the xz compression. Please find attached the source debdiff for my NMU. Mraw, KiBi.
diff -Nru ghostscript-9.05~dfsg/debian/changelog ghostscript-9.05~dfsg/debian/changelog --- ghostscript-9.05~dfsg/debian/changelog 2012-05-24 20:02:46.000000000 +0200 +++ ghostscript-9.05~dfsg/debian/changelog 2012-09-22 01:22:02.000000000 +0200 @@ -1,3 +1,13 @@ +ghostscript (9.05~dfsg-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Apply security patch for CVE-2012-4405 (Closes: #687274): error out if + inputChan is strictly less than 1 in icmLut_read(), thanks to Nico + Golde for the pointers. + * Enable xz compression for all binaries (Closes: #687300). + + -- Cyril Brulebois <kibi@debian.org> Sat, 22 Sep 2012 01:18:12 +0200 + ghostscript (9.05~dfsg-6) unstable; urgency=low * Fix symlink to DroidSans. diff -Nru ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch --- ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch 1970-01-01 01:00:00.000000000 +0100 +++ ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch 2012-09-22 01:17:58.000000000 +0200 @@ -0,0 +1,14 @@ +--- a/icclib/icc.c ++++ b/icclib/icc.c +@@ -4996,6 +4996,11 @@ static int icmLut_read( + p->clutPoints = read_UInt8Number(bp+10); + + /* Sanity check */ ++ if (p->inputChan < 1) { ++ sprintf(icp->err,"icmLut_read: No input channels!"); ++ return icp->errc = 1; ++ } ++ + if (p->inputChan > MAX_CHAN) { + sprintf(icp->err,"icmLut_read: Can't handle > %d input channels\n",MAX_CHAN); + return icp->errc = 1; diff -Nru ghostscript-9.05~dfsg/debian/patches/series ghostscript-9.05~dfsg/debian/patches/series --- ghostscript-9.05~dfsg/debian/patches/series 2012-05-24 18:57:49.000000000 +0200 +++ ghostscript-9.05~dfsg/debian/patches/series 2012-09-22 01:13:15.000000000 +0200 @@ -6,3 +6,4 @@ 2001_docdir_fix_for_debian.patch 2002_gs_man_fix_debian.patch 2003_support_multiarch.patch +CVE-2012-4405.patch diff -Nru ghostscript-9.05~dfsg/debian/rules ghostscript-9.05~dfsg/debian/rules --- ghostscript-9.05~dfsg/debian/rules 2012-05-24 20:02:46.000000000 +0200 +++ ghostscript-9.05~dfsg/debian/rules 2012-09-22 01:22:34.000000000 +0200 @@ -17,6 +17,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. +# Use xz compression: +DEB_DH_BUILDDEB_ARGS ?= -u-Zxz + # This needs to run before cdbs auto-update debian/control:: debian/control.in DEB_PHONY_RULES += debian/control.in
Attachment:
signature.asc
Description: Digital signature