Re: Bug#687300: ghostscript: Please enable xz compression on all binaries



tag 687274 pending
tag 687300 pending
thanks

Hi,

Bastien ROUCARIES <roucaries.bastien@gmail.com> (17/09/2012):
> If you do an NMU there are a few RC bugs with patch. Will post you the
> list tomorrow.

I haven't received any news so I've decided to go ahead and fix the CVE
along with the xz compression. Please find attached the source debdiff
for my NMU.

Mraw,
KiBi.
diff -Nru ghostscript-9.05~dfsg/debian/changelog ghostscript-9.05~dfsg/debian/changelog
--- ghostscript-9.05~dfsg/debian/changelog	2012-05-24 20:02:46.000000000 +0200
+++ ghostscript-9.05~dfsg/debian/changelog	2012-09-22 01:22:02.000000000 +0200
@@ -1,3 +1,13 @@
+ghostscript (9.05~dfsg-6.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Apply security patch for CVE-2012-4405 (Closes: #687274): error out if
+    inputChan is strictly less than 1 in icmLut_read(), thanks to Nico
+    Golde for the pointers.
+  * Enable xz compression for all binaries (Closes: #687300).
+
+ -- Cyril Brulebois <kibi@debian.org>  Sat, 22 Sep 2012 01:18:12 +0200
+
 ghostscript (9.05~dfsg-6) unstable; urgency=low
 
   * Fix symlink to DroidSans.
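Review bot: the CVE-2012-4405 bullet states the condition (inputChan strictly less than 1) but not where it is enforced; adding "in icclib/icc.c" to that bullet lets someone reading the changelog alone locate the change without opening the patch. The bug numbers in the entry (#687274, #687300) match the two bugs tagged pending at the top of the mail, and urgency=high is the right setting for a security NMU.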
diff -Nru ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch
--- ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch	1970-01-01 01:00:00.000000000 +0100
+++ ghostscript-9.05~dfsg/debian/patches/CVE-2012-4405.patch	2012-09-22 01:17:58.000000000 +0200
@@ -0,0 +1,14 @@
+--- a/icclib/icc.c
++++ b/icclib/icc.c
+@@ -4996,6 +4996,11 @@ static int icmLut_read(
+         p->clutPoints = read_UInt8Number(bp+10);
+ 
+         /* Sanity check */
++        if (p->inputChan < 1) {
++                sprintf(icp->err,"icmLut_read: No input channels!");
++                return icp->errc = 1;
++        }
++
+         if (p->inputChan > MAX_CHAN) {
+                 sprintf(icp->err,"icmLut_read: Can't handle > %d input channels\n",MAX_CHAN);
+                 return icp->errc = 1;
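Review bot: the new debian/patches/CVE-2012-4405.patch carries no DEP-3 header (Description, Origin, Bug-Debian), so the file itself does not record that it addresses CVE-2012-4405 and #687274; a few header lines above "--- a/icclib/icc.c" would fix that. Two smaller points on the hunk itself: the added message "icmLut_read: No input channels!" lacks the trailing "\n" that the adjacent "Can't handle > %d input channels\n" message has, so the two error strings are inconsistent; and since the check rejects exactly the zero case, writing it as "p->inputChan == 0" would state the intent more directly than "< 1" if the field is unsigned, as the other header fields read via read_UInt8Number suggest.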
diff -Nru ghostscript-9.05~dfsg/debian/patches/series ghostscript-9.05~dfsg/debian/patches/series
--- ghostscript-9.05~dfsg/debian/patches/series	2012-05-24 18:57:49.000000000 +0200
+++ ghostscript-9.05~dfsg/debian/patches/series	2012-09-22 01:13:15.000000000 +0200
@@ -6,3 +6,4 @@
 2001_docdir_fix_for_debian.patch
 2002_gs_man_fix_debian.patch
 2003_support_multiarch.patch
+CVE-2012-4405.patch
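Review bot: the existing entries in series use a numbered prefix (2001_docdir_fix_for_debian.patch, 2002_gs_man_fix_debian.patch, 2003_support_multiarch.patch) while the new entry is just CVE-2012-4405.patch; renaming it to something like 2004_CVE-2012-4405.patch (and the file under debian/patches to match) keeps the package's naming convention intact and makes the application order obvious from the filename.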
diff -Nru ghostscript-9.05~dfsg/debian/rules ghostscript-9.05~dfsg/debian/rules
--- ghostscript-9.05~dfsg/debian/rules	2012-05-24 20:02:46.000000000 +0200
+++ ghostscript-9.05~dfsg/debian/rules	2012-09-22 01:22:34.000000000 +0200
@@ -17,6 +17,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+# Use xz compression:
+DEB_DH_BUILDDEB_ARGS ?= -u-Zxz
+
 # This needs to run before cdbs auto-update
 debian/control:: debian/control.in
 DEB_PHONY_RULES += debian/control.in
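Review bot: "?=" only assigns DEB_DH_BUILDDEB_ARGS when it is not already set, so a value present in the build environment (or defined elsewhere before this line) silently drops "-u-Zxz" and the binaries fall back to the default compressor; if the comment "Use xz compression" is meant unconditionally, "+=" is the safer spelling. Otherwise the placement before the cdbs includes is fine, and "-u-Zxz" is the correct way to hand "-Zxz" through dh_builddeb to dpkg-deb.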
