
Re: Pre-approval for optipng



Hi!

On Wed, 12 Nov 2008 07:26:36 +0100
Luk Claes <luk@debian.org> wrote:

> Nelson A. de Oliveira wrote:
> > So do I have a pre-approval to upload it to unstable, including
> > only a patch to fix SA32651, please?
> 
> Yes.

OK.

====================
debdiff:

diff -urN optipng-0.6.1/debian/changelog optipng-0.6.1.1/debian/changelog
--- optipng-0.6.1/debian/changelog      2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/changelog    2008-11-12 08:50:01.000000000 -0200
@@ -1,3 +1,13 @@
+optipng (0.6.1.1-1) unstable; urgency=high
+
+  * New upstream release (kindly provided by Cosmin Truţa, fixing only
+    the security issue found in version 0.6.1):
+    - fix array overflow in the BMP reader (Closes: #505399). This is Secunia
+      Advisory SA32651.
+  * Fix broken link /usr/share/doc/optipng/changelog.gz.
+
+ -- Nelson A. de Oliveira <naoliv@debian.org>  Wed, 12 Nov 2008 08:40:50 -0200
+
 optipng (0.6.1-2) unstable; urgency=low

   * Update debian/copyright.
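Review bot: the new entry correctly uses urgency=high for a security fix and ties the change to both the bug (#505399) and the advisory (SA32651); consider also adding the CVE identifier next to SA32651 if one has been assigned, so the security tracker can match this upload to the issue without going through the Secunia reference.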
diff -urN optipng-0.6.1/debian/links optipng-0.6.1.1/debian/links
--- optipng-0.6.1/debian/links  2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/links        2008-11-12 08:43:46.000000000 -0200
@@ -1 +1 @@
-usr/share/doc/optipng/HISTORY.txt.gz usr/share/doc/optipng/changelog.gz
+usr/share/doc/optipng/history.txt.gz usr/share/doc/optipng/changelog.gz
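Review bot: the only change here is the case of the link target (HISTORY.txt.gz to history.txt.gz); since the old link was dangling, please confirm that the 0.6.1.1 tarball actually ships history.txt in lowercase and that it ends up compressed as history.txt.gz in the package, because the binary debdiff quoted below shows the link's new target but not whether that target resolves.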
diff -urN optipng-0.6.1/debian/README.source optipng-0.6.1.1/debian/README.source
--- optipng-0.6.1/debian/README.source  2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/README.source        2008-11-12 08:49:57.000000000 -0200
@@ -1,4 +1,4 @@
-optipng_0.6.0.orig.tar.gz is a stripped version of the original OptiPNG.
+optipng_0.6.1.1.orig.tar.gz is a stripped version of the original OptiPNG.
 The following dirs and files were removed:

 lib/lib_diff/
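Review bot: the old line still named optipng_0.6.0.orig.tar.gz although the package was already at 0.6.1, so this hunk also corrects a stale version string; as the file now describes the stripped 0.6.1.1 archive, the list of removed directories and files that follows should be re-verified against the 0.6.1.1 tarball rather than carried over unchanged.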
@@ -15,4 +15,8 @@
 src/scripts/visualc.mak
 src/xtra/

-Nelson A. de Oliveira <naoliv@debian.org>  Fri, 20 Jun 2008 00:43:42 -0300
+Note that his package is version 0.6.1 plus the patch optipng-0.6.1.1.diff
+provided by the upstream author, Cosmin Truţa. This patch fixes an array
+overflow in the BMP reader (Secunia Advisory SA32651).
+
+Nelson A. de Oliveira <naoliv@debian.org>  Wed, 12 Nov 2008 08:40:50 -0200
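Review bot: typo in the added note: "Note that his package is version 0.6.1" should read "Note that this package is version 0.6.1". Otherwise the explanation (0.6.1 plus the upstream optipng-0.6.1.1.diff fixing the array overflow in the BMP reader, SA32651) is consistent with the changelog entry above.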
====================

====================
debdiff (it shows only a minor fix for a broken link):

debdiff optipng_0.6.1-2_i386.deb optipng_0.6.1.1-1_i386.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
lrwxrwxrwx  root/root   /usr/share/doc/optipng/changelog.gz -> history.txt.gz

Files in first .deb but not in second
-------------------------------------
lrwxrwxrwx  root/root   /usr/share/doc/optipng/changelog.gz -> HISTORY.txt.gz

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-0.6.1-2-] {+0.6.1.1-1+}
====================

Patch provided by upstream is available at
http://people.debian.org/~naoliv/misc/optipng-0.6.1.1.diff.txt

 lib/pngxtern/pngx.h     |   22 ++++++++++++---
 lib/pngxtern/pngxio.c   |   26 ++++++++++--------
 lib/pngxtern/pngxmem.c  |   41 +++++++++++++++++++++--------
 lib/pngxtern/pngxrbmp.c |   67 +++++++++++++++++++++++++-----------------------
 src/proginfo.h          |    2 -
 5 files changed, 99 insertions(+), 59 deletions(-)

Since there are some modified comments inside the patch, it may look bigger
than it really is.

Green light to upload it? :-)

Thank you!

Best regards,
Nelson
