Hi!

On Wed, 12 Nov 2008 07:26:36 +0100 Luk Claes <luk@debian.org> wrote:
> Nelson A. de Oliveira wrote:
> > So do I have a pre-approval to upload it to unstable, including
> > only a patch to fix SA32651, please?
>
> Yes.

OK.

====================
debdiff:

diff -urN optipng-0.6.1/debian/changelog optipng-0.6.1.1/debian/changelog
--- optipng-0.6.1/debian/changelog	2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/changelog	2008-11-12 08:50:01.000000000 -0200
@@ -1,3 +1,13 @@
+optipng (0.6.1.1-1) unstable; urgency=high
+
+  * New upstream release (kindly provided by Cosmin Truţa, fixing only
+    the security issue found in version 0.6.1):
+    - fix array overflow in the BMP reader (Closes: #505399). This is Secunia
+      Advisory SA32651.
+  * Fix broken link /usr/share/doc/optipng/changelog.gz.
+
+ -- Nelson A. de Oliveira <naoliv@debian.org>  Wed, 12 Nov 2008 08:40:50 -0200
+
 optipng (0.6.1-2) unstable; urgency=low
 
   * Update debian/copyright.
diff -urN optipng-0.6.1/debian/links optipng-0.6.1.1/debian/links
--- optipng-0.6.1/debian/links	2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/links	2008-11-12 08:43:46.000000000 -0200
@@ -1 +1 @@
-usr/share/doc/optipng/HISTORY.txt.gz usr/share/doc/optipng/changelog.gz
+usr/share/doc/optipng/history.txt.gz usr/share/doc/optipng/changelog.gz
diff -urN optipng-0.6.1/debian/README.source optipng-0.6.1.1/debian/README.source
--- optipng-0.6.1/debian/README.source	2008-11-12 08:57:07.000000000 -0200
+++ optipng-0.6.1.1/debian/README.source	2008-11-12 08:49:57.000000000 -0200
@@ -1,4 +1,4 @@
-optipng_0.6.0.orig.tar.gz is a stripped version of the original OptiPNG.
+optipng_0.6.1.1.orig.tar.gz is a stripped version of the original OptiPNG.
 The following dirs and files were removed:
 
 lib/lib_diff/
@@ -15,4 +15,8 @@
 src/scripts/visualc.mak
 src/xtra/
 
-Nelson A. de Oliveira <naoliv@debian.org>  Fri, 20 Jun 2008 00:43:42 -0300
+Note that his package is version 0.6.1 plus the patch optipng-0.6.1.1.diff
+provided by the upstream author, Cosmin Truţa. This patch fixes an array
+overflow in the BMP reader (Secunia Advisory SA32651).
+
+Nelson A. de Oliveira <naoliv@debian.org>  Wed, 12 Nov 2008 08:40:50 -0200
====================

====================
debdiff (it shows only a minor fix for a broken link):

debdiff optipng_0.6.1-2_i386.deb optipng_0.6.1.1-1_i386.deb
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
lrwxrwxrwx  root/root   /usr/share/doc/optipng/changelog.gz -> history.txt.gz

Files in first .deb but not in second
-------------------------------------
lrwxrwxrwx  root/root   /usr/share/doc/optipng/changelog.gz -> HISTORY.txt.gz

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-0.6.1-2-] {+0.6.1.1-1+}
====================

Patch provided by upstream is available at
http://people.debian.org/~naoliv/misc/optipng-0.6.1.1.diff.txt

 lib/pngxtern/pngx.h     |   22 ++++++++++++---
 lib/pngxtern/pngxio.c   |   26 ++++++++++--------
 lib/pngxtern/pngxmem.c  |   41 +++++++++++++++++++++--------
 lib/pngxtern/pngxrbmp.c |   67 +++++++++++++++++++++++++-----------------------
 src/proginfo.h          |    2 -
 5 files changed, 99 insertions(+), 59 deletions(-)

Since there are some modified comments inside the patch, it may look bigger
than it really is.

Green light to upload it? :-)

Thank you!

Best regards,
Nelson
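Review bot: in the debian/changelog hunk (`@@ -1,3 +1,13 @@`), the new entry references only the bug number (Closes: #505399) and the Secunia advisory (SA32651); if a CVE identifier has been assigned to this BMP reader array overflow, record it on the same line as `Advisory SA32651.` so the security tracker and anyone grepping the changelog can match the fix to the advisory without going through Secunia.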
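Review bot: typo in the second debian/README.source hunk (`@@ -15,4 +15,8 @@`): `+Note that his package is version 0.6.1 plus the patch optipng-0.6.1.1.diff` should read `this package`. The note itself is worth keeping as written otherwise, since it records that the 0.6.1.1 orig tarball is 0.6.1 plus the upstream diff, which the changelog's `New upstream release` wording does not make obvious; keep the two files saying the same thing about what 0.6.1.1 actually contains.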