Bug#611005: unblock: geda-gaf/1.6.1-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package geda-gaf
* Added disable_gnetlist-arg.diff patch, to fix arbitrary code execution.
(LP: #700194)
Debdiff against 1.6.1-4 is attached.
unblock geda-gaf/1.6.1-5
-- System Information:
Debian Release: squeeze/sid
APT prefers maverick-updates
APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick-backports'), (500, 'maverick')
Architecture: i386 (i686)
Kernel: Linux 2.6.35-25-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index 15bc1fb..4aa42e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+geda-gaf (1:1.6.1-5) unstable; urgency=low
+
+ * Added disable_gnetlist-arg.diff patch, to fix arbitrary code execution.
+ (LP: #700194)
+
+ -- أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org> Mon, 24 Jan 2011 19:58:01 +0200
+
geda-gaf (1:1.6.1-4) unstable; urgency=low
* Added fix_string_exceptions.diff patch to fix string exceptions in
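Review bot: the new 1:1.6.1-5 entry is marked `urgency=low` although its only change is described as fixing arbitrary code execution. Consider raising the urgency. Consider also naming the vector in the entry (the patch header says it is `gnetlist-arg` being accepted from a gsch2pcb project file), so the changelog can be understood without opening the patch.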
diff --git a/debian/patches/disable_gnetlist-arg.diff b/debian/patches/disable_gnetlist-arg.diff
new file mode 100644
index 0000000..452aad9
--- /dev/null
+++ b/debian/patches/disable_gnetlist-arg.diff
@@ -0,0 +1,44 @@
+Description: gsch2pcb: Don't allow `gnetlist-arg' in project file.
+Origin: http://git.gpleda.org/?p=gaf.git;a=commitdiff_plain;h=16b3d32fcf8458389a491aed9437be835131b4b9
+Author: Peter TB Brett <peter@peter-b.co.uk>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/geda-gaf/+bug/700194
+
+--- a/utils/src/gsch2pcb.c
++++ b/utils/src/gsch2pcb.c
+@@ -1253,9 +1253,6 @@
+ else if (!strcmp(config, "gnetlist"))
+ extra_gnetlist_list =
+ g_list_append(extra_gnetlist_list, g_strdup(arg));
+- else if (!strcmp(config, "gnetlist-arg"))
+- extra_gnetlist_arg_list =
+- g_list_append(extra_gnetlist_arg_list, g_strdup(arg));
+ else if (!strcmp(config, "empty-footprint"))
+ empty_footprint_name = g_strdup(arg);
+ else
+@@ -1370,10 +1367,10 @@
+ " --gnetlist backend A convenience run of extra gnetlist -g commands.\n"
+ " Example: gnetlist partslist3\n"
+ " Creates: myproject.partslist3\n"
+-" --gnetlist-arg arg Allows additional arguments to be passed to gnetlist.\n"
+ " --empty-footprint name See the project.sample file.\n"
+ "\n"
+ "options (not recognized in a project file):\n"
++" --gnetlist-arg arg Allows additional arguments to be passed to gnetlist.\n"
+ " --fix-elements If a schematic component footprint is not equal\n"
+ " to its PCB element Description, update the\n"
+ " Description instead of replacing the element.\n"
+@@ -1432,6 +1429,14 @@
+ fix_elements = TRUE;
+ continue;
+ }
++ else if (!strcmp(opt, "gnetlist-arg"))
++ {
++ extra_gnetlist_arg_list =
++ g_list_append(extra_gnetlist_arg_list,
++ g_strdup(arg));
++ i++;
++ continue;
++ }
+ else if (!strcmp(opt, "help") || !strcmp(opt, "h"))
+ usage();
+ else if ( i < argc
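Review bot: in the last inner hunk (`@@ -1432,6 +1429,14 @@`), the new `gnetlist-arg` branch calls `g_strdup(arg)` and then `i++` with no visible check that an argument actually follows the option, while the next context branch does begin with `i < argc`. If `arg` can be NULL when `--gnetlist-arg` is the last word on the command line, `g_strdup` returns NULL and a NULL entry is appended to `extra_gnetlist_arg_list`. Suggest guarding the branch, for example by falling through to `usage()` when no argument is present. The `Description:` header would also benefit from one sentence on why a project-file `gnetlist-arg` leads to code execution, since the visible lines only show the option moving from the project-file parser to the command-line parser.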
diff --git a/debian/patches/series b/debian/patches/series
index 561c79a..0e1a01a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ desktop.diff
manpage_typos.diff
sch2eaglepos_bashism.diff
fix_string_exceptions.diff
+disable_gnetlist-arg.diff