Bug#611005: marked as done (unblock: geda-gaf/1.6.1-5)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 24 Jan 2011 22:46:52 +0100
with message-id <20110124214652.GQ30701@radis.liafa.jussieu.fr>
and subject line Re: Bug#611005: unblock: geda-gaf/1.6.1-5
has caused the Debian Bug report #611005,
regarding unblock: geda-gaf/1.6.1-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
611005: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611005
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: geda-gaf/1.6.1-5
• From: أحمد المحمودي <aelmahmoudy@sabily.org>
• Date: Mon, 24 Jan 2011 21:47:01 +0200
• Message-id: <[🔎] 20110124194701.8753.98150.reportbug@localhost6.localdomain6>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Please unblock package geda-gaf

  * Added disable_gnetlist-arg.diff patch, to fix arbitrary code execution.
    (LP: #700194)

  Debdiff against 1.6.1-4 is attached.

unblock geda-gaf/1.6.1-5

-- System Information:
Debian Release: squeeze/sid
  APT prefers maverick-updates
  APT policy: (500, 'maverick-updates'), (500, 'maverick-security'), (500, 'maverick-proposed'), (500, 'maverick-backports'), (500, 'maverick')
Architecture: i386 (i686)

Kernel: Linux 2.6.35-25-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff --git a/debian/changelog b/debian/changelog
index 15bc1fb..4aa42e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+geda-gaf (1:1.6.1-5) unstable; urgency=low
+
+  * Added disable_gnetlist-arg.diff patch, to fix arbitrary code execution.
+    (LP: #700194)
+
+ -- أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmoudy@sabily.org>  Mon, 24 Jan 2011 19:58:01 +0200
+
 geda-gaf (1:1.6.1-4) unstable; urgency=low
 
   * Added fix_string_exceptions.diff patch to fix string exceptions in
diff --git a/debian/patches/disable_gnetlist-arg.diff b/debian/patches/disable_gnetlist-arg.diff
new file mode 100644
index 0000000..452aad9
--- /dev/null
+++ b/debian/patches/disable_gnetlist-arg.diff
@@ -0,0 +1,44 @@
+Description: gsch2pcb: Don't allow `gnetlist-arg' in project file.
+Origin: http://git.gpleda.org/?p=gaf.git;a=commitdiff_plain;h=16b3d32fcf8458389a491aed9437be835131b4b9
+Author: Peter TB Brett <peter@peter-b.co.uk>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/geda-gaf/+bug/700194
+
+--- a/utils/src/gsch2pcb.c
++++ b/utils/src/gsch2pcb.c
+@@ -1253,9 +1253,6 @@
+ 	else if (!strcmp(config, "gnetlist"))
+ 		extra_gnetlist_list =
+ 				g_list_append(extra_gnetlist_list, g_strdup(arg));
+-	else if (!strcmp(config, "gnetlist-arg"))
+-		extra_gnetlist_arg_list =
+-				g_list_append(extra_gnetlist_arg_list, g_strdup(arg));
+ 	else if (!strcmp(config, "empty-footprint"))
+ 		empty_footprint_name = g_strdup(arg);
+ 	else
+@@ -1370,10 +1367,10 @@
+ "   --gnetlist backend    A convenience run of extra gnetlist -g commands.\n"
+ "                         Example:  gnetlist partslist3\n"
+ "                         Creates:  myproject.partslist3\n"
+-"   --gnetlist-arg arg    Allows additional arguments to be passed to gnetlist.\n"
+ " --empty-footprint name  See the project.sample file.\n"
+ "\n"
+ "options (not recognized in a project file):\n"
++"   --gnetlist-arg arg    Allows additional arguments to be passed to gnetlist.\n"
+ "       --fix-elements    If a schematic component footprint is not equal\n"
+ "                         to its PCB element Description, update the\n"
+ "                         Description instead of replacing the element.\n"
+@@ -1432,6 +1429,14 @@
+ 				fix_elements = TRUE;
+ 				continue;
+ 				}
++      else if (!strcmp(opt, "gnetlist-arg"))
++        {
++        extra_gnetlist_arg_list =
++                g_list_append(extra_gnetlist_arg_list,
++                                g_strdup(arg));
++        i++;
++        continue;
++        }
+ 			else if (!strcmp(opt, "help") || !strcmp(opt, "h"))
+ 				usage();
+ 			else if (   i < argc
diff --git a/debian/patches/series b/debian/patches/series
index 561c79a..0e1a01a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ desktop.diff
 manpage_typos.diff
 sch2eaglepos_bashism.diff
 fix_string_exceptions.diff
+disable_gnetlist-arg.diff

--- End Message ---

--- Begin Message ---

• To: أحمد المحمودي <aelmahmoudy@sabily.org>, 611005-done@bugs.debian.org
• Subject: Re: Bug#611005: unblock: geda-gaf/1.6.1-5
• From: Julien Cristau <jcristau@debian.org>
• Date: Mon, 24 Jan 2011 22:46:52 +0100
• Message-id: <20110124214652.GQ30701@radis.liafa.jussieu.fr>
• In-reply-to: <[🔎] 20110124194701.8753.98150.reportbug@localhost6.localdomain6>
• References: <[🔎] 20110124194701.8753.98150.reportbug@localhost6.localdomain6>

On Mon, Jan 24, 2011 at 21:47:01 +0200, أحمد المحمودي wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> 
> Please unblock package geda-gaf
> 
Done, thanks.

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature

--- End Message ---