I recently uploaded an NMU for vftool to fix CVE-2011-0433 in sid (bug #614669). At the time I notified the maintainer that I would perform uploads for stable and oldstable and I have not had any response, therefore the stable patch is attached. Stable is easy: the same version is present, so the patch is just the same as for unstable. In oldstable, you have a choice of whether to include the changes in -4 or not. They fix a FTBFS (which I could not reproduce in a lenny chroot) but are not strictly necessary to fix the CVE. I will prepare uploads according to your preference. Thanks. $ debdiff vftool_2.0alpha-4.dsc vftool_2.0alpha-4.1.dsc |diffstat debian/patch-2 | 21 +++++++++++++++++++++ vftool-2.0alpha/debian/changelog | 9 +++++++++ vftool-2.0alpha/debian/rules | 2 ++ 3 files changed, 32 insertions(+) diff -u vftool-2.0alpha/debian/changelog vftool-2.0alpha/debian/changelog --- vftool-2.0alpha/debian/changelog +++ vftool-2.0alpha/debian/changelog @@ -1,3 +1,12 @@ +vftool (2.0alpha-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * debian/patch-3: + - fix CVE-2011-0433, a buffer overflow in linetoken() in parseAFM.c + Closes: #614669 + + -- Jonathan Wiltshire <jmw@debian.org> Wed, 29 Jun 2011 23:06:32 +0100 + vftool (2.0alpha-4) unstable; urgency=low * Fixed FTBFS bug with a patch by Ruben Molina <rmolina AT udea.edu.co> diff -u vftool-2.0alpha/debian/rules vftool-2.0alpha/debian/rules --- vftool-2.0alpha/debian/rules +++ vftool-2.0alpha/debian/rules @@ -28,6 +28,8 @@ patch -p1 < debian/patch-0 patch -NRp1 < debian/patch-1 || true patch -p1 < debian/patch-1 + patch -NRp1 < debian/patch-2 || true + patch -p1 < debian/patch-2 $(MAKE) mka2bkjvf $(MAKE) mka2bkvf $(MAKE) mkbkv2hjvf only in patch2: unchanged: --- vftool-2.0alpha.orig/debian/patch-2 +++ vftool-2.0alpha/debian/patch-2 
@@ -0,0 +1,21 @@ +From: Vincent Untz <vuntz@gnome.org> +Date: Thu, 17 Feb 2011 15:23:39 +0100 +Subject: [PATCH] backends: Fix another security issue in the dvi-backend +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=640923 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614669 + +This is similar to one of the fixes from d4139205. + +https://bugzilla.gnome.org/show_bug.cgi?id=640923 + +--- vftool-2.0alpha.orig/parseAFM.c ++++ vftool-2.0alpha/parseAFM.c +@@ -178,7 +178,7 @@ + while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); + + idx = 0; +- while (ch != EOF && ch != lineterm) ++ while (ch != EOF && ch != lineterm && idx < MAX_NAME) + { + ident[idx++] = ch; + ch = fgetc(stream); -- Jonathan Wiltshire jmw@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
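Review bot: the changelog bullet names `debian/patch-3`, but the file this NMU actually adds (per the diffstat line `debian/patch-2 | 21 +++` and the rules hunk) is `debian/patch-2`; change the bullet to `* debian/patch-2:` so the changelog matches the shipped patch.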
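Review bot: the two added rules lines reuse the existing reverse-then-apply idiom already used for patch-1 (`patch -NRp1 < debian/patch-2 || true` followed by `patch -p1 < debian/patch-2`), so a rebuild in an already-patched tree will not double-apply the fix; the `|| true` also masks a genuine failure of the reverse step, but that is the pre-existing convention in this rules file rather than something introduced here, so no change is needed for a security-only NMU.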
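Review bot: the added `idx < MAX_NAME` bound in `linetoken()` keeps `ident[idx++] = ch` from writing past the buffer, which is the CVE-2011-0433 fix, but two points should be checked against the lines the hunk does not show: if `ident` is declared with exactly `MAX_NAME` bytes and the loop is followed by a NUL terminator write at `ident[idx]`, then hitting the bound leaves `idx == MAX_NAME` and the terminator lands one past the end, in which case the limit should be `MAX_NAME - 1`; and when the bound is hit the loop exits with the rest of the over-long token still unread, so it will be parsed as the following token instead of being skipped. The latter mirrors the upstream GNOME fix this patch is taken from and is acceptable for a stable update, but it is worth a sentence in the patch header.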