Bug#696915: unblock: inkscape/0.48.3.1-1.2
Hi Julien,
I have built a new version 0.48.3.1-1.3 and uploaded it into unstable.
Version 0.48.3.1-1.3 also includes a fix for a second security issue
[1] in addition to CVE-2012-5656. A detailed explanation of the fix
can be found in the bug report and the upstream bug report [2].
I also fixed the source package as I built it with "git-buildpackage
--git-pbuilder" now.
Do you want me to file a new unblock request or is this one
sufficient?
I am attaching all patches showing the differences between 0.48.3.1-1
and 0.48.3.1-1.3.
Cheers,
Adrian
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654341
> [2] https://bugs.launchpad.net/inkscape/+bug/911146
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>From fd837b10f2fb8c48a308c4a3ddba8dd79609418d Mon Sep 17 00:00:00 2001
From: Pino Toscano <pino@debian.org>
Date: Sat, 29 Dec 2012 18:34:12 +0100
Subject: [PATCH 1/6] - switch the libpng12-dev build dependency to libpng-dev
- add the libpoppler-private-dev build dependency
---
debian/control | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index f54b02e..50990b7 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,8 @@ Build-Depends: autoconf,
liblcms1-dev,
libmagick++-dev,
libpango1.0-dev,
- libpng12-dev,
+ libpng-dev,
+ libpoppler-private-dev,
libpoppler-glib-dev,
libpopt-dev,
libsigc++-2.0-dev (>= 2.0.16-2),
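Review bot: The new libpoppler-private-dev entry is placed ahead of libpoppler-glib-dev, which breaks the alphabetical order the surrounding Build-Depends entries follow; move it after libpoppler-glib-dev. The commit also bundles two independent dependency changes (the libpng switch and the poppler addition) that the changelog closes as separate bugs, so splitting them would make each one easier to revert or cherry-pick.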
--
1.7.10.4
>From 0cc17c45fbfd0ca198d61f86a49e082f2499eaa2 Mon Sep 17 00:00:00 2001
From: Pino Toscano <pino@debian.org>
Date: Sat, 29 Dec 2012 19:00:14 +0100
Subject: [PATCH 2/6] Update Debian changelog for 0.48.3.1-1.1.
---
debian/changelog | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4f92cf4..d1fdf41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inkscape (0.48.3.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378)
+ * Add the libpoppler-private-dev build dependency (closes: #660987)
+
+ -- Pino Toscano <pino@debian.org> Fri, 15 Jun 2012 16:40:22 +0200
+
inkscape (0.48.3.1-1) unstable; urgency=low
* [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream
--
1.7.10.4
>From f74d957bdac1a39e62d2e12bc8dfd1e191afedaa Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Date: Sat, 29 Dec 2012 19:04:14 +0100
Subject: [PATCH 3/6] Add Debian patch to fix vulnerability CVE-2012-5656.
---
debian/patches/03-CVE-2012-5656.diff | 75 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 76 insertions(+)
create mode 100644 debian/patches/03-CVE-2012-5656.diff
diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff
new file mode 100644
index 0000000..c787ed4
--- /dev/null
+++ b/debian/patches/03-CVE-2012-5656.diff
@@ -0,0 +1,75 @@
+From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Sun, 23 Dec 2012 18:22:16 +0100
+Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix
+ CVE-2012-5656.
+
+---
+ src/preferences-skeleton.h | 4 ++++
+ src/ui/dialog/ocaldialogs.cpp | 10 ++++++++--
+ src/xml/repr-io.cpp | 8 +++++++-
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h
+index 32f4b7c..e4dd2c8 100644
+--- a/src/preferences-skeleton.h
++++ b/src/preferences-skeleton.h
+@@ -315,6 +315,10 @@ static char const preferences_skeleton[] =
+ " clips=\"16711935\"" // 00ff00ff
+ " masks=\"65535\"/>\n" // 0x0000ffff
+ " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n"
++" <group id=\"externalresources\">\n"
++" <group id=\"xml\" "
++" allow_net_access=\"0\"/>\n"
++" </group>\n"
+ " <group id=\"forkgradientvectors\" value=\"1\"/>\n"
+ " <group id=\"iconrender\" named_nodelay=\"0\"/>\n"
+ " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n"
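Review bot: The added externalresources/xml group has no comment saying what allow_net_access controls, and the hunk does not show which parent group it lands in. The readers added in ocaldialogs.cpp and repr-io.cpp look up /options/externalresources/xml/allow_net_access, so the enclosing group here has to be options for this skeleton default to be the value that is actually read; please confirm that and add a short comment in the style of the colour annotations a few lines above. Both readers pass false as the fallback, so a preferences file written before this change still resolves to the safe setting.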
+diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
+index 2ae7d69..63c56f7 100644
+--- a/src/ui/dialog/ocaldialogs.cpp
++++ b/src/ui/dialog/ocaldialogs.cpp
+@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
+ xmlDoc *doc = NULL;
+ xmlNode *root_element = NULL;
+
++ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! see bug lp:1025185
++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++ if (!allowNetAccess) {
++ parse_options |= XML_PARSE_NONET;
++ }
++
+ doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
+- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
+- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options);
+ if (doc == NULL) {
+ sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
+ g_warning("Failed to parse %s\n", uri.c_str());
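Review bot: prefs is dereferenced in the new allowNetAccess line but is not declared anywhere in this hunk, whereas the repr-io.cpp change adds its own Inkscape::Preferences::get() call; confirm a prefs pointer is already in scope in searchTagEntryChangedCallback() or add the same declaration here. The flag set is built with + and then extended with |=, and using | throughout would avoid a wrong value if a flag is ever listed twice. The preference lookup plus XML_PARSE_NONET logic is now duplicated in two files and would be easier to audit as one shared helper that returns the parse options.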
+diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp
+index fa5e9b6..088b505 100644
+--- a/src/xml/repr-io.cpp
++++ b/src/xml/repr-io.cpp
+@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns)
+ XmlSource src;
+
+ if ( (src.setFile(filename) == 0) ) {
++ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185
++ Inkscape::Preferences *prefs = Inkscape::Preferences::get();
++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++ if (!allowNetAccess) {
++ parse_options |= XML_PARSE_NONET;
++ }
+ doc = xmlReadIO( XmlSource::readCb,
+ XmlSource::closeCb,
+ &src,
+ localFilename,
+ src.getEncoding(),
+- XML_PARSE_NOENT );
++ parse_options);
+ }
+ }
+
+--
+1.7.10.4
+
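Review bot: Replacing XML_PARSE_NOENT with XML_PARSE_HUGE in sp_repr_read_file() does more than stop entity substitution: XML_PARSE_HUGE was not set before, and it relaxes libxml2's built-in parser limits, which matters when the file being opened is untrusted. The inline comment only explains why NOENT must stay out, so either justify HUGE in that comment or start from 0 and add HUGE only if large documents are known to need it. Documents that relied on entity substitution at load time will also parse differently now, which deserves a line in the commit message.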
diff --git a/debian/patches/series b/debian/patches/series
index 08294b7..bd4ef57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
01-fix-datamatrix-ui.dpatch
02-drop-pdf-ps.diff
+03-CVE-2012-5656.diff
--
1.7.10.4
>From 9371b35a327ec7b7d5b2201e493ac1730094643d Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Date: Sat, 29 Dec 2012 19:04:57 +0100
Subject: [PATCH 4/6] Update Debian changelog for 0.48.3.1-1.2.
---
debian/changelog | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d1fdf41..8505588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
+
+ -- John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Mon, 24 Dec 2012 00:58:56 +0100
+
inkscape (0.48.3.1-1.1) unstable; urgency=low
* Non-maintainer upload.
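Review bot: urgency=low on the 0.48.3.1-1.2 entry is hard to square with its only change being a fix for CVE-2012-5656; consider a higher urgency so the fix migrates sooner, or say in the entry why low is intended. The entry would also be easier to trace if it named the patch file, 03-CVE-2012-5656.diff, that carries the fix.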
--
1.7.10.4
>From 8cf685832e55916a8b2a3ddc3c984ecb12c5d238 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Date: Sat, 29 Dec 2012 19:14:56 +0100
Subject: [PATCH 5/6] Add patch to fix upstream vulnerability LP#911146.
---
debian/patches/04-fix-LP911146.diff | 32 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 33 insertions(+)
create mode 100644 debian/patches/04-fix-LP911146.diff
diff --git a/debian/patches/04-fix-LP911146.diff b/debian/patches/04-fix-LP911146.diff
new file mode 100644
index 0000000..8ef1286
--- /dev/null
+++ b/debian/patches/04-fix-LP911146.diff
@@ -0,0 +1,32 @@
+From: Michael Karcher <debian@mkarcher.dialup.fu-berlin.de>
+Date: Sat, 29 Dec 2012 17:33:33 +0100
+Subject: Fix LP: #911146 relative filename vulnerability
+
+Ensures that filenames passed to extensions are made absolute before
+changing the current working directory.
+---
+ src/extension/implementation/script.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/extension/implementation/script.cpp b/src/extension/implementation/script.cpp
+index b78fbda..02c3aeb 100644
+--- a/src/extension/implementation/script.cpp
++++ b/src/extension/implementation/script.cpp
+@@ -954,7 +954,14 @@ int Script::execute (const std::list<std::string> &in_command,
+ // assemble the rest of argv
+ std::copy(in_params.begin(), in_params.end(), std::back_inserter(argv));
+ if (!filein.empty()) {
+- argv.push_back(filein);
++ if(Glib::path_is_absolute(filein))
++ argv.push_back(filein);
++ else {
++ std::vector<std::string> buildargs;
++ buildargs.push_back(Glib::get_current_dir());
++ buildargs.push_back(filein);
++ argv.push_back(Glib::build_filename(buildargs));
++ }
+ }
+
+ int stdout_pipe, stderr_pipe;
+
+-- 1.7.10.4
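Review bot: The new else branch in Script::execute() builds the absolute path from Glib::get_current_dir(), so the fix is only correct if the working directory has not yet been changed when this code runs; the hunk does not show where the directory change happens, and the description's "before changing the current working directory" should be backed by a comment at this spot or by resolving the path where filein is first received. The if branch has no braces while the else branch does, so brace both for consistency. Only filein is made absolute here; if any entries in in_params can be relative file paths they remain resolved against the new directory.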
diff --git a/debian/patches/series b/debian/patches/series
index bd4ef57..d454438 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
01-fix-datamatrix-ui.dpatch
02-drop-pdf-ps.diff
03-CVE-2012-5656.diff
+04-fix-LP911146.diff
--
1.7.10.4
>From 70d905765fd7e37c99b2e30cb4d9b95063578b74 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Date: Sat, 29 Dec 2012 19:18:17 +0100
Subject: [PATCH 6/6] Update Debian changelog for 0.48.3.1-1.3.
---
debian/changelog | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 8505588..0b42ef4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.3) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add Debian patch to fix relative filename vulnerability (Closes: #654341).
+
+ -- John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Sat, 29 Dec 2012 19:15:46 +0100
+
inkscape (0.48.3.1-1.2) unstable; urgency=low
* Non-maintainer upload.
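Review bot: The 0.48.3.1-1.3 entry describes the fix only as a "relative filename vulnerability" and closes #654341, while the patch file and commit subject identify it by the upstream report LP#911146; add that reference and the patch name 04-fix-LP911146.diff to the entry so the changelog can be matched to the patch. As with the previous entry, urgency=low for an upload whose sole change is a vulnerability fix should be reconsidered or explained.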
--
1.7.10.4