Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1
From: Tobias Frost <tobi@debian.org>
Date: Sat, 17 Jan 2015 22:01:19 +0100
Message-id: <[🔎] 20150117210119.6867.36097.reportbug@edoras.loewenhoehle.ip>
Reply-to: Tobias Frost <tobi@debian.org>, 775603@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Moritz Muehlenhoff asked me to provide a update for lcms to fix a few CVE's:


lcms (1.19.dfsg2-1.2+deb7u1) stable-proposed-updates; urgency=medium

  * Non-maintainer upload.
  * Remove non-free file python/testbed/AdobeRGB1998.icc from source tarball
    (Closes: #753759). Also remove testbed/sRGBSpac.icm
  * Cherry-Pick fix from Peter Michael Green's NMU (1.19.dfsg1-1.4)
      - Link icctrans with -lm to Fix link failure on amd64.
  * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682)
  * Repack orig-source to remove non-dfsg free color profiles. This is
    necessary as the resulting lintian error
    license-problem-md5sum-non-free-file would lead to an autoreject
    (Closes: #736806).
  * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208)

  -- Tobias Frost <tobi@debian.org>  Sat, 17 Jan 2015 21:51:31 +0100

debdiff attached.

Let me know when I should upload the pacakge to stable-proposed-updates.

-- 
tobi


-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru lcms-1.19.dfsg/debian/changelog lcms-1.19.dfsg2/debian/changelog
--- lcms-1.19.dfsg/debian/changelog	2015-01-17 21:55:17.000000000 +0100
+++ lcms-1.19.dfsg2/debian/changelog	2015-01-17 21:55:17.000000000 +0100
@@ -1,3 +1,19 @@
+lcms (1.19.dfsg2-1.2+deb7u1) stable-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove non-free file python/testbed/AdobeRGB1998.icc from source tarball
+    (Closes: #753759). Also remove testbed/sRGBSpac.icm
+  * Cherry-Pick fix from Peter Michael Green's NMU (1.19.dfsg1-1.4)
+      - Link icctrans with -lm to Fix link failure on amd64.
+  * Apply fix from OpenSuse for CVE-2013-4276 (Closes: #718682)
+  * Repack orig-source to remove non-dfsg free color profiles. This is
+    necessary as the resulting lintian error
+    license-problem-md5sum-non-free-file would lead to an autoreject
+    (Closes: #736806).
+  * Fix CVE-2013-4160 by backporting the fix from lcms-2 (Closes: #728208)
+
+ -- Tobias Frost <tobi@debian.org>  Sat, 17 Jan 2015 21:51:31 +0100
+
 lcms (1.19.dfsg-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
Binärdateien /tmp/lskYV26pVc/lcms-1.19.dfsg/Delphi/Samples/sRGB Color Space Profile.icm und /tmp/w1Aof1U6N3/lcms-1.19.dfsg2/Delphi/Samples/sRGB Color Space Profile.icm sind verschieden.
Binärdateien /tmp/lskYV26pVc/lcms-1.19.dfsg/python/testbed/AdobeRGB1998.icc und /tmp/w1Aof1U6N3/lcms-1.19.dfsg2/python/testbed/AdobeRGB1998.icc sind verschieden.
Binärdateien /tmp/lskYV26pVc/lcms-1.19.dfsg/python/testbed/sRGB Color Space Profile.icm und /tmp/w1Aof1U6N3/lcms-1.19.dfsg2/python/testbed/sRGB Color Space Profile.icm sind verschieden.
diff -Nru lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg2/samples/icctrans.c
--- lcms-1.19.dfsg/samples/icctrans.c	2009-10-30 16:57:45.000000000 +0100
+++ lcms-1.19.dfsg2/samples/icctrans.c	2015-01-17 21:55:17.000000000 +0100
@@ -86,6 +86,8 @@
 static LPcmsNAMEDCOLORLIST InputColorant = NULL;
 static LPcmsNAMEDCOLORLIST OutputColorant = NULL;
 
+unsigned int Buffer_size = 4096;
+
 
 // isatty replacement
 
@@ -500,7 +502,7 @@
 
     Prefix[0] = 0;
     if (!lTerse)
-        sprintf(Prefix, "%s=", C);
+        snprintf(Prefix, 20, "%s=", C);
 
     if (InHexa)
     {
@@ -648,7 +650,9 @@
 static
 void GetLine(char* Buffer)
 {    
-    scanf("%s", Buffer);
+    char User_buffer[Buffer_size];
+    fgets(User_buffer, (Buffer_size - 1), stdin);
+    sscanf(User_buffer,"%s", Buffer);
     
     if (toupper(Buffer[0]) == 'Q') { // Quit?
 
@@ -668,7 +672,7 @@
 static
 double GetAnswer(const char* Prompt, double Range)
 {
-    char Buffer[4096];
+    char Buffer[Buffer_size];
     double val = 0.0;
 	       
     if (Range == 0.0) {              // Range 0 means double value
@@ -738,7 +742,7 @@
 static
 WORD GetIndex(void)
 {
-    char Buffer[4096], Name[40], Prefix[40], Suffix[40];
+    char Buffer[Buffer_size], Name[40], Prefix[40], Suffix[40];
     int index, max;
 
     max = cmsNamedColorCount(hTrans)-1;
diff -Nru lcms-1.19.dfsg/samples/Makefile.am lcms-1.19.dfsg2/samples/Makefile.am
--- lcms-1.19.dfsg/samples/Makefile.am	2009-10-30 16:57:45.000000000 +0100
+++ lcms-1.19.dfsg2/samples/Makefile.am	2015-01-17 21:55:17.000000000 +0100
@@ -11,7 +11,7 @@
 bin_PROGRAMS = icctrans wtpt icc2ps icclink
 
 icctrans_LDADD = $(top_builddir)/src/liblcms.la 
-icctrans_LDFLAGS = @LDFLAGS@
+icctrans_LDFLAGS = @LDFLAGS@ -lm
 icctrans_SOURCES = icctrans.c xgetopt.c vprf.c
 icctrans_MANS = icctrans.1
 
diff -Nru lcms-1.19.dfsg/src/cmsio1.c lcms-1.19.dfsg2/src/cmsio1.c
--- lcms-1.19.dfsg/src/cmsio1.c	2009-11-13 10:02:11.000000000 +0100
+++ lcms-1.19.dfsg2/src/cmsio1.c	2015-01-17 21:55:17.000000000 +0100
@@ -2007,9 +2007,9 @@
                           return 0;
                 }
 
-                strncpy(v ->NamedColorList->Prefix, (const char*) nc2.prefix, 32);
-                strncpy(v ->NamedColorList->Suffix, (const char*) nc2.suffix, 32);
-                v ->NamedColorList->Prefix[32] = v->NamedColorList->Suffix[32] = 0;
+                strncpy(v ->NamedColorList->Prefix, (const char*) nc2.prefix, 31);
+                strncpy(v ->NamedColorList->Suffix, (const char*) nc2.suffix, 31);
+                v ->NamedColorList->Prefix[31] = v->NamedColorList->Suffix[31] = 0;
                 
                 v ->NamedColorList ->ColorantCount = nc2.nDeviceCoords;
                 
Binärdateien /tmp/lskYV26pVc/lcms-1.19.dfsg/testbed/sRGB Color Space Profile.icm und /tmp/w1Aof1U6N3/lcms-1.19.dfsg2/testbed/sRGB Color Space Profile.icm sind verschieden.
Binärdateien /tmp/lskYV26pVc/lcms-1.19.dfsg/testbed/sRGBSpac.icm und /tmp/w1Aof1U6N3/lcms-1.19.dfsg2/testbed/sRGBSpac.icm sind verschieden.
diff -Nru lcms-1.19.dfsg/tifficc/tiffdiff.c lcms-1.19.dfsg2/tifficc/tiffdiff.c
--- lcms-1.19.dfsg/tifficc/tiffdiff.c	2009-10-30 16:57:46.000000000 +0100
+++ lcms-1.19.dfsg2/tifficc/tiffdiff.c	2015-01-17 21:55:17.000000000 +0100
@@ -633,7 +633,7 @@
     cmsIT8SetSheetType(hIT8, "TIFFDIFF");
     
    
-    sprintf(Buffer, "Differences between %s and %s", TiffName1, TiffName2);
+    snprintf(Buffer, 256, "Differences between %s and %s", TiffName1, TiffName2);
   
     cmsIT8SetComment(hIT8, Buffer);

Reply to:

Follow-Ups:
- Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#773319: pre-approval: unblock: sudo/1.8.10p3-1.1; possibly sudo/1.8.11p2-1.1?
Next by Date: NEW changes in stable-new
Previous by thread: Bug#775586: marked as done (unblock: kdepim-runtime/4:4.14.2-3)
Next by thread: Bug#775603: wheezy-pu: package lcms/1.18.dfsg2-1.2+deb7u1
Index(es):
- Date
- Thread