
Bug#778704: unblock: libgtk2-perl/1.2492-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libgtk2-perl

The only change it contains is a security fix cherry-picked from upstream,
and the corresponding test case.

I'm in the process of convincing them to ask for a CVE, and of preparing
a security upload for Wheezy.

unblock libgtk2-perl/1.2492-4

Thanks!
diff -Nru libgtk2-perl-1.2492/debian/changelog libgtk2-perl-1.2492/debian/changelog
--- libgtk2-perl-1.2492/debian/changelog	2014-08-29 23:46:41.000000000 +0200
+++ libgtk2-perl-1.2492/debian/changelog	2015-02-18 19:53:25.000000000 +0100
@@ -1,3 +1,10 @@
+libgtk2-perl (2:1.2492-4) unstable; urgency=high
+
+  * Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch:
+    new patch, cherry-picked from upstream, that fixes a security issue.
+
+ -- intrigeri <intrigeri@debian.org>  Wed, 18 Feb 2015 19:45:09 +0100
+
 libgtk2-perl (2:1.2492-3) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
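Review bot: The new 2:1.2492-4 changelog entry says only that the patch "fixes a security issue", without naming the defect or giving any bug reference, even though urgency is set to high. State what was wrong, using the patch's own subject (incorrect memory management in Gtk2::Gdk::Display::list_devices, where the binding freed a list it does not own), and add a Closes: or CVE reference once one exists, so the upload can be matched to the issue from the security tracker.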
diff -Nru libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
--- libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgtk2-perl-1.2492/debian/patches/Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch	2015-02-18 19:53:25.000000000 +0100
@@ -0,0 +1,47 @@
+From: Torsten Schönfeld <kaffeetisch@gmx.de>
+Date: Sat, 17 Jan 2015 14:59:24 +0100
+Origin: https://git.gnome.org/browse/perl-Gtk2/commit/?id=4856da628ce37099b27b66a88141dc6daad693b0
+Applied-Upstream: 1.2495
+Subject: Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
+
+We do not own the returned list.
+---
+ t/GdkDisplay.t   | 4 +++-
+ xs/GdkDisplay.xs | 2 --
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/t/GdkDisplay.t b/t/GdkDisplay.t
+index d290446..f4aef59 100644
+--- a/t/GdkDisplay.t
++++ b/t/GdkDisplay.t
+@@ -1,7 +1,7 @@
+ #!/usr/bin/perl -w
+ use strict;
+ use Gtk2::TestHelper
+-  tests => 26,
++  tests => 27,
+   at_least_version => [2, 2, 0, "GdkDisplay is new in 2.2"];
+ 
+ # $Id$
+@@ -32,6 +32,8 @@ ok(!$display -> pointer_is_grabbed());
+ # $display -> beep();
+ $display -> sync();
+ 
++# Do this twice to ensure we did not damage the list.
++isa_ok(($display -> list_devices())[0], "Gtk2::Gdk::Device");
+ isa_ok(($display -> list_devices())[0], "Gtk2::Gdk::Device");
+ 
+ $display -> put_event(Gtk2::Gdk::Event -> new("button-press"));
+diff --git a/xs/GdkDisplay.xs b/xs/GdkDisplay.xs
+index f558f1d..a019eee 100644
+--- a/xs/GdkDisplay.xs
++++ b/xs/GdkDisplay.xs
+@@ -69,8 +69,6 @@ gdk_display_list_devices (display)
+ 	devices = gdk_display_list_devices (display);
+ 	for (i = devices ; i != NULL ; i = i->next)
+ 		XPUSHs (sv_2mortal (newSVGdkDevice (i->data)));
+-	g_list_free (devices);
+-	
+ 
+ GdkEvent* gdk_display_get_event (GdkDisplay *display) 
+ 
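Review bot: In the t/GdkDisplay.t part, the added second isa_ok call inspects only element [0] of the result, so it catches the removed g_list_free (devices) only if the freed list happens to be visibly damaged by the time of the second call; a use-after-free can pass this check. Consider also asserting that two consecutive list_devices() calls return the same number of devices, and running the test under a memory checker such as valgrind. Separately, the patch header carries Origin and Applied-Upstream but no Bug or Bug-Debian field, and the message "We do not own the returned list." would read better if it said that the caller must not free the list returned by gdk_display_list_devices.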
diff -Nru libgtk2-perl-1.2492/debian/patches/series libgtk2-perl-1.2492/debian/patches/series
--- libgtk2-perl-1.2492/debian/patches/series	2014-08-29 23:46:41.000000000 +0200
+++ libgtk2-perl-1.2492/debian/patches/series	2015-02-18 19:53:25.000000000 +0100
@@ -1,3 +1,4 @@
 Make_t_GtkCellRenderer.t_more_robust.patch
 30-disable_libgtk_version_check.patch
 fix-typo.patch
+Fix-incorrect-memory-management-in-Gtk2-Gdk-Display-list_devices.patch
