Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I propose an update of pdf2djvu in jessie, 0.7.17-4+deb8u1.
The patch is a security fix for #784889 in stable.
Please see the attached debdiff for details.

The issue is marked as minor/no-dsa, so I would upload it
to stable as a proposed update.

Thanks,
Daniel Stender
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pdf2djvu-0.7.17/debian/changelog pdf2djvu-0.7.17/debian/changelog
--- pdf2djvu-0.7.17/debian/changelog 2014-07-05 14:14:36.000000000 +0200
+++ pdf2djvu-0.7.17/debian/changelog 2015-05-13 09:54:46.000000000 +0200
@@ -1,3 +1,11 @@
+pdf2djvu (0.7.17-4+deb8u1) stable; urgency=medium
+
+ * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix
+ of security issue TEMP-0784889-495CCA, see #784889 (closed
+ in Sid by 0.7.21-1).
+
+ -- Daniel Stender <debian@danielstender.com> Wed, 13 May 2015 09:54:31 +0200
+
pdf2djvu (0.7.17-4) unstable; urgency=low
* Bumped standards to 3.9.5 (no changes needed).
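Review bot: The new entry mentions the bug only as "see #784889", with no "Closes: #784889", so the changelog will not mark 0.7.17-4+deb8u1 as a fixed version for that bug in the BTS; consider adding it so version tracking shows jessie as fixed. The entry also identifies the problem only by the temporary id TEMP-0784889-495CCA. A few words on what is fixed (insecure use of /tmp when executing c44, going by the patch name) would make the entry readable without following the link.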
diff -Nru pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff
--- pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 2015-05-12 20:19:53.000000000 +0200
@@ -0,0 +1,18 @@
+Description: fix for security issue TEMP-0784889-495CCA
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/pdf2djvu/commits/62c3c48098d6232f09ecabcf8d0176d42b714041
+Bug: https://bugs.debian.org/784889
+
+--- a/pdf2djvu.cc
++++ b/pdf2djvu.cc
+@@ -1537,7 +1537,8 @@
+ }
+ else if (nonwhite_background_color)
+ {
+- TemporaryFile c44_file;
++ TemporaryDirectory c44_dir;
++ TemporaryFile c44_file(c44_dir, "bg.djvu");
+ c44_file.close();
+ { /* Create solid-color PPM image with subsample ratio 12: */
+ TemporaryFile ppm_file;
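Review bot: In the pdf2djvu.cc hunk only c44_file moves into the private TemporaryDirectory, while the context line "TemporaryFile ppm_file;" still uses the default constructor. If ppm_file is also handed to c44 by path, either create it inside c44_dir too or say in the Description why it is not affected. Since c44_file is closed right after creation and the name is reused afterwards, the Description should also state that the fix relies on the directory being private to the process. Finally, the patch adds no definitions, so please confirm that 0.7.17 already provides TemporaryDirectory and the two-argument TemporaryFile(c44_dir, "bg.djvu") constructor, given that the changelog says the fix reached sid with 0.7.21-1.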
diff -Nru pdf2djvu-0.7.17/debian/patches/series pdf2djvu-0.7.17/debian/patches/series
--- pdf2djvu-0.7.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.17/debian/patches/series 2015-05-12 20:11:42.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-executing-c44.diff
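Review bot: debian/patches/series is created from nothing here ("@@ -0,0 +1 @@"), so this is the first patch the package carries. Please confirm that the source format or build rules actually apply the series at build time, and that a test build of 0.7.17-4+deb8u1 contains the changed pdf2djvu.cc, otherwise the fix would ship unapplied.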