Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
From: Daniel Stender <debian@danielstender.com>
Date: Wed, 13 May 2015 10:12:41 +0200
Message-id: <[🔎] 20150513081241.26010.66246.reportbug@varuna.home>
Reply-to: Daniel Stender <debian@danielstender.com>, 785184@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I propose an update of pdf2djvu in jessie, 0.7.17-4+deb8u1.

The patch is a security fix of #784889 in stable.

Please see the attached debdiff for details.

The issue is marked as minor/no-dsa, so I would upload it
to stable as proposed update.

Thanks,
Daniel Stender

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru pdf2djvu-0.7.17/debian/changelog pdf2djvu-0.7.17/debian/changelog
--- pdf2djvu-0.7.17/debian/changelog	2014-07-05 14:14:36.000000000 +0200
+++ pdf2djvu-0.7.17/debian/changelog	2015-05-13 09:54:46.000000000 +0200
@@ -1,3 +1,11 @@
+pdf2djvu (0.7.17-4+deb8u1) stable; urgency=medium
+
+  * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix
+    of security issue TEMP-0784889-495CCA, see #784889 (closed
+    in Sid by 0.7.21-1).
+
+ -- Daniel Stender <debian@danielstender.com>  Wed, 13 May 2015 09:54:31 +0200
+
 pdf2djvu (0.7.17-4) unstable; urgency=low
 
   * Bumped standards to 3.9.5 (no changes needed).
diff -Nru pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff
--- pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff	1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.17/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff	2015-05-12 20:19:53.000000000 +0200
@@ -0,0 +1,18 @@
+Description: fix for security issue TEMP-0784889-495CCA
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/pdf2djvu/commits/62c3c48098d6232f09ecabcf8d0176d42b714041
+Bug: https://bugs.debian.org/784889
+
+--- a/pdf2djvu.cc
++++ b/pdf2djvu.cc
+@@ -1537,7 +1537,8 @@
+       }
+       else if (nonwhite_background_color)
+       {
+-        TemporaryFile c44_file;
++        TemporaryDirectory c44_dir;
++        TemporaryFile c44_file(c44_dir, "bg.djvu");
+         c44_file.close();
+         { /* Create solid-color PPM image with subsample ratio 12: */
+           TemporaryFile ppm_file;
diff -Nru pdf2djvu-0.7.17/debian/patches/series pdf2djvu-0.7.17/debian/patches/series
--- pdf2djvu-0.7.17/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.17/debian/patches/series	2015-05-12 20:11:42.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-executing-c44.diff

Reply to:

Follow-Ups:
- Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#784998: jessie-pu: package ulogd2/2.0.4-2+deb8u1
Next by Date: Processed: block 731121 with 760003
Previous by thread: Processed: Re: Bug#785154: Bug#785155: wheezy-pu: package phpbb3/3.0.10-4+deb7u3
Next by thread: Bug#785184: jessie-pu: package pdf2djvu/0.7.17-4
Index(es):
- Date
- Thread