Bug#785254: jessie-pu: package didjvu/0.2.8-1
On 14.05.2015 05:09, Salvatore Bonaccorso wrote:
> Hi Daniel
>
> (Disclaimer, not part of the release team, just giving a comment on
> the changelog entry):
>
> On Wed, May 13, 2015 at 10:53:22PM +0200, Daniel Stender wrote:
>> + * add fix-insecure-use-of-tmp-when-calling-c44.diff, fix
>> + of security issue TEMP-0784889-495CCA, see #784888 (closed
>> + in Sid by 0.4-1).
>
> Do not use these temporary items since they can change over time (e.g.
> when a CVE is assigned they do not exist anymore, or even if we change
> some metadata in the security-tracker. So I suggest to just write an
> expalanation what the issue is, or -- if a CVE is assigned -- include
> the CVE id.
>
> And you can "Close: #784888" as well, since there is a bug to track
> that issue.
>
> HTH,
>
> Regards,
> Salvatore
Yes, that's better. The CVE request is still pending [1], I'll add this
to the bug then as soon as it's available.
A fresh debdiff attached, I've extracted the temporary refs and added
info about what the patch is for.
DS
[1] http://www.openwall.com/lists/oss-security/2015/05/09/7
--
http://qa.debian.org/developer.php?login=debian%40danielstender.com
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
diff -Nru didjvu-0.2.8/debian/changelog didjvu-0.2.8/debian/changelog
--- didjvu-0.2.8/debian/changelog 2014-06-19 11:18:11.000000000 +0200
+++ didjvu-0.2.8/debian/changelog 2015-05-14 11:32:09.000000000 +0200
@@ -1,3 +1,10 @@
+didjvu (0.2.8-1+deb8u1) stable; urgency=medium
+
+ * add fix-insecure-use-of-tmp-when-calling-c44.diff on security
+ issue (Closes: #784888).
+
+ -- Daniel Stender <debian@danielstender.com> Thu, 14 May 2015 11:32:04 +0200
+
didjvu (0.2.8-1) unstable; urgency=low
* New upstream release (Closes: #743677).
diff -Nru didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 2015-05-14 10:46:16.000000000 +0200
@@ -0,0 +1,85 @@
+Description: fix of security related bug
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -76,25 +76,25 @@
+
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB.normal):
+ ppm_file = temporary.file(suffix='.ppm')
+- temporaries = [ppm_file]
+ image.save(ppm_file.name)
+- djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+ if not isinstance(crcb, Crcb):
+ raise TypeError
+- args = [
+- 'c44',
+- '-dpi', str(dpi),
+- '-slice', ','.join(map(str, slices)),
+- '-gamma', '%.1f' % gamma,
+- '-crcb%s' % crcb,
+- ]
+- if mask_image is not None:
+- pbm_file = temporary.file(suffix='.pbm')
+- mask_image.save(pbm_file.name)
+- args += ['-mask', pbm_file.name]
+- temporaries += [pbm_file]
+- args += [ppm_file.name, djvu_file.name]
+- return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++ with temporary.directory() as djvu_dir:
++ args = [
++ 'c44',
++ '-dpi', str(dpi),
++ '-slice', ','.join(map(str, slices)),
++ '-gamma', '%.1f' % gamma,
++ '-crcb%s' % crcb,
++ ]
++ if mask_image is not None:
++ pbm_file = temporary.file(suffix='.pbm')
++ mask_image.save(pbm_file.name)
++ args += ['-mask', pbm_file.name]
++ djvu_path = os.path.join(djvu_dir, 'result.djvu')
++ args += [ppm_file.name, djvu_path]
++ ipc.Subprocess(args).wait()
++ return temporary.hardlink(djvu_path, suffix='.djvu')
+
+ def djvu_to_iw44(djvu_file):
+ # TODO: Use Multichunk.
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++ new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++ os.link(path, new_path)
++ return wrapper(
++ open(new_path, 'r+b'),
++ new_path
++ )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+ kwargs = dict(kwargs)
+@@ -32,6 +41,6 @@
+ finally:
+ shutil.rmtree(tmpdir)
+
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+
+ # vim:ts=4 sw=4 et
diff -Nru didjvu-0.2.8/debian/patches/series didjvu-0.2.8/debian/patches/series
--- didjvu-0.2.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/series 2015-05-13 21:01:42.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff
Reply to: