
Bug#785254: jessie-pu: package didjvu/0.2.8-1



On 14.05.2015 05:09, Salvatore Bonaccorso wrote:
> Hi Daniel
> 
> (Disclaimer, not part of the release team, just giving a comment on
> the changelog entry):
> 
> On Wed, May 13, 2015 at 10:53:22PM +0200, Daniel Stender wrote:
>> +  * add fix-insecure-use-of-tmp-when-calling-c44.diff, fix
>> +    of security issue TEMP-0784889-495CCA, see #784888 (closed
>> +    in Sid by 0.4-1).
> 
> Do not use these temporary items since they can change over time (e.g.
> when a CVE is assigned they do not exist anymore, or even if we change
> some metadata in the security-tracker). So I suggest to just write an
> explanation what the issue is, or -- if a CVE is assigned -- include
> the CVE id.
> 
> And you can "Close: #784888" as well, since there is a bug to track
> that issue.
> 
> HTH,
> 
> Regards,
> Salvatore

Yes, that's better. The CVE request is still pending [1], I'll add this
to the bug then as soon as it's available.

A fresh debdiff attached, I've extracted the temporary refs and added
info about what the patch is for.

DS

[1] http://www.openwall.com/lists/oss-security/2015/05/09/7

-- 
http://qa.debian.org/developer.php?login=debian%40danielstender.com
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8



diff -Nru didjvu-0.2.8/debian/changelog didjvu-0.2.8/debian/changelog
--- didjvu-0.2.8/debian/changelog	2014-06-19 11:18:11.000000000 +0200
+++ didjvu-0.2.8/debian/changelog	2015-05-14 11:32:09.000000000 +0200
@@ -1,3 +1,10 @@
+didjvu (0.2.8-1+deb8u1) stable; urgency=medium
+
+  * add fix-insecure-use-of-tmp-when-calling-c44.diff on security
+    issue (Closes: #784888).
+
+ -- Daniel Stender <debian@danielstender.com>  Thu, 14 May 2015 11:32:04 +0200
+
 didjvu (0.2.8-1) unstable; urgency=low
 
   * New upstream release (Closes: #743677).
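Review bot: the new changelog entry still does not say what the issue is; "add fix-insecure-use-of-tmp-when-calling-c44.diff on security issue" only names the patch file, which is what the earlier comment in this thread asked to move away from. Suggest stating the weakness in the entry itself, e.g. `* Fix insecure use of a temporary file in /tmp or $TMPDIR when calling c44 (Closes: #784888).`, and appending the CVE id once it is assigned.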
diff -Nru didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff	1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff	2015-05-14 10:46:16.000000000 +0200
@@ -0,0 +1,85 @@
+Description: fix of security related bug
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
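Review bot: the DEP-3 Description is vague ("fix of security related bug") and its second line has a grammar slip ("Prevents C44 to delete"); suggest "Prevents c44 from deleting didjvu's output file in /tmp or $TMPDIR and creating a new one during IW44 layer processing". Since Origin points at an upstream commit, it should also carry the DEP-3 category prefix, i.e. `Origin: upstream, <existing URL>`.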
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -76,25 +76,25 @@
+ 
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB.normal):
+     ppm_file = temporary.file(suffix='.ppm')
+-    temporaries = [ppm_file]
+     image.save(ppm_file.name)
+-    djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+     if not isinstance(crcb, Crcb):
+         raise TypeError
+-    args = [
+-        'c44',
+-        '-dpi', str(dpi),
+-        '-slice', ','.join(map(str, slices)),
+-        '-gamma', '%.1f' % gamma,
+-        '-crcb%s' % crcb,
+-    ]
+-    if mask_image is not None:
+-        pbm_file = temporary.file(suffix='.pbm')
+-        mask_image.save(pbm_file.name)
+-        args += ['-mask', pbm_file.name]
+-        temporaries += [pbm_file]
+-    args += [ppm_file.name, djvu_file.name]
+-    return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++    with temporary.directory() as djvu_dir:
++        args = [
++            'c44',
++            '-dpi', str(dpi),
++            '-slice', ','.join(map(str, slices)),
++            '-gamma', '%.1f' % gamma,
++            '-crcb%s' % crcb,
++        ]
++        if mask_image is not None:
++            pbm_file = temporary.file(suffix='.pbm')
++            mask_image.save(pbm_file.name)
++            args += ['-mask', pbm_file.name]
++        djvu_path = os.path.join(djvu_dir, 'result.djvu')
++        args += [ppm_file.name, djvu_path]
++        ipc.Subprocess(args).wait()
++        return temporary.hardlink(djvu_path, suffix='.djvu')
+ 
+ def djvu_to_iw44(djvu_file):
+     # TODO: Use Multichunk.
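Review bot: the new body calls `os.path.join`, but this patch adds `import os` only to lib/temporary.py, not to lib/djvu_extra.py; the hunk context starts at line 76 and does not show the module's imports, so confirm djvu_extra.py already imports os, otherwise `photo_to_djvu` raises NameError at runtime. The fix itself is sound: c44 now writes into a private directory from `temporary.directory()` instead of a path in the shared temp directory (which, per the Description, c44 deletes and recreates, so a securely created temporary there gave no protection), and `ipc.Subprocess(args).wait()` is now synchronous while `ppm_file` and `pbm_file` are still in scope, so dropping the `temporaries` list does not shorten their lifetime.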
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+ 
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+ 
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+ 
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++    new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++    os.link(path, new_path)
++    return wrapper(
++        open(new_path, 'r+b'),
++        new_path
++    )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+     kwargs = dict(kwargs)
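Review bot: `hardlink()` obtains `new_path` from `name()`, which is the `tempfile.mktemp` partial defined above, so it is subject to the race mktemp is documented for; `os.link` refuses to overwrite an existing path, so a pre-created entry at that name makes the call fail with EEXIST rather than clobbering anything, but the function then propagates the error instead of trying another name. Suggest looping over a few `name()` candidates and retrying on `OSError` with `errno.EEXIST`. Also, `os.link` needs `path` and `new_path` on the same filesystem; both default to the tempfile module's directory, so this holds unless a caller passes `dir`, which is worth a docstring note.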
+@@ -32,6 +41,6 @@
+     finally:
+         shutil.rmtree(tmpdir)
+ 
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+ 
+ # vim:ts=4 sw=4 et
diff -Nru didjvu-0.2.8/debian/patches/series didjvu-0.2.8/debian/patches/series
--- didjvu-0.2.8/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/series	2015-05-13 21:01:42.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff
