[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#787947: wheezy-pu: package didjvu/0.2.3-2

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

I'm propose an update of didjvu in wheezy, 0.2.3-2+deb7u1.

The patch is a security fix of #784888 [1] in oldstable, applied
already upstream in sid (closed by 0.4-1), and for 0.2.8-1+deb8u1.

Please see the attached debdiff for details.

I've build the package with Sbuild against wheezy, the buildlog is here [2].

The security team marked this as minor/non-dsa, thus I would upload
this at proposed update.

Thanks,
Daniel Stender

[1] https://bugs.debian.org/784888

[2] http://www.danielstender.com/buildlogs/didjvu_0.2.3-2+deb7u1_amd64-20150606-1848.build

[3] https://security-tracker.debian.org/tracker/source-package/didjvu

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru didjvu-0.2.3/debian/changelog didjvu-0.2.3/debian/changelog
--- didjvu-0.2.3/debian/changelog	2012-02-25 19:01:15.000000000 +0100
+++ didjvu-0.2.3/debian/changelog	2015-06-06 18:41:38.000000000 +0200
@@ -1,3 +1,10 @@
+didjvu (0.2.3-2+deb7u1) oldstable; urgency=medium
+
+  * add fix-insecure-use-of-tmp-when-calling-c44.diff on security
+    bug #784888 (closed by 0.4-1 in sid).
+
+ -- Daniel Stender <debian@danielstender.com>  Sat, 06 Jun 2015 18:41:01 +0200
+
 didjvu (0.2.3-2) unstable; urgency=low
 
   * Renamed and moved dep on xmp-toolkit from Depends to Suggests
diff -Nru didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff	1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff	2015-06-06 18:05:22.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix of security related bug
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -58,23 +58,23 @@
+ 
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB_NORMAL):
+     ppm_file = temporary.file(suffix='.ppm')
+-    temporaries = [ppm_file]
+     image.save(ppm_file.name)
+-    djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+-    args = [
+-        'c44',
+-        '-dpi', str(dpi),
+-        '-slice', ','.join(map(str, slices)),
+-        '-gamma', '%.1f' % gamma,
+-        '-crcb%s' % _crcb_map[crcb],
+-    ]
+-    if mask_image is not None:
+-        pbm_file = temporary.file(suffix='.pbm')
+-        mask_image.save(pbm_file.name)
+-        args += ['-mask', pbm_file.name]
+-        temporaries += [pbm_file]
+-    args += [ppm_file.name, djvu_file.name]
+-    return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++    with temporary.directory() as djvu_dir:
++        args = [
++            'c44',
++            '-dpi', str(dpi),
++            '-slice', ','.join(map(str, slices)),
++            '-gamma', '%.1f' % gamma,
++            '-crcb%s' % _crcb_map[crcb],
++        ]
++        if mask_image is not None:
++            pbm_file = temporary.file(suffix='.pbm')
++            mask_image.save(pbm_file.name)
++            args += ['-mask', pbm_file.name]
++        djvu_path = os.path.join(djvu_dir, 'result.djvu')
++        args += [ppm_file.name, djvu_path]
++        ipc.Subprocess(args).wait()
++        return temporary.hardlink(djvu_path, suffix='.djvu')
+ 
+ def djvu_to_iw44(djvu_file):
+     # TODO: Use Multichunk.
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+ 
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+ 
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+ 
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++    new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++    os.link(path, new_path)
++    return wrapper(
++        open(new_path, 'r+b'),
++        new_path
++    )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+     kwargs = dict(kwargs)
+@@ -32,6 +41,6 @@
+     finally:
+         shutil.rmtree(tmpdir)
+ 
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+ 
+ # vim:ts=4 sw=4 et
diff -Nru didjvu-0.2.3/debian/patches/series didjvu-0.2.3/debian/patches/series
--- didjvu-0.2.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/series	2015-06-06 17:36:38.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff
Reply to: