--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package pdf2djvu/0.7.12-2
- From: Daniel Stender <debian@danielstender.com>
- Date: Sat, 06 Jun 2015 16:02:22 +0200
- Message-id: <20150606140222.27013.82150.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hello Debian release,
I propose an update of pdf2djvu in Wheezy, 0.7.12-2+deb7u1.
The patch is a security fix of #784889, already applied in Sid
(closed by 0.7.21-1) and Jessie.
I've build with Sbuild against oldstable, please see the buildlog
here [2]. To prevent the execution of make distclean which fails
I've also just added an empty override for dh_auto_clean.
Please see the attached debdiff for details.
The security has been marked as no-dsa [3], therefore I would
like to upload it as proposed update.
Thanks,
Daniel Stender
[1] http://bugs.debian.org/784889
[2] http://www.danielstender.com/buildlogs/pdf2djvu_0.7.12-2+deb7u1_amd64-20150606-1546.build
[3] https://security-tracker.debian.org/tracker/source-package/pdf2djvu
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pdf2djvu-0.7.12/debian/changelog pdf2djvu-0.7.12/debian/changelog
--- pdf2djvu-0.7.12/debian/changelog 2012-02-25 14:32:12.000000000 +0100
+++ pdf2djvu-0.7.12/debian/changelog 2015-06-06 15:38:16.000000000 +0200
@@ -1,3 +1,12 @@
+pdf2djvu (0.7.12-2+deb7u1) oldstable; urgency=medium
+
+ * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix
+ of no-dsa security issue (related bug #784889 closed by 0.7.21-1
+ in Sid).
+ * deb/rules: added empty override for dh_auto_clean.
+
+ -- Daniel Stender <debian@danielstender.com> Sat, 06 Jun 2015 15:37:38 +0200
+
pdf2djvu (0.7.12-2) unstable; urgency=low
* Add missing pkg-config build-dep (Closes: #661080)
diff -Nru pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff
--- pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 2015-06-06 15:27:39.000000000 +0200
@@ -0,0 +1,20 @@
+Description: fix for security issue
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <debian@danielstender.com>
+Origin: https://bitbucket.org/jwilk/pdf2djvu/commits/62c3c48098d6232f09ecabcf8d0176d42b714041
+Bug: https://bugs.debian.org/784889
+
+--- a/pdf2djvu.cc
++++ b/pdf2djvu.cc
+@@ -1537,7 +1537,8 @@
+ }
+ else if (nonwhite_background_color)
+ {
+- TemporaryFile c44_file;
++ TemporaryDirectory c44_dir;
++ TemporaryFile c44_file(c44_dir, "bg.djvu");
+ c44_file.close();
+ { /* Create solid-color PPM image with subsample ratio 12: */
+ TemporaryFile ppm_file;
diff -Nru pdf2djvu-0.7.12/debian/patches/series pdf2djvu-0.7.12/debian/patches/series
--- pdf2djvu-0.7.12/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ pdf2djvu-0.7.12/debian/patches/series 2015-06-06 15:22:54.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-executing-c44.diff
diff -Nru pdf2djvu-0.7.12/debian/rules pdf2djvu-0.7.12/debian/rules
--- pdf2djvu-0.7.12/debian/rules 2012-02-25 14:02:40.000000000 +0100
+++ pdf2djvu-0.7.12/debian/rules 2015-06-06 15:37:35.000000000 +0200
@@ -22,6 +22,8 @@
clean:
dh clean
+override_dh_auto_clean:
+
.PHONY: install
install: install-stamp
install-stamp: build-stamp
--- End Message ---