Bug#819362: wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#819362: wheezy-pu: package gtk+3.0/3.4.2-7+deb7u1
From: Guido Günther <agx@sigxcpu.org>
Date: Sun, 27 Mar 2016 17:15:26 +0200
Message-id: <[🔎] 20160327151526.GA25384@bogon.m.sigxcpu.org>
Reply-to: Guido Günther <agx@sigxcpu.org>, 819362@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,
I'd like to upate gtk+3.0 in wheezy to fix CVE-2013-7447.patch with the
attached debiff. Wheezy is currnelty the only unfixed gtk+3.0 version.

Cheers,
 -- Guido

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 999a883..37c3d67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+gtk+3.0 (3.4.2-7+deb7u1) oldstable-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2013-7447.patch: Avoid integer overflow when allocating a large block
+    of memory in gdk_cairo_set_source_pixbuf (Closes: #818090)
+
+ -- Guido Günther <agx@sigxcpu.org>  Sun, 13 Mar 2016 16:22:28 +0100
+
 gtk+3.0 (3.4.2-7) stable; urgency=low
 
   [ Raphaël Geissert ]
diff --git a/debian/patches/CVE-2013-7447.patch b/debian/patches/CVE-2013-7447.patch
new file mode 100644
index 0000000..cb851a2
--- /dev/null
+++ b/debian/patches/CVE-2013-7447.patch
@@ -0,0 +1,24 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 13 Mar 2016 15:38:37 +0100
+Subject: CVE-2013-7447
+
+Cherry-pick of upstream commit
+
+https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6
+---
+ gdk/gdkcairo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c
+index 19bed04..2e1d8dc 100644
+--- a/gdk/gdkcairo.c
++++ b/gdk/gdkcairo.c
+@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t         *cr,
+     format = CAIRO_FORMAT_ARGB32;
+ 
+   cairo_stride = cairo_format_stride_for_width (format, width);
+-  cairo_pixels = g_malloc (height * cairo_stride);
++  cairo_pixels = g_malloc_n (height, cairo_stride);
+   surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
+                                                  format,
+                                                  width, height, cairo_stride);
diff --git a/debian/patches/series b/debian/patches/series
index e9942cf..866e6e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 074_try-harder-to-discriminate-Shift-F10-and-F10.patch
 075_gtkplug-fix-handling-of-key-events-for-layouts.patch
 076_check_wm_supports_hint.patch
+CVE-2013-7447.patch

Reply to:

Prev by Date: NEW changes in oldstable-new
Next by Date: NEW changes in stable-new
Previous by thread: Processed: Re: Bug#819326: jessie-pu: package postgresql-common/165+deb8u1
Next by thread: Bug#819409: jessie-pu: package: torbrowser-launcher/0.1.9-1+deb8u3
Index(es):
- Date
- Thread