Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hello Debian release,

I propose an update of pdf2djvu in Wheezy, 0.7.12-2+deb7u1. The patch is a security fix of #784889 [1], already applied in Sid (closed by 0.7.21-1) and Jessie. I've built with Sbuild against oldstable, please see the buildlog here [2]. To prevent the execution of make distclean, which fails, I've also just added an empty override for dh_auto_clean. Please see the attached debdiff for details.

The security issue has been marked as no-dsa [3], therefore I would like to upload it as a proposed update.

Thanks,
Daniel Stender

[1] http://bugs.debian.org/784889
[2] http://www.danielstender.com/buildlogs/pdf2djvu_0.7.12-2+deb7u1_amd64-20150606-1546.build
[3] https://security-tracker.debian.org/tracker/source-package/pdf2djvu

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pdf2djvu-0.7.12/debian/changelog pdf2djvu-0.7.12/debian/changelog --- pdf2djvu-0.7.12/debian/changelog 2012-02-25 14:32:12.000000000 +0100 +++ pdf2djvu-0.7.12/debian/changelog 2015-06-06 15:38:16.000000000 +0200 @@ -1,3 +1,12 @@ +pdf2djvu (0.7.12-2+deb7u1) oldstable; urgency=medium + + * added fix-insecure-use-of-tmp-when-executing-c44.diff, fix + of no-dsa security issue (related bug #784889 closed by 0.7.21-1 + in Sid). + * deb/rules: added empty override for dh_auto_clean. + + -- Daniel Stender <deb...@danielstender.com> Sat, 06 Jun 2015 15:37:38 +0200 + pdf2djvu (0.7.12-2) unstable; urgency=low * Add missing pkg-config build-dep (Closes: #661080) diff -Nru pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff --- pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 1970-01-01 01:00:00.000000000 +0100 +++ pdf2djvu-0.7.12/debian/patches/fix-insecure-use-of-tmp-when-executing-c44.diff 2015-06-06 15:27:39.000000000 +0200 
@@ -0,0 +1,20 @@ +Description: fix for security issue + Prevents C44 to delete didjvu output file in /tmp or $TMPDIR + and create a new one during IW44 layer processing, + CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7 +Author: Daniel Stender <deb...@danielstender.com> +Origin: https://bitbucket.org/jwilk/pdf2djvu/commits/62c3c48098d6232f09ecabcf8d0176d42b714041 +Bug: https://bugs.debian.org/784889 + +--- a/pdf2djvu.cc ++++ b/pdf2djvu.cc +@@ -1537,7 +1537,8 @@ + } + else if (nonwhite_background_color) + { +- TemporaryFile c44_file; ++ TemporaryDirectory c44_dir; ++ TemporaryFile c44_file(c44_dir, "bg.djvu"); + c44_file.close(); + { /* Create solid-color PPM image with subsample ratio 12: */ + TemporaryFile ppm_file; diff -Nru pdf2djvu-0.7.12/debian/patches/series pdf2djvu-0.7.12/debian/patches/series --- pdf2djvu-0.7.12/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ pdf2djvu-0.7.12/debian/patches/series 2015-06-06 15:22:54.000000000 +0200 @@ -0,0 +1 @@ +fix-insecure-use-of-tmp-when-executing-c44.diff diff -Nru pdf2djvu-0.7.12/debian/rules pdf2djvu-0.7.12/debian/rules --- pdf2djvu-0.7.12/debian/rules 2012-02-25 14:02:40.000000000 +0100 +++ pdf2djvu-0.7.12/debian/rules 2015-06-06 15:37:35.000000000 +0200 @@ -22,6 +22,8 @@ clean: dh clean +override_dh_auto_clean: + .PHONY: install install: install-stamp install-stamp: build-stamp
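Review bot: in the debian/changelog hunk, the second bullet names "deb/rules" while the file changed in this debdiff is debian/rules; use the real path so the entry can be matched against the diff. The first bullet could also say in one clause what the patch changes (the c44 output file during IW44 background-layer processing is moved out of the shared temp dir), since the patch name alone does not tell a reader of the changelog which code path was affected.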
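Review bot: the DEP-3 header of fix-insecure-use-of-tmp-when-executing-c44.diff reads "Prevents C44 to delete didjvu output file"; this should be "prevents c44 from deleting the output file", and "didjvu" looks like a slip for pdf2djvu given that the patched file is pdf2djvu.cc. On the change itself, the hunk replaces a bare `TemporaryFile c44_file;` (a file at a predictable path in /tmp or $TMPDIR, which c44 deletes and recreates as the description says) with `TemporaryDirectory c44_dir;` plus `TemporaryFile c44_file(c44_dir, "bg.djvu");`, so the delete-and-recreate now happens inside a freshly created directory rather than directly in the shared temp dir; that is the right shape of fix for the issue the description names, and the subsequent `c44_file.close();` is unchanged, which is fine. One thing to confirm: the hunk is backported from a much later upstream commit and does not show the declarations of TemporaryDirectory or of the TemporaryFile(dir, name) constructor, so please check that the 0.7.12 sources already provide both with these semantics (the successful sbuild log suggests they do); a short sentence in the DEP-3 description recording that check would help the next maintainer.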
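Review bot: in the debian/rules hunk, an empty `override_dh_auto_clean:` does more than skip the failing `make distclean`; it means `debian/rules clean` removes none of the upstream build products, so a second build in the same tree, or dpkg-source's check for a modified source tree, may trip over leftover objects and the built binary. Add a comment above the target stating why distclean is bypassed in 0.7.12 (the cover mail explains it; the rules file does not), and consider giving the override a body that removes the known outputs explicitly with `rm -f` instead of leaving it empty.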