Package: release.debian.org Severity: normal Tags: wheezy User: release.debian....@packages.debian.org Usertags: pu
Hello release team, I propose an update of didjvu in wheezy, 0.2.3-2+deb7u1. The patch is a security fix for #784888 [1] in oldstable; it is already applied upstream, in sid (closed by 0.4-1) and in 0.2.8-1+deb8u1. Please see the attached debdiff for details. I've built the package with Sbuild against wheezy; the build log is here [2]. The security team marked this as minor/non-dsa, so I would upload it to proposed-updates. Thanks, Daniel Stender [1] https://bugs.debian.org/784888 [2] http://www.danielstender.com/buildlogs/didjvu_0.2.3-2+deb7u1_amd64-20150606-1848.build [3] https://security-tracker.debian.org/tracker/source-package/didjvu -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru didjvu-0.2.3/debian/changelog didjvu-0.2.3/debian/changelog
--- didjvu-0.2.3/debian/changelog 2012-02-25 19:01:15.000000000 +0100
+++ didjvu-0.2.3/debian/changelog 2015-06-06 18:41:38.000000000 +0200
@@ -1,3 +1,10 @@
+didjvu (0.2.3-2+deb7u1) oldstable; urgency=medium
+
+ * add fix-insecure-use-of-tmp-when-calling-c44.diff on security
+ bug #784888 (closed by 0.4-1 in sid).
+
+ -- Daniel Stender <deb...@danielstender.com> Sat, 06 Jun 2015 18:41:01 +0200
+
 didjvu (0.2.3-2) unstable; urgency=low
 
 * Renamed and moved dep on xmp-toolkit from Depends to Suggests
diff -Nru didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 2015-06-06 18:05:22.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix of security related bug
+ Prevents C44 to delete didjvu output file in /tmp or $TMPDIR
+ and create a new one during IW44 layer processing,
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <deb...@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -58,23 +58,23 @@
+ 
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB_NORMAL):
+ ppm_file = temporary.file(suffix='.ppm')
+- temporaries = [ppm_file]
+ image.save(ppm_file.name)
+- djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+- args = [
+- 'c44',
+- '-dpi', str(dpi),
+- '-slice', ','.join(map(str, slices)),
+- '-gamma', '%.1f' % gamma,
+- '-crcb%s' % _crcb_map[crcb],
+- ]
+- if mask_image is not None:
+- pbm_file = temporary.file(suffix='.pbm')
+- mask_image.save(pbm_file.name)
+- args += ['-mask', pbm_file.name]
+- temporaries += [pbm_file]
+- args += [ppm_file.name, djvu_file.name]
+- return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++ with temporary.directory() as djvu_dir:
++ args = [
++ 'c44',
++ '-dpi', str(dpi),
++ '-slice', ','.join(map(str, slices)),
++ '-gamma', '%.1f' % gamma,
++ '-crcb%s' % _crcb_map[crcb],
++ ]
++ if mask_image is not None:
++ pbm_file = temporary.file(suffix='.pbm')
++ mask_image.save(pbm_file.name)
++ args += ['-mask', pbm_file.name]
++ djvu_path = os.path.join(djvu_dir, 'result.djvu')
++ args += [ppm_file.name, djvu_path]
++ ipc.Subprocess(args).wait()
++ return temporary.hardlink(djvu_path, suffix='.djvu')
+ 
+ def djvu_to_iw44(djvu_file):
+ # TODO: Use Multichunk.
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+ 
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+ 
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+ 
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++ new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++ os.link(path, new_path)
++ return wrapper(
++ open(new_path, 'r+b'),
++ new_path
++ )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+ kwargs = dict(kwargs)
+@@ -32,6 +41,6 @@
+ finally:
+ shutil.rmtree(tmpdir)
+ 
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+ 
+ # vim:ts=4 sw=4 et
diff -Nru didjvu-0.2.3/debian/patches/series didjvu-0.2.3/debian/patches/series
--- didjvu-0.2.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.3/debian/patches/series 2015-06-06 17:36:38.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff
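Review bot: `hardlink` in the lib/temporary.py hunk draws `new_path` from `tempfile.mktemp` (via `name`) and calls `os.link` exactly once, so a name collision — which mktemp cannot rule out — surfaces as an `OSError` with EEXIST and aborts `photo_to_djvu` instead of being retried. link(2) refusing to replace an existing entry (a pre-created file or symlink alike) is what keeps this from being a clobbering race, so the residual exposure is a failure rather than a compromise, but the function should loop the way `tempfile._mkstemp_inner` does: re-draw the name on EEXIST and re-raise anything else, which needs `import errno` beside the added `import os`. A short docstring would also help the next reader see why c44's output is produced inside a private `temporary.directory()` and only then linked out under a fresh name: per the patch description c44 deletes and recreates its output path, so that path must never be a name in a shared directory.
```python
def hardlink(path, suffix='', prefix='didjvu.', dir=None):
    # Expose c44's output (written inside a private temporary directory)
    # under a fresh name.  mktemp() gives no uniqueness guarantee; link(2)
    # refuses to replace an existing name, so on EEXIST draw another one.
    while True:
        new_path = name(suffix=suffix, prefix=prefix, dir=dir)
        try:
            os.link(path, new_path)
        except OSError as exc:
            if exc.errno == errno.EEXIST:
                continue
            raise
        return wrapper(open(new_path, 'r+b'), new_path)
```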