Bug#614668: evince: diff for NMU version 2.30.3-3.1

Jonathan Wiltshire Wed, 29 Jun 2011 15:00:23 -0700

tags 614668 + patch
tags 614668 + pending
thanks

Dear maintainer,


I've prepared an NMU for evince (versioned as 2.30.3-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Note that the vulnerability fixed in this upload also applies to Squeeze
and probably Lenny, so if it is accepted I will prepare similar uploads for
those suites.

Regards.

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

diff -Nru evince-2.30.3/debian/changelog evince-2.30.3/debian/changelog
--- evince-2.30.3/debian/changelog	2011-02-16 21:23:44.000000000 +0000
+++ evince-2.30.3/debian/changelog	2011-06-29 22:33:26.000000000 +0100
@@ -1,3 +1,12 @@
+evince (2.30.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * debian/patches/03_CVE-2011-0433.patch:
+    - fix CVE-2011-0433, a buffer overflow in token() in afmparse.c
+    Closes: #614668
+
+ -- Jonathan Wiltshire <j...@debian.org>  Wed, 29 Jun 2011 22:19:33 +0100
+
 evince (2.30.3-3) unstable; urgency=low
 
   [ Josselin Mouette ]
diff -Nru evince-2.30.3/debian/patches/03_CVE-2011-0433.patch evince-2.30.3/debian/patches/03_CVE-2011-0433.patch
--- evince-2.30.3/debian/patches/03_CVE-2011-0433.patch	1970-01-01 01:00:00.000000000 +0100
+++ evince-2.30.3/debian/patches/03_CVE-2011-0433.patch	2011-06-29 22:33:26.000000000 +0100
@@ -0,0 +1,25 @@
+From: Vincent Untz <vu...@gnome.org>
+Date: Thu, 17 Feb 2011 15:23:39 +0100
+Subject: [PATCH] backends: Fix another security issue in the dvi-backend
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=640923
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614668
+
+This is similar to one of the fixes from d4139205.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=640923
+---
+ backend/dvi/mdvi-lib/afmparse.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+
+--- evince-2.30.3.orig/backend/dvi/mdvi-lib/afmparse.c
++++ evince-2.30.3/backend/dvi/mdvi-lib/afmparse.c
+@@ -190,7 +190,7 @@
+     while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); 
+     
+     idx = 0;
+-    while (ch != EOF && ch != lineterm) 
++    while (ch != EOF && ch != lineterm && idx < MAX_NAME)
+     {
+         ident[idx++] = ch;
+         ch = fgetc(stream);
diff -Nru evince-2.30.3/debian/patches/series evince-2.30.3/debian/patches/series
--- evince-2.30.3/debian/patches/series	2011-02-16 21:23:44.000000000 +0000
+++ evince-2.30.3/debian/patches/series	2011-06-29 22:33:26.000000000 +0100
@@ -1,2 +1,3 @@
 01_dvi_security.patch
 02_link_ice.patch
+03_CVE-2011-0433.patch

signature.asc
Description: Digital signature

Bug#614668: evince: diff for NMU version 2.30.3-3.1

Reply via email to