tags 614669 + patch
tags 614669 + pending
thanks

Dear maintainer,

I've prepared an NMU for vftool (versioned as 2.0alpha-4.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

Note that the vulnerability fixed in this upload also applies to Squeeze and probably Lenny, so if it is accepted I will prepare similar uploads for those suites.

Regards.

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

diff -u vftool-2.0alpha/debian/changelog vftool-2.0alpha/debian/changelog --- vftool-2.0alpha/debian/changelog +++ vftool-2.0alpha/debian/changelog @@ -1,3 +1,12 @@ +vftool (2.0alpha-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * debian/patch-3: + - fix CVE-2011-0433, a buffer overflow in linetoken() in parseAFM.c + Closes: #614669 + + -- Jonathan Wiltshire <j...@debian.org> Wed, 29 Jun 2011 23:06:32 +0100 + vftool (2.0alpha-4) unstable; urgency=low * Fixed FTBFS bug with a patch by Ruben Molina <rmolina AT udea.edu.co> diff -u vftool-2.0alpha/debian/rules vftool-2.0alpha/debian/rules --- vftool-2.0alpha/debian/rules +++ vftool-2.0alpha/debian/rules @@ -28,6 +28,8 @@ patch -p1 < debian/patch-0 patch -NRp1 < debian/patch-1 || true patch -p1 < debian/patch-1 + patch -NRp1 < debian/patch-2 || true + patch -p1 < debian/patch-2 $(MAKE) mka2bkjvf $(MAKE) mka2bkvf $(MAKE) mkbkv2hjvf only in patch2: unchanged: --- vftool-2.0alpha.orig/debian/patch-2 +++ vftool-2.0alpha/debian/patch-2 @@ -0,0 +1,21 @@ +From: Vincent Untz <vu...@gnome.org> +Date: Thu, 17 Feb 2011 15:23:39 +0100 +Subject: [PATCH] backends: Fix another security issue in the dvi-backend +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=640923 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614669 + +This is similar to one of the fixes from d4139205. + +https://bugzilla.gnome.org/show_bug.cgi?id=640923 + +--- vftool-2.0alpha.orig/parseAFM.c ++++ vftool-2.0alpha/parseAFM.c +@@ -178,7 +178,7 @@ + while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); + + idx = 0; +- while (ch != EOF && ch != lineterm) ++ while (ch != EOF && ch != lineterm && idx < MAX_NAME) + { + ident[idx++] = ch; + ch = fgetc(stream);
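
Review bot: The changelog entry names debian/patch-3, but the file this upload adds is debian/patch-2, and the debian/rules hunk applies debian/patch-2. The entry should read "debian/patch-2:" so the changelog matches the shipped file. The two new patch invocations in debian/rules are not listed in the entry either and deserve a bullet of their own.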
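
Review bot: In the parseAFM.c hunk inside debian/patch-2, the new condition `idx < MAX_NAME` still lets the loop store into ident[MAX_NAME - 1] and exit with idx == MAX_NAME. The declaration of ident and whatever terminates the string after the loop are outside the visible context; if ident holds MAX_NAME bytes and a NUL is written at ident[idx] afterwards, that write lands one byte past the end, and the bound should be `idx < MAX_NAME - 1`. Please confirm against the full function before the Squeeze and Lenny uploads reuse the patch. Separately, the patch header keeps the upstream Subject about the dvi-backend and the reference to d4139205, neither of which identifies anything in vftool; a line stating that the fix was taken from that upstream change and applies to linetoken() in parseAFM.c would make the header self-explanatory.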