Hello,

after running into a few problems building Inkscape (libpoppler-private-dev was missing, as I had checked out the Debian packaging source from the git repository [1]), I managed to build Inkscape with my patch (which also required an additional review).
I have committed all changes (including the previous NMU by Pino Toscano) to the Debian packaging repository [1] and created patches with git format-patch which can be applied directly; please find the patches attached. Pino doesn't seem to have sent his changes to the Debian package maintainers of Inkscape (which is why his NMU doesn't show up in the repository). Also, he made some changes to the previous entry in the Debian changelog, which I ignored so that the changelog continues where the original Debian maintainer left off.

I have also attached my patch to fix CVE-2012-5656 and have verified that my changes work against the demonstration from [2]; Inkscape is no longer vulnerable with my patch. It would still be nice if someone could review the patch, however. Just to be doubly safe.

In order to speed things up a bit, I have created an NMU and uploaded my fixed package to the DELAYED queue with a delay of 5 days [3]. Please feel free to remove the package from the queue if you are unhappy with the changes.

PS: The Inkscape package contains lots of lintian warnings/errors which should be addressed in future uploads.

Cheers,
Adrian

> [1] git://git.debian.org/git/collab-maint/inkscape.git
> [2] https://bugs.launchpad.net/inkscape/+bug/1025185
> [3] http://ftp-master.debian.org/deferred.html

--
 .''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaub...@debian.org
`. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
 `- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>From 3a8117fa7d075eb8db0aee2fa45f59252f1cb02d Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:54:40 +0100
Subject: [PATCH 1/4] - switch the libpng12-dev build dependency to libpng-dev (Closes: #662378) - add the libpoppler-private-dev build dependency (Closes: #660987)
---
 debian/control | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index f54b02e..50990b7 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,8 @@ Build-Depends: autoconf,
 liblcms1-dev,
 libmagick++-dev,
 libpango1.0-dev,
- libpng12-dev,
+ libpng-dev,
+ libpoppler-private-dev,
 libpoppler-glib-dev,
 libpopt-dev,
 libsigc++-2.0-dev (>= 2.0.16-2),
--
1.7.10.4
>From 5a34d3a6f6b0b0d958710e47a4bec61b4a408ad4 Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:57:42 +0100
Subject: [PATCH 2/4] Update Debian changelog for 0.48.3.1-1.1.
---
 debian/changelog | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4f92cf4..d1fdf41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inkscape (0.48.3.1-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378)
+ * Add the libpoppler-private-dev build dependency (closes: #660987)
+
+ -- Pino Toscano <p...@debian.org> Fri, 15 Jun 2012 16:40:22 +0200
+
 inkscape (0.48.3.1-1) unstable; urgency=low

 * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream
--
1.7.10.4
>From 0a512032d7b98b3e89201d84fb7e09d25add40e9 Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Date: Mon, 24 Dec 2012 00:58:35 +0100 Subject: [PATCH 3/4] Add Debian patch to fix vulnerability CVE-2012-5656. --- debian/patches/03-CVE-2012-5656.diff | 75 ++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 76 insertions(+) create mode 100644 debian/patches/03-CVE-2012-5656.diff diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff new file mode 100644 index 0000000..c787ed4 --- /dev/null +++ b/debian/patches/03-CVE-2012-5656.diff 
@@ -0,0 +1,75 @@ +From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001 +From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> +Date: Sun, 23 Dec 2012 18:22:16 +0100 +Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix + CVE-2012-5656. + +--- + src/preferences-skeleton.h | 4 ++++ + src/ui/dialog/ocaldialogs.cpp | 10 ++++++++-- + src/xml/repr-io.cpp | 8 +++++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h +index 32f4b7c..e4dd2c8 100644 +--- a/src/preferences-skeleton.h ++++ b/src/preferences-skeleton.h +@@ -315,6 +315,10 @@ static char const preferences_skeleton[] = + " clips=\"16711935\"" // 00ff00ff + " masks=\"65535\"/>\n" // 0x0000ffff + " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n" ++" <group id=\"externalresources\">\n" ++" <group id=\"xml\" " ++" allow_net_access=\"0\"/>\n" ++" </group>\n" + " <group id=\"forkgradientvectors\" value=\"1\"/>\n" + " <group id=\"iconrender\" named_nodelay=\"0\"/>\n" + " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n" +diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp +index 2ae7d69..63c56f7 100644 +--- a/src/ui/dialog/ocaldialogs.cpp ++++ b/src/ui/dialog/ocaldialogs.cpp +@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback() + xmlDoc *doc = NULL; + xmlNode *root_element = NULL; + ++ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! 
see bug lp:1025185 ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } ++ + doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback, +- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, +- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR); ++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options); + if (doc == NULL) { + sp_ui_error_dialog(_("Server supplied malformed Clip Art feed")); + g_warning("Failed to parse %s\n", uri.c_str()); +diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp +index fa5e9b6..088b505 100644 +--- a/src/xml/repr-io.cpp ++++ b/src/xml/repr-io.cpp +@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns) + XmlSource src; + + if ( (src.setFile(filename) == 0) ) { ++ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185 ++ Inkscape::Preferences *prefs = Inkscape::Preferences::get(); ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } + doc = xmlReadIO( XmlSource::readCb, + XmlSource::closeCb, + &src, + localFilename, + src.getEncoding(), +- XML_PARSE_NOENT ); ++ parse_options); + } + } + +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index 08294b7..bd4ef57 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 01-fix-datamatrix-ui.dpatch 02-drop-pdf-ps.diff +03-CVE-2012-5656.diff -- 1.7.10.4
>From b1d5c31311cd7f4113b739db99f60b53368c0cac Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Mon, 24 Dec 2012 01:00:06 +0100
Subject: [PATCH 4/4] Update Debian changelog for 0.48.3.1-1.2.
---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d1fdf41..8505588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
+
+ -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Mon, 24 Dec 2012 00:58:56 +0100
+
 inkscape (0.48.3.1-1.1) unstable; urgency=low

 * Non-maintainer upload.
--
1.7.10.4
>From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Sun, 23 Dec 2012 18:22:16 +0100
Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix CVE-2012-5656.
---
 src/preferences-skeleton.h | 4 ++++
 src/ui/dialog/ocaldialogs.cpp | 10 ++++++++--
 src/xml/repr-io.cpp | 8 +++++++-
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h
index 32f4b7c..e4dd2c8 100644
--- a/src/preferences-skeleton.h
+++ b/src/preferences-skeleton.h
@@ -315,6 +315,10 @@ static char const preferences_skeleton[] =
 " clips=\"16711935\"" // 00ff00ff
 " masks=\"65535\"/>\n" // 0x0000ffff
 " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n"
+" <group id=\"externalresources\">\n"
+" <group id=\"xml\" "
+" allow_net_access=\"0\"/>\n"
+" </group>\n"
 " <group id=\"forkgradientvectors\" value=\"1\"/>\n"
 " <group id=\"iconrender\" named_nodelay=\"0\"/>\n"
 " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n"
diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
index 2ae7d69..63c56f7 100644
--- a/src/ui/dialog/ocaldialogs.cpp
+++ b/src/ui/dialog/ocaldialogs.cpp
@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
 xmlDoc *doc = NULL;
 xmlNode *root_element = NULL;

+ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! see bug lp:1025185
+ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
+ if (!allowNetAccess) {
+ parse_options |= XML_PARSE_NONET;
+ }
+
 doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
+ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options);
 if (doc == NULL) {
 sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
 g_warning("Failed to parse %s\n", uri.c_str());
diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp
index fa5e9b6..088b505 100644
--- a/src/xml/repr-io.cpp
+++ b/src/xml/repr-io.cpp
@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns)
 XmlSource src;

 if ( (src.setFile(filename) == 0) ) {
+ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185
+ Inkscape::Preferences *prefs = Inkscape::Preferences::get();
+ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
+ if (!allowNetAccess) {
+ parse_options |= XML_PARSE_NONET;
+ }
 doc = xmlReadIO( XmlSource::readCb,
 XmlSource::closeCb,
 &src,
 localFilename,
 src.getEncoding(),
- XML_PARSE_NOENT );
+ parse_options);
 }
 }

--
1.7.10.4
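Review bot: The Clip Art feed parsed in searchTagEntryChangedCallback() is supplied by a remote server, yet `XML_PARSE_NONET` is added only when the `allow_net_access` preference is off, so a setting a user might enable for local documents also loosens this network-facing parser. Consider setting the flag unconditionally at this call site, `int parse_options = XML_PARSE_RECOVER | XML_PARSE_NOWARNING | XML_PARSE_NOERROR | XML_PARSE_NONET;`, which also combines the bit flags with `|` instead of `+` (addition produces a different flag if a value is ever repeated). `prefs` is not declared in the visible lines, so it has to be in scope from earlier in the function, which starts outside the hunk.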
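Review bot: `XML_PARSE_HUGE` becomes the base flag in sp_repr_read_file() in place of `XML_PARSE_NOENT`, and that option relaxes libxml2's hard-coded parser limits for every file opened, without the hunk saying why it is needed. If large documents are the reason, record it next to the flag, e.g. `// XML_PARSE_HUGE: large SVG files exceed libxml2's default limits; entity substitution (XML_PARSE_NOENT) must stay off, see bug lp:1025185`; otherwise `int parse_options = 0;` keeps the default limits in force. Only this xmlReadIO call is visible, so any other XML entry points in repr-io.cpp (not shown here) should be checked for `XML_PARSE_NOENT` as well. The same lines are carried inside debian/patches/03-CVE-2012-5656.diff in patch 3/4, so any change made here has to be mirrored there.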