Hi, I have just uploaded inkscape 0.48.3.1-1.3 which includes a patch by Michael Karcher to address this issue.
We have thoroughly tested the patch and the bug is now fixed. Further checks show that the patch doesn't have any negative impact on other areas of the script engine.

The patch makes sure that the relative file names are expanded before they are passed to external scripts. EPS files are imported by inkscape by means of an external Python script. The bug is caused by the script engine assuming the filename passed is absolute; it then changes the current working directory to the script directory first, then into /tmp to make sure it is possible to write to disk.

I am attaching a series of patches against the git repository for the Debian packaging [1]. The packaging repository is currently at version 0.48.3.1-1; the following three NMUs are therefore not in the repository, and I am attaching all patches necessary to update the repository to version 0.48.3.1-1.3.

I will file an unblock request to the release team for version 0.48.3.1-1.3. The bug should be closed by my upload anytime soon.

Cheers,

Adrian

[1] git://git.debian.org/git/collab-maint/inkscape.git

-- 
John Paul Adrian Glaubitz
Debian Developer - glaub...@debian.org
Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
>From fd837b10f2fb8c48a308c4a3ddba8dd79609418d Mon Sep 17 00:00:00 2001 From: Pino Toscano <p...@debian.org> Date: Sat, 29 Dec 2012 18:34:12 +0100 Subject: [PATCH 1/6] - switch the libpng12-dev build dependency to libpng-dev - add the libpoppler-private-dev build dependency --- debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index f54b02e..50990b7 100644 --- a/debian/control +++ b/debian/control @@ -22,7 +22,8 @@ Build-Depends: autoconf, liblcms1-dev, libmagick++-dev, libpango1.0-dev, - libpng12-dev, + libpng-dev, + libpoppler-private-dev, libpoppler-glib-dev, libpopt-dev, libsigc++-2.0-dev (>= 2.0.16-2), -- 1.7.10.4
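Review bot: the commit message of PATCH 1/6 is two bullet items in the subject line and no body, so the reasons for replacing libpng12-dev and adding libpoppler-private-dev (the bug numbers #662378 and #660987 given in the matching 0.48.3.1-1.1 changelog entry) never reach `git log`; use a one-line subject and put both items with their bug references in the body. The `debian/control` hunk itself is fine: `libpoppler-private-dev` is inserted ahead of `libpoppler-glib-dev`, so the Build-Depends list stays alphabetical.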
>From 0cc17c45fbfd0ca198d61f86a49e082f2499eaa2 Mon Sep 17 00:00:00 2001 From: Pino Toscano <p...@debian.org> Date: Sat, 29 Dec 2012 19:00:14 +0100 Subject: [PATCH 2/6] Update Debian changelog for 0.48.3.1-1.1. --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 4f92cf4..d1fdf41 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +inkscape (0.48.3.1-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378) + * Add the libpoppler-private-dev build dependency (closes: #660987) + + -- Pino Toscano <p...@debian.org> Fri, 15 Jun 2012 16:40:22 +0200 + inkscape (0.48.3.1-1) unstable; urgency=low * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream -- 1.7.10.4
>From f74d957bdac1a39e62d2e12bc8dfd1e191afedaa Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Date: Sat, 29 Dec 2012 19:04:14 +0100 Subject: [PATCH 3/6] Add Debian patch to fix vulnerability CVE-2012-5656. --- debian/patches/03-CVE-2012-5656.diff | 75 ++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 76 insertions(+) create mode 100644 debian/patches/03-CVE-2012-5656.diff diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff new file mode 100644 index 0000000..c787ed4 --- /dev/null +++ b/debian/patches/03-CVE-2012-5656.diff 
@@ -0,0 +1,75 @@ +From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001 +From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> +Date: Sun, 23 Dec 2012 18:22:16 +0100 +Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix + CVE-2012-5656. + +--- + src/preferences-skeleton.h | 4 ++++ + src/ui/dialog/ocaldialogs.cpp | 10 ++++++++-- + src/xml/repr-io.cpp | 8 +++++++- + 3 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h +index 32f4b7c..e4dd2c8 100644 +--- a/src/preferences-skeleton.h ++++ b/src/preferences-skeleton.h +@@ -315,6 +315,10 @@ static char const preferences_skeleton[] = + " clips=\"16711935\"" // 00ff00ff + " masks=\"65535\"/>\n" // 0x0000ffff + " <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n" ++" <group id=\"externalresources\">\n" ++" <group id=\"xml\" " ++" allow_net_access=\"0\"/>\n" ++" </group>\n" + " <group id=\"forkgradientvectors\" value=\"1\"/>\n" + " <group id=\"iconrender\" named_nodelay=\"0\"/>\n" + " <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n" +diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp +index 2ae7d69..63c56f7 100644 +--- a/src/ui/dialog/ocaldialogs.cpp ++++ b/src/ui/dialog/ocaldialogs.cpp +@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback() + xmlDoc *doc = NULL; + xmlNode *root_element = NULL; + ++ int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR; // do not use XML_PARSE_NOENT ! 
see bug lp:1025185 ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } ++ + doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback, +- (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, +- XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR); ++ (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options); + if (doc == NULL) { + sp_ui_error_dialog(_("Server supplied malformed Clip Art feed")); + g_warning("Failed to parse %s\n", uri.c_str()); +diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp +index fa5e9b6..088b505 100644 +--- a/src/xml/repr-io.cpp ++++ b/src/xml/repr-io.cpp +@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns) + XmlSource src; + + if ( (src.setFile(filename) == 0) ) { ++ int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185 ++ Inkscape::Preferences *prefs = Inkscape::Preferences::get(); ++ bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false); ++ if (!allowNetAccess) { ++ parse_options |= XML_PARSE_NONET; ++ } + doc = xmlReadIO( XmlSource::readCb, + XmlSource::closeCb, + &src, + localFilename, + src.getEncoding(), +- XML_PARSE_NOENT ); ++ parse_options); + } + } + +-- +1.7.10.4 + diff --git a/debian/patches/series b/debian/patches/series index 08294b7..bd4ef57 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 01-fix-datamatrix-ui.dpatch 02-drop-pdf-ps.diff +03-CVE-2012-5656.diff -- 1.7.10.4
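Review bot: `debian/patches/03-CVE-2012-5656.diff` carries only the git `From:`/`Date:`/`Subject:` headers; add DEP-3 fields so the patch is traceable without reading the changelog, at least an `Origin:` line naming the upstream svn commit 11931 the subject mentions and a `Bug-Debian:` line for #696485 (the number the 0.48.3.1-1.2 changelog entry closes), with the CVE id on its own line rather than only in the subject.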
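Review bot: the `ocaldialogs.cpp` hunk calls `prefs->getBool(...)` but no `prefs` declaration appears in the visible lines, whereas the `repr-io.cpp` hunk adds `Inkscape::Preferences *prefs = Inkscape::Preferences::get();` itself; confirm `prefs` is already in scope in `searchTagEntryChangedCallback()` or add the same line. Also prefer `|` over `+` in `XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR`: the value is the same for distinct bits, but `|` states the intent and cannot double-count a flag if the expression is later edited.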
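Review bot: the `repr-io.cpp` hunk replaces `XML_PARSE_NOENT` with `XML_PARSE_HUGE`, so two things change at once and neither follows from the new `allow_net_access` preference: entity substitution is switched off unconditionally (the inline comment points to lp:1025185 for why) and libxml2's size limits are lifted. The commit message should state both, since documents that rely on entity expansion will now parse differently regardless of the preference, and `XML_PARSE_HUGE` is a new setting that deserves its own justification.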
>From 9371b35a327ec7b7d5b2201e493ac1730094643d Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Date: Sat, 29 Dec 2012 19:04:57 +0100 Subject: [PATCH 4/6] Update Debian changelog for 0.48.3.1-1.2. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index d1fdf41..8505588 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +inkscape (0.48.3.1-1.2) unstable; urgency=low + + * Non-maintainer upload. + * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485). + + -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Mon, 24 Dec 2012 00:58:56 +0100 + inkscape (0.48.3.1-1.1) unstable; urgency=low * Non-maintainer upload. -- 1.7.10.4
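Review bot: the 0.48.3.1-1.2 changelog entry names the CVE but not the user-visible side of the fix: the patch in the previous commit introduces a new preference, `/options/externalresources/xml/allow_net_access`, defaulting to off. A second bullet saying that network access during XML parsing is now disabled by default and where to re-enable it tells users why remote resources stop resolving after the upgrade.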
>From 8cf685832e55916a8b2a3ddc3c984ecb12c5d238 Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Date: Sat, 29 Dec 2012 19:14:56 +0100 Subject: [PATCH 5/6] Add patch to fix upstream vulnerability LP#911146. --- debian/patches/04-fix-LP911146.diff | 32 ++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 33 insertions(+) create mode 100644 debian/patches/04-fix-LP911146.diff diff --git a/debian/patches/04-fix-LP911146.diff b/debian/patches/04-fix-LP911146.diff new file mode 100644 index 0000000..8ef1286 --- /dev/null +++ b/debian/patches/04-fix-LP911146.diff @@ -0,0 +1,32 @@ +From: Michael Karcher <deb...@mkarcher.dialup.fu-berlin.de> +Date: Sat, 29 Dec 2012 17:33:33 +0100 +Subject: Fix LP: #911146 relative filename vulnerability + +Ensures that filenames passed to extensions are made absolute before +changing the current working directory. +--- + src/extension/implementation/script.cpp | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/extension/implementation/script.cpp b/src/extension/implementation/script.cpp +index b78fbda..02c3aeb 100644 +--- a/src/extension/implementation/script.cpp ++++ b/src/extension/implementation/script.cpp +@@ -954,7 +954,14 @@ int Script::execute (const std::list<std::string> &in_command, + // assemble the rest of argv + std::copy(in_params.begin(), in_params.end(), std::back_inserter(argv)); + if (!filein.empty()) { +- argv.push_back(filein); ++ if(Glib::path_is_absolute(filein)) ++ argv.push_back(filein); ++ else { ++ std::vector<std::string> buildargs; ++ buildargs.push_back(Glib::get_current_dir()); ++ buildargs.push_back(filein); ++ argv.push_back(Glib::build_filename(buildargs)); ++ } + } + + int stdout_pipe, stderr_pipe; + +-- 1.7.10.4 diff --git a/debian/patches/series b/debian/patches/series index bd4ef57..d454438 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,3 +1,4 @@ 01-fix-datamatrix-ui.dpatch 02-drop-pdf-ps.diff 03-CVE-2012-5656.diff +04-fix-LP911146.diff -- 1.7.10.4
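Review bot: in the `script.cpp` hunk the `if(Glib::path_is_absolute(filein))` branch has no braces while its `else` does, and the three-line `buildargs` vector can be replaced by the two-argument overload, `argv.push_back(Glib::build_filename(Glib::get_current_dir(), filein));`. The fix is correct only as long as `Glib::get_current_dir()` runs before the working directory is changed to the script directory; the commit message asserts this ordering but the visible context of `Script::execute` does not show the chdir, so a short comment at the call site would pin the requirement for future edits. The DEP-3 header of `04-fix-LP911146.diff` also lacks a `Bug:`/`Bug-Debian:` line for LP #911146 and #654341.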
>From 70d905765fd7e37c99b2e30cb4d9b95063578b74 Mon Sep 17 00:00:00 2001 From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Date: Sat, 29 Dec 2012 19:18:17 +0100 Subject: [PATCH 6/6] Update Debian changelog for 0.48.3.1-1.3. --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 8505588..0b42ef4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +inkscape (0.48.3.1-1.3) unstable; urgency=low + + * Non-maintainer upload. + * Add Debian patch to fix relative filename vulnerability (Closes: #654341). + + -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> Sat, 29 Dec 2012 19:15:46 +0100 + inkscape (0.48.3.1-1.2) unstable; urgency=low * Non-maintainer upload. -- 1.7.10.4
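Review bot: the 0.48.3.1-1.3 changelog entry says only "relative filename vulnerability"; name the upstream bug (LP: #911146) that the patch file `04-fix-LP911146.diff` is titled after, so the changelog, `debian/patches/series` and the patch header cross-reference each other and the fix can be matched to the upstream report.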
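As an added illustration of the failure mode Adrian describes (this is not part of the original mail, the Debian patches, or Inkscape's code): a small Python simulation of a script engine that changes into the extension directory and then into a scratch directory before the external script opens its input file. The directory layout and the `drawing.eps` sample are constructed for the demonstration; `make_absolute` mirrors the patch's `path_is_absolute`/`build_filename` logic in Python, and `run_script` stands in for the engine's argv assembly plus the two `chdir` calls.

```python
import os
import tempfile
from pathlib import Path


def make_absolute(filein: str, cwd: str) -> str:
    """Mirror of the fix: an absolute name is passed through unchanged, a
    relative one is joined to the directory that was current when the caller
    handed it over, before any chdir happens."""
    if os.path.isabs(filein):
        return filein
    return os.path.join(cwd, filein)


def run_script(filein: str, script_dir: str, scratch_dir: str,
               resolve_first: bool) -> bool:
    """Simulate the script engine (hypothetical stand-in, not Inkscape's code):
    optionally expand the name first, then chdir into the extension directory
    and then into the scratch (/tmp-like) directory, and finally check whether
    the name still points at the input file from where the script would open it.
    Returns True when the script would have found its input."""
    start_dir = os.getcwd()
    try:
        name = make_absolute(filein, start_dir) if resolve_first else filein
        os.chdir(script_dir)   # engine moves to the extension's own directory
        os.chdir(scratch_dir)  # ... and then to a writable scratch directory
        return os.path.isfile(name)
    finally:
        os.chdir(start_dir)    # leave the process where we found it


def demo() -> dict:
    """Build a constructed layout (documents/, extensions/, tmp/), open a
    sample EPS from documents/, and compare the three ways of passing the
    filename. Returns which variants let the script find its input."""
    with tempfile.TemporaryDirectory() as root:
        doc_dir = Path(root, "documents")
        ext_dir = Path(root, "extensions")
        scratch = Path(root, "tmp")
        for d in (doc_dir, ext_dir, scratch):
            d.mkdir()
        # constructed sample input; only its existence matters here
        (doc_dir / "drawing.eps").write_bytes(b"%!PS-Adobe-3.0 EPSF-3.0\n")

        start = os.getcwd()
        os.chdir(doc_dir)  # the user opened the file from its own directory
        try:
            return {
                # the bug: relative name, resolved only after the two chdirs
                "relative_unresolved": run_script("drawing.eps", str(ext_dir),
                                                  str(scratch), False),
                # the fix: relative name expanded against the original cwd
                "relative_resolved": run_script("drawing.eps", str(ext_dir),
                                                str(scratch), True),
                # an absolute name never depended on the cwd in the first place
                "absolute": run_script(str(doc_dir / "drawing.eps"),
                                       str(ext_dir), str(scratch), False),
            }
        finally:
            os.chdir(start)


if __name__ == "__main__":
    print(demo())
```

The unresolved relative name fails because by the time the script opens it, the working directory is the scratch directory, so the name denotes a different (here, nonexistent) file; in the worst case it denotes an attacker-placed file of the same name, which is what the patch closes by binding the name to the original directory first.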