Control: retitle -1 [CVE-2012-6076] inkscape reads .eps files from /tmp instead of the current directory
Control: retitle 696915 unblock: inkscape/0.48.3.1-1.3

Hi

On Sat, Dec 29, 2012 at 09:48:42PM +0100, John Paul Adrian Glaubitz wrote:
> Hi,
>
> I have just uploaded inkscape 0.48.3.1-1.3 which includes a patch by
> Michael Karcher to address this issue.
>
> We have thoroughly tested the patch and the bug is now
> fixed. Further checks show that the patch doesn't have any negative
> impact on other areas of the script engine.
>
> The patch makes sure that the relative file names are expanded before
> they are passed to external scripts. EPS files are imported by
> inkscape by means of an external Python script. The bug is caused by
> the script engine assuming the filename passed is absolute and then it
> changes the current working directory to the script directory first,
> then into /tmp to make sure it is possible to write to disk.
>
> I am attaching a series of patches against the git repository for the
> Debian packaging [1]. The packaging repository is currently at version
> 0.48.3.1-1, the following three NMUs are therefore not in the
> repository and I am attaching all patches necessary to update the
> repository to version 0.48.3.1-1.3.

Thanks for your update. A CVE has now been assigned for this issue:
CVE-2012-6076.

Regards,
Salvatore
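
The path handling described in the quoted message, as an added example that is not part of the original thread and is not the Inkscape patch: a relative file name handed to a helper that changes directory before opening it resolves against the wrong directory, and expanding it to an absolute path first fixes that. All function names, the file name and the directories are hypothetical; a temporary "scratch" directory stands in for /tmp.

```python
import os
import shutil
import tempfile

def _helper_reads(filename, script_dir, scratch_dir):
    """Stand-in for the external import script: chdir as described, then open."""
    saved = os.getcwd()
    try:
        os.chdir(script_dir)    # first into the script directory
        os.chdir(scratch_dir)   # then into a writable directory (/tmp in the report)
        with open(filename) as fh:
            return fh.read()
    finally:
        os.chdir(saved)

def import_unpatched(filename, script_dir, scratch_dir):
    # Treats the name as absolute; a relative name is resolved after the chdir.
    return _helper_reads(filename, script_dir, scratch_dir)

def import_patched(filename, script_dir, scratch_dir):
    # Expand the name against the caller's directory before any chdir happens.
    return _helper_reads(os.path.abspath(filename), script_dir, scratch_dir)

def demo():
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("user", "scripts", "scratch")}
    for d in dirs.values():
        os.mkdir(d)
    # Constructed sample files: same name, different content.
    for name, text in (("user", "user's file"), ("scratch", "someone else's file")):
        with open(os.path.join(dirs[name], "drawing.eps"), "w") as fh:
            fh.write(text)
    saved = os.getcwd()
    os.chdir(dirs["user"])      # the user starts the program from here
    try:
        before = import_unpatched("drawing.eps", dirs["scripts"], dirs["scratch"])
        after = import_patched("drawing.eps", dirs["scripts"], dirs["scratch"])
    finally:
        os.chdir(saved)
        shutil.rmtree(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```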