Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception
unblock libpng/1.2.49-2

Please unblock libpng (with udeb binary package).

Upstream released libpng 1.2.50 to fix CVE-2012-3386 recently. I extracted the relevant change. The debdiff is below.

debdiff libpng_1.2.49-1.dsc libpng_1.2.49-2.dsc
diff -Nru libpng-1.2.49/debian/changelog libpng-1.2.49/debian/changelog --- libpng-1.2.49/debian/changelog 2012-04-09 12:14:09.000000000 +1000 +++ libpng-1.2.49/debian/changelog 2012-07-13 12:33:03.000000000 +1000 @@ -1,3 +1,11 @@ +libpng (1.2.49-2) unstable; urgency=high + + * Change "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386 + Add 02-681408-CVE-2012-3386-Makefile.in.patch + Closes: #681408 + + -- Anibal Monsalve Salazar <ani...@debian.org> Fri, 13 Jul 2012 12:31:39 +1000 + libpng (1.2.49-1) unstable; urgency=high * New upstream version 1.2.49 diff -Nru libpng-1.2.49/debian/patches/02-681408-CVE-2012-3386-Makefile.in.patch libpng-1.2.49/debian/patches/02-681408-CVE-2012-3386-Makefile.in.patch --- libpng-1.2.49/debian/patches/02-681408-CVE-2012-3386-Makefile.in.patch 1970-01-01 10:00:00.000000000 +1000 +++ libpng-1.2.49/debian/patches/02-681408-CVE-2012-3386-Makefile.in.patch 2012-07-13 12:30:58.000000000 +1000
@@ -0,0 +1,18 @@ +http://bugs.debian.org/681408 +http://security-tracker.debian.org/tracker/CVE-2012-3386 +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3386 + +Change "a+w" to "u+w" in Makefile.in to fix CVE-2012-3386 + +diff -urNp libpng-1.2.49/Makefile.in libpng-1.2.50/Makefile.in +--- a/Makefile.in 2012-03-29 15:47:09.000000000 +1100 ++++ b/Makefile.in 2012-07-10 10:37:13.000000000 +1000 +@@ -1146,7 +1146,7 @@ distcheck: dist + *.zip*) \ + unzip $(distdir).zip ;;\ + esac +- chmod -R a-w $(distdir); chmod a+w $(distdir) ++ chmod -R a-w $(distdir); chmod u+w $(distdir) + mkdir $(distdir)/_build + mkdir $(distdir)/_inst + chmod a-w $(distdir) diff -Nru libpng-1.2.49/debian/patches/series libpng-1.2.49/debian/patches/series --- libpng-1.2.49/debian/patches/series 2012-04-09 12:07:32.000000000 +1000 +++ libpng-1.2.49/debian/patches/series 2012-07-13 12:33:17.000000000 +1000 @@ -1 +1,2 @@ 01-legacy.patch +02-681408-CVE-2012-3386-Makefile.in.patch
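
Review bot: the only file changed by 02-681408-CVE-2012-3386-Makefile.in.patch is Makefile.in, which is automake output, so the `chmod u+w $(distdir)` line in the `distcheck` rule lasts only until something regenerates that file. If the build or a later upload reruns an automake that still emits `chmod a+w $(distdir)`, the directory is again world-writable between that chmod and the closing `chmod a-w $(distdir)`, with nothing in the package to flag it. The patch header should state whether Makefile.in is regenerated at build time. The three bare URLs at the top could also become DEP-3 fields (Description, Origin, Bug-Debian) so the origin in 1.2.50 is recorded in a parseable form.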
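
Review bot: the new debian/changelog entry carries urgency=high and names CVE-2012-3386 but does not say what is exposed. The inner hunk header shows the edited line belongs to the `distcheck: dist` rule, so the entry should say that the change narrows the permissions `make distcheck` sets on `$(distdir)` from `a+w` to `u+w` and leaves the library sources untouched. That lets the release team see from the changelog alone what the unblock changes in the shipped binaries.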