Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
I propose an update of didjvu in jessie, 0.2.8-1+deb8u1. The patch is a security fix for #784888 in stable. Please see the attached debdiff for details. The issue is marked as minor/no-dsa, so I would upload it to stable as a proposed update. Thank you, Daniel Stender -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru didjvu-0.2.8/debian/changelog didjvu-0.2.8/debian/changelog
--- didjvu-0.2.8/debian/changelog 2014-06-19 11:18:11.000000000 +0200
+++ didjvu-0.2.8/debian/changelog 2015-05-13 22:38:11.000000000 +0200
@@ -1,3 +1,11 @@
+didjvu (0.2.8-1+deb8u1) stable; urgency=medium
+
+ * add fix-insecure-use-of-tmp-when-calling-c44.diff, fix
+ of security issue TEMP-0784889-495CCA, see #784888 (closed
+ in Sid by 0.4-1).
+
+ -- Daniel Stender <deb...@danielstender.com> Wed, 13 May 2015 22:38:00 +0200
+
 didjvu (0.2.8-1) unstable; urgency=low
 * New upstream release (Closes: #743677).
diff -Nru didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff
--- didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/fix-insecure-use-of-tmp-when-calling-c44.diff 2015-05-13 22:32:13.000000000 +0200
@@ -0,0 +1,83 @@
+Description: fix for security issue TEMP-0784889-495CCA
+ CVE request: http://www.openwall.com/lists/oss-security/2015/05/09/7
+Author: Daniel Stender <deb...@danielstender.com>
+Origin: https://bitbucket.org/jwilk/didjvu/commits/c975bca6dfc67bfcec8ad32ac64a7516a18379f1
+Bug: https://bugs.debian.org/784888
+
+--- a/lib/djvu_extra.py
++++ b/lib/djvu_extra.py
+@@ -76,25 +76,25 @@
+
+ def photo_to_djvu(image, dpi=100, slices=IW44_SLICES_DEFAULT, gamma=2.2, mask_image=None, crcb=CRCB.normal):
+ ppm_file = temporary.file(suffix='.ppm')
+- temporaries = [ppm_file]
+ image.save(ppm_file.name)
+- djvu_file = temporary.file(suffix='.djvu', mode='r+b')
+ if not isinstance(crcb, Crcb):
+ raise TypeError
+- args = [
+- 'c44',
+- '-dpi', str(dpi),
+- '-slice', ','.join(map(str, slices)),
+- '-gamma', '%.1f' % gamma,
+- '-crcb%s' % crcb,
+- ]
+- if mask_image is not None:
+- pbm_file = temporary.file(suffix='.pbm')
+- mask_image.save(pbm_file.name)
+- args += ['-mask', pbm_file.name]
+- temporaries += [pbm_file]
+- args += [ppm_file.name, djvu_file.name]
+- return ipc.Proxy(djvu_file, ipc.Subprocess(args).wait, temporaries)
++ with temporary.directory() as djvu_dir:
++ args = [
++ 'c44',
++ '-dpi', str(dpi),
++ '-slice', ','.join(map(str, slices)),
++ '-gamma', '%.1f' % gamma,
++ '-crcb%s' % crcb,
++ ]
++ if mask_image is not None:
++ pbm_file = temporary.file(suffix='.pbm')
++ mask_image.save(pbm_file.name)
++ args += ['-mask', pbm_file.name]
++ djvu_path = os.path.join(djvu_dir, 'result.djvu')
++ args += [ppm_file.name, djvu_path]
++ ipc.Subprocess(args).wait()
++ return temporary.hardlink(djvu_path, suffix='.djvu')
+
+ def djvu_to_iw44(djvu_file):
+ # TODO: Use Multichunk.
+--- a/lib/temporary.py
++++ b/lib/temporary.py
+@@ -15,6 +15,7 @@
+
+ import contextlib
+ import functools
++import os
+ import shutil
+ import tempfile
+
+@@ -22,6 +23,14 @@
+ name = functools.partial(tempfile.mktemp, prefix='didjvu.')
+ wrapper = tempfile._TemporaryFileWrapper
+
++def hardlink(path, suffix='', prefix='didjvu.', dir=None):
++ new_path = name(suffix=suffix, prefix=prefix, dir=dir)
++ os.link(path, new_path)
++ return wrapper(
++ open(new_path, 'r+b'),
++ new_path
++ )
++
+ @contextlib.contextmanager
+ def directory(*args, **kwargs):
+ kwargs = dict(kwargs)
+@@ -32,6 +41,6 @@
+ finally:
+ shutil.rmtree(tmpdir)
+
+-__all__ = ['file', 'directory', 'name', 'wrapper']
++__all__ = ['file', 'hardlink', 'directory', 'name', 'wrapper']
+
+ # vim:ts=4 sw=4 et
diff -Nru didjvu-0.2.8/debian/patches/series didjvu-0.2.8/debian/patches/series
--- didjvu-0.2.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ didjvu-0.2.8/debian/patches/series 2015-05-13 21:01:42.000000000 +0200
@@ -0,0 +1 @@
+fix-insecure-use-of-tmp-when-calling-c44.diff
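Review bot: The new `hardlink()` in the temporary.py hunk picks its target with `tempfile.mktemp` and then reopens that name by path (`open(new_path, 'r+b')`) in the shared temp directory; `os.link` does refuse an existing target, but a name collision surfaces as an unretried `OSError` (EEXIST), and the path-based reopen leaves a window between `link()` and `open()` in which a non-sticky or caller-supplied `dir` could have the name replaced. Opening the result inside the private directory first and handing that handle to the wrapper removes the reopen, and retrying on EEXIST mirrors what `tempfile` itself does; this needs `import errno` next to the added `import os`. Hardlinking also presumes `dir` is on the same filesystem as the directory from `temporary.directory()` (otherwise `link()` fails with EXDEV), which holds for the default tempdir but deserves a one-line comment on the function.
```python
def hardlink(path, suffix='', prefix='didjvu.', dir=None):
    # Open the result inside the caller's private directory; never reopen
    # a name in the shared temp dir after the link has been made.
    fh = open(path, 'r+b')
    while True:
        new_path = name(suffix=suffix, prefix=prefix, dir=dir)
        try:
            os.link(path, new_path)  # fails with EEXIST rather than clobbering
        except OSError as exc:
            if exc.errno == errno.EEXIST:
                continue  # mktemp() name was taken meanwhile; pick another
            fh.close()
            raise
        return wrapper(fh, new_path)
```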