Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package inkscape

inkscape 0.48.3.1-1.2 contains just one fix to fix the vulnerability
CVE-2012-5656 (Debian #696485). Since this is the first NMU for
inkscape and the changes of the previous NMU have not yet been
committed to the inkscape packaging VCS [1], I am including a
set of 4 patches which constitute the changes from 0.48.3.1-1
to 0.48.3.1-1.1 and from 0.48.3.1-1.1 to 0.48.3.1-1.2.

Relevant for this unblock are the last two patches only, since
the version of inkscape in testing is 0.48.3.1-1.1. I am only
including the first two patches so that anyone is able to view
the changes as compared to HEAD of the packaging VCS [1].

Relevant bug is #696485 [2].

unblock inkscape/0.48.3.1-1.2

Cheers,

Adrian

> [1] git://git.debian.org/git/collab-maint/inkscape.git
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696485

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
>From 3a8117fa7d075eb8db0aee2fa45f59252f1cb02d Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:54:40 +0100
Subject: [PATCH 1/4] - switch the libpng12-dev build dependency to libpng-dev
 (Closes: #662378) - add the libpoppler-private-dev
 build dependency (Closes: #660987)

---
 debian/control |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index f54b02e..50990b7 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,8 @@ Build-Depends: autoconf,
                liblcms1-dev,
                libmagick++-dev,
                libpango1.0-dev,
-               libpng12-dev,
+               libpng-dev,
+               libpoppler-private-dev,
                libpoppler-glib-dev,
                libpopt-dev,
                libsigc++-2.0-dev (>= 2.0.16-2),
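Review bot: `libpoppler-private-dev` is inserted ahead of `libpoppler-glib-dev`, which breaks the alphabetical order the rest of this Build-Depends list follows; placing it after `libpoppler-glib-dev` keeps the list sorted. The two dependency changes also close different bugs (#662378 and #660987), so separate commits would be easier to revert independently.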
-- 
1.7.10.4

>From 5a34d3a6f6b0b0d958710e47a4bec61b4a408ad4 Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:57:42 +0100
Subject: [PATCH 2/4] Update Debian changelog for 0.48.3.1-1.1.

---
 debian/changelog |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4f92cf4..d1fdf41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inkscape (0.48.3.1-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378)
+  * Add the libpoppler-private-dev build dependency (closes: #660987)
+
+ -- Pino Toscano <p...@debian.org>  Fri, 15 Jun 2012 16:40:22 +0200
+
 inkscape (0.48.3.1-1) unstable; urgency=low
 
   * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream
-- 
1.7.10.4

>From 0a512032d7b98b3e89201d84fb7e09d25add40e9 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Mon, 24 Dec 2012 00:58:35 +0100
Subject: [PATCH 3/4] Add Debian patch to fix vulnerability CVE-2012-5656.

---
 debian/patches/03-CVE-2012-5656.diff |   75 ++++++++++++++++++++++++++++++++++
 debian/patches/series                |    1 +
 2 files changed, 76 insertions(+)
 create mode 100644 debian/patches/03-CVE-2012-5656.diff

diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff
new file mode 100644
index 0000000..c787ed4
--- /dev/null
+++ b/debian/patches/03-CVE-2012-5656.diff
@@ -0,0 +1,75 @@
+From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
+Date: Sun, 23 Dec 2012 18:22:16 +0100
+Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix
+ CVE-2012-5656.
+
+---
+ src/preferences-skeleton.h    |    4 ++++
+ src/ui/dialog/ocaldialogs.cpp |   10 ++++++++--
+ src/xml/repr-io.cpp           |    8 +++++++-
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h
+index 32f4b7c..e4dd2c8 100644
+--- a/src/preferences-skeleton.h
++++ b/src/preferences-skeleton.h
+@@ -315,6 +315,10 @@ static char const preferences_skeleton[] =
+ "           clips=\"16711935\"" // 00ff00ff
+ "           masks=\"65535\"/>\n" // 0x0000ffff
+ "    <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n"
++"    <group id=\"externalresources\">\n"
++"      <group id=\"xml\" "
++"           allow_net_access=\"0\"/>\n"
++"    </group>\n"
+ "    <group id=\"forkgradientvectors\" value=\"1\"/>\n"
+ "    <group id=\"iconrender\" named_nodelay=\"0\"/>\n"
+ "    <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n"
+diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
+index 2ae7d69..63c56f7 100644
+--- a/src/ui/dialog/ocaldialogs.cpp
++++ b/src/ui/dialog/ocaldialogs.cpp
+@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
+     xmlDoc *doc = NULL;
+     xmlNode *root_element = NULL;
+ 
++    int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR;  // do not use XML_PARSE_NOENT ! see bug lp:1025185
++    bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++    if (!allowNetAccess) {
++        parse_options |= XML_PARSE_NONET;
++    }
++
+     doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
+-        (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
+-        XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
++        (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options);
+     if (doc == NULL) {
+         sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
+         g_warning("Failed to parse %s\n", uri.c_str());
+diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp
+index fa5e9b6..088b505 100644
+--- a/src/xml/repr-io.cpp
++++ b/src/xml/repr-io.cpp
+@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns)
+         XmlSource src;
+ 
+         if ( (src.setFile(filename) == 0) ) {
++	    int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185
++	    Inkscape::Preferences *prefs = Inkscape::Preferences::get();
++	    bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++	    if (!allowNetAccess) {
++	      parse_options |= XML_PARSE_NONET;
++	    }
+             doc = xmlReadIO( XmlSource::readCb,
+                              XmlSource::closeCb,
+                              &src,
+                              localFilename,
+                              src.getEncoding(),
+-                             XML_PARSE_NOENT );
++                             parse_options);
+         }
+     }
+ 
+-- 
+1.7.10.4
+
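Review bot: In the ocaldialogs.cpp part of the embedded patch, the added `prefs->getBool("/options/externalresources/xml/allow_net_access", false)` uses `prefs` without any added declaration, while the repr-io.cpp part first adds `Inkscape::Preferences *prefs = Inkscape::Preferences::get();`. Please confirm that `prefs` is already in scope in `FileImportFromOCALDialog::searchTagEntryChangedCallback()`, or add the same declaration there. In repr-io.cpp the replacement for `XML_PARSE_NOENT` starts from `XML_PARSE_HUGE`, which lifts libxml2's built-in parser limits and was not set before; a line in the patch description saying why it belongs in this fix would help. Smaller points: the new repr-io.cpp lines are tab-indented among space-indented context, the flags in ocaldialogs.cpp are combined with `+` while `|=` is used a few lines later in the same block, and the patch file carries no Origin or Bug-Debian header pointing at upstream svn commit 11931 and #696485.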
diff --git a/debian/patches/series b/debian/patches/series
index 08294b7..bd4ef57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01-fix-datamatrix-ui.dpatch
 02-drop-pdf-ps.diff
+03-CVE-2012-5656.diff
-- 
1.7.10.4

>From b1d5c31311cd7f4113b739db99f60b53368c0cac Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Mon, 24 Dec 2012 01:00:06 +0100
Subject: [PATCH 4/4] Update Debian changelog for 0.48.3.1-1.2.

---
 debian/changelog |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d1fdf41..8505588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
+
+ -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>  Mon, 24 Dec 2012 00:58:56 +0100
+
 inkscape (0.48.3.1-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
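Review bot: The new entry sets `urgency=low` although its only change is the fix for CVE-2012-5656; a security fix would usually be uploaded with `urgency=medium` or `urgency=high`, so consider raising it or noting in the entry why low is intended.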
-- 
1.7.10.4
