Your message dated Sun, 30 Dec 2012 13:38:46 +0100
with message-id <20121230123846.gs5...@radis.cristau.org>
and subject line Re: Bug#696915: unblock: inkscape/0.48.3.1-1.2
has caused the Debian Bug report #696915,
regarding unblock: inkscape/0.48.3.1-1.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
696915: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696915
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package inkscape

inkscape 0.48.3.1-1.2 contains just one fix to fix the vulnerability
CVE-2012-5656 (Debian #696485). Since this is the first NMU for
inkscape and the changes of the previous NMU have not yet been
committed to the inkscape packaging VCS [1], I am including a
set of 4 patches which constitute the changes from 0.48.3.1-1
to 0.48.3.1-1.1 and from 0.48.3.1-1.1 to 0.48.3.1-1.2.

Relevant for this unblock are the last two patches only, since
the version of inkscape in testing is 0.48.3.1-1.1. I am only
including the first two patches so that anyone is able to view
the changes as compared to HEAD of the packaging VCS [1].

Relevant bug is #696485 [2].

unblock inkscape/0.48.3.1-1.2

Cheers,

Adrian

[1] git://git.debian.org/git/collab-maint/inkscape.git
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696485

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
From 3a8117fa7d075eb8db0aee2fa45f59252f1cb02d Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:54:40 +0100
Subject: [PATCH 1/4] - switch the libpng12-dev build dependency to libpng-dev
 (Closes: #662378) - add the libpoppler-private-dev
 build dependency (Closes: #660987)

---
 debian/control |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index f54b02e..50990b7 100644
--- a/debian/control
+++ b/debian/control
@@ -22,7 +22,8 @@ Build-Depends: autoconf,
                liblcms1-dev,
                libmagick++-dev,
                libpango1.0-dev,
-               libpng12-dev,
+               libpng-dev,
+               libpoppler-private-dev,
                libpoppler-glib-dev,
                libpopt-dev,
                libsigc++-2.0-dev (>= 2.0.16-2),
-- 
1.7.10.4

From 5a34d3a6f6b0b0d958710e47a4bec61b4a408ad4 Mon Sep 17 00:00:00 2001
From: Pino Toscano <p...@debian.org>
Date: Mon, 24 Dec 2012 00:57:42 +0100
Subject: [PATCH 2/4] Update Debian changelog for 0.48.3.1-1.1.

---
 debian/changelog |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4f92cf4..d1fdf41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+inkscape (0.48.3.1-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Switch the libpng12-dev build dependency to libpng-dev (closes: #662378)
+  * Add the libpoppler-private-dev build dependency (closes: #660987)
+
+ -- Pino Toscano <p...@debian.org>  Fri, 15 Jun 2012 16:40:22 +0200
+
 inkscape (0.48.3.1-1) unstable; urgency=low
 
   * [cb1a6e2] delete 01-libwpg0.2.dpatch since proper patch appied upstream
-- 
1.7.10.4

From 0a512032d7b98b3e89201d84fb7e09d25add40e9 Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Mon, 24 Dec 2012 00:58:35 +0100
Subject: [PATCH 3/4] Add Debian patch to fix vulnerability CVE-2012-5656.

---
 debian/patches/03-CVE-2012-5656.diff |   75 ++++++++++++++++++++++++++++++++++
 debian/patches/series                |    1 +
 2 files changed, 76 insertions(+)
 create mode 100644 debian/patches/03-CVE-2012-5656.diff

diff --git a/debian/patches/03-CVE-2012-5656.diff b/debian/patches/03-CVE-2012-5656.diff
new file mode 100644
index 0000000..c787ed4
--- /dev/null
+++ b/debian/patches/03-CVE-2012-5656.diff
@@ -0,0 +1,75 @@
+From eaa98e6b71d66195f0ca76358b85cca64d611fd9 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
+Date: Sun, 23 Dec 2012 18:22:16 +0100
+Subject: [PATCH] Apply changes from upstream svn commit 11931 to fix
+ CVE-2012-5656.
+
+---
+ src/preferences-skeleton.h    |    4 ++++
+ src/ui/dialog/ocaldialogs.cpp |   10 ++++++++--
+ src/xml/repr-io.cpp           |    8 +++++++-
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/preferences-skeleton.h b/src/preferences-skeleton.h
+index 32f4b7c..e4dd2c8 100644
+--- a/src/preferences-skeleton.h
++++ b/src/preferences-skeleton.h
+@@ -315,6 +315,10 @@ static char const preferences_skeleton[] =
+ "           clips=\"16711935\"" // 00ff00ff
+ "           masks=\"65535\"/>\n" // 0x0000ffff
+ "    <group id=\"svgoutput\" usenamedcolors=\"0\" numericprecision=\"8\" minimumexponent=\"-8\" inlineattrs=\"0\" indent=\"2\" allowrelativecoordinates=\"1\" forcerepeatcommands=\"0\"/>\n"
++"    <group id=\"externalresources\">\n"
++"      <group id=\"xml\" "
++"           allow_net_access=\"0\"/>\n"
++"    </group>\n"
+ "    <group id=\"forkgradientvectors\" value=\"1\"/>\n"
+ "    <group id=\"iconrender\" named_nodelay=\"0\"/>\n"
+ "    <group id=\"autosave\" enable=\"0\" interval=\"10\" path=\"\" max=\"10\"/>\n"
+diff --git a/src/ui/dialog/ocaldialogs.cpp b/src/ui/dialog/ocaldialogs.cpp
+index 2ae7d69..63c56f7 100644
+--- a/src/ui/dialog/ocaldialogs.cpp
++++ b/src/ui/dialog/ocaldialogs.cpp
+@@ -468,9 +468,14 @@ void FileImportFromOCALDialog::searchTagEntryChangedCallback()
+     xmlDoc *doc = NULL;
+     xmlNode *root_element = NULL;
+ 
++    int parse_options = XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR;  // do not use XML_PARSE_NOENT ! see bug lp:1025185
++    bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++    if (!allowNetAccess) {
++        parse_options |= XML_PARSE_NONET;
++    }
++
+     doc = xmlReadIO ((xmlInputReadCallback) vfs_read_callback,
+-        (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL,
+-        XML_PARSE_RECOVER + XML_PARSE_NOWARNING + XML_PARSE_NOERROR);
++        (xmlInputCloseCallback) gnome_vfs_close, from_handle, uri.c_str(), NULL, parse_options);
+     if (doc == NULL) {
+         sp_ui_error_dialog(_("Server supplied malformed Clip Art feed"));
+         g_warning("Failed to parse %s\n", uri.c_str());
+diff --git a/src/xml/repr-io.cpp b/src/xml/repr-io.cpp
+index fa5e9b6..088b505 100644
+--- a/src/xml/repr-io.cpp
++++ b/src/xml/repr-io.cpp
+@@ -289,12 +289,18 @@ sp_repr_read_file (const gchar * filename, const gchar *default_ns)
+         XmlSource src;
+ 
+         if ( (src.setFile(filename) == 0) ) {
++	    int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185
++	    Inkscape::Preferences *prefs = Inkscape::Preferences::get();
++	    bool allowNetAccess = prefs->getBool("/options/externalresources/xml/allow_net_access", false);
++	    if (!allowNetAccess) {
++	      parse_options |= XML_PARSE_NONET;
++	    }
+             doc = xmlReadIO( XmlSource::readCb,
+                              XmlSource::closeCb,
+                              &src,
+                              localFilename,
+                              src.getEncoding(),
+-                             XML_PARSE_NOENT );
++                             parse_options);
+         }
+     }
+ 
+-- 
+1.7.10.4
+
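Review bot: the repr-io.cpp region swaps `XML_PARSE_NOENT` for `XML_PARSE_HUGE` (line `++	    int parse_options = XML_PARSE_HUGE; // do not use XML_PARSE_NOENT ! see bug lp:1025185`) and neither the patch description nor that comment explains either half of the change: dropping NOENT is what stops external entities from being substituted into the parsed document, which is the actual CVE-2012-5656 fix, while adding HUGE lifts libxml2's built-in parser limits and is unrelated to it, so the description should state why HUGE is needed (or drop it) and the comment should say what NOENT would expose rather than only pointing at lp:1025185. Also confirm that `prefs` is in scope in the ocaldialogs.cpp region: `prefs->getBool("/options/externalresources/xml/allow_net_access", false)` is used there without obtaining it, whereas the repr-io.cpp region calls `Inkscape::Preferences::get()` first. The preference key, the `false` default and the `XML_PARSE_NONET` branch are duplicated verbatim in both files; a small helper returning the parse options would keep them in one place and match the `allow_net_access="0"` default added to preferences-skeleton.h. Minor: the new repr-io.cpp lines are tab-indented while the surrounding code uses spaces, and the ocaldialogs.cpp line still sums flags with `+` where `|` is the idiom (the new `parse_options |= XML_PARSE_NONET` already uses it).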
diff --git a/debian/patches/series b/debian/patches/series
index 08294b7..bd4ef57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01-fix-datamatrix-ui.dpatch
 02-drop-pdf-ps.diff
+03-CVE-2012-5656.diff
-- 
1.7.10.4

From b1d5c31311cd7f4113b739db99f60b53368c0cac Mon Sep 17 00:00:00 2001
From: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>
Date: Mon, 24 Dec 2012 01:00:06 +0100
Subject: [PATCH 4/4] Update Debian changelog for 0.48.3.1-1.2.

---
 debian/changelog |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d1fdf41..8505588 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+inkscape (0.48.3.1-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
+
+ -- John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de>  Mon, 24 Dec 2012 00:58:56 +0100
+
 inkscape (0.48.3.1-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
-- 
1.7.10.4


--- End Message ---
--- Begin Message ---
On Sun, Dec 30, 2012 at 00:04:16 +0100, John Paul Adrian Glaubitz wrote:

> Hi Julien,
> 
> I have built a new version 0.48.3.1-1.3 and uploaded it into unstable.
> 
XML_PARSE_NOENT vs XML_PARSE_NONET kinda makes my head spin, but hey,
unblocked.

Cheers,
Julien



--- End Message ---