Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-25 Thread Adam D. Barratt
Control: tags -1 + pending

On Thu, 2016-03-24 at 22:17 +0100, Markus Frosch wrote:
> On 23.03.2016 21:13, Adam D. Barratt wrote:
> > I'd prefer a slightly more verbose changelog if possible, in terms of
> > the actual issues. In any case, please go ahead.
> 
> I've updated changelog and uploaded to jessie.

Flagged for acceptance.

Regards,

Adam



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-24 Thread Markus Frosch
On 23.03.2016 21:13, Adam D. Barratt wrote:
> I'd prefer a slightly more verbose changelog if possible, in terms of
> the actual issues. In any case, please go ahead.

I've updated changelog and uploaded to jessie.

RM request #816037 should be closed, since it's superseded by this upload.

Thanks :)
Markus
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de





Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-24 Thread Adam D. Barratt
On Thu, 2016-03-24 at 22:17 +0100, Markus Frosch wrote:
> RM request #816037 should be closed, since it's superseded by this upload.

It was, yesterday.

Regards,

Adam



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2016-03-19 at 18:44 +0100, Markus Frosch wrote:
> On 19.03.2016 17:57, Julien Cristau wrote:
> > Yes please.
> 
> Here is the current debdiff.

+php-dompdf (0.6.1+dfsg-2+deb8u1) stable-proposed-updates; urgency=medium

"jessie" is preferable.

+  * Non-maintainer upload.
+  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
+
+Fixes CVE:
+* CVE-2014-5011
+* CVE-2014-5012
+* CVE-2014-5013
+
+This update bundles CVE hotfixes from 0.6.2 upstream release.

I'd prefer a slightly more verbose changelog if possible, in terms of
the actual issues. In any case, please go ahead.

Regards,

Adam



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-19 Thread Markus Frosch
On 19.03.2016 17:57, Julien Cristau wrote:
> Yes please.

Here is the current debdiff.

Cheers
Markus Frosch
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de
diff -Nru php-dompdf-0.6.1+dfsg/debian/changelog 
php-dompdf-0.6.1+dfsg/debian/changelog
--- php-dompdf-0.6.1+dfsg/debian/changelog  2014-04-23 21:24:29.0 
+0200
+++ php-dompdf-0.6.1+dfsg/debian/changelog  2016-03-19 18:42:01.0 
+0100
@@ -1,3 +1,17 @@
+php-dompdf (0.6.1+dfsg-2+deb8u1) stable-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
+
+Fixes CVE:
+* CVE-2014-5011
+* CVE-2014-5012
+* CVE-2014-5013
+
+This update bundles CVE hotfixes from 0.6.2 upstream release.
+
+ -- Markus Frosch   Sat, 19 Mar 2016 18:40:34 +0100
+
 php-dompdf (0.6.1+dfsg-2) unstable; urgency=medium
 
   * Document security issue fixed in last upstream version, and upload to
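Review bot: the distribution field `stable-proposed-updates` in the new changelog entry should be `jessie`, as the release team reply in this thread asks. The entry also names the CVEs only by number; one line per CVE saying what class of issue it closes (the same reply asks for a more verbose changelog) would let users of the stable package judge the update without reading the 713-line patch.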
diff -Nru php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch 
php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch
--- php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch
1970-01-01 01:00:00.0 +0100
+++ php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch
2016-03-19 18:36:53.0 +0100
@@ -0,0 +1,713 @@
+Description: Hotfix based on 0.6.2
+ This patch fixes:
+ * CVE-2014-2383
+ * CVE-2014-5011
+ * CVE-2014-5012
+ * CVE-2014-5013
+ .
+ The patch bundles code changes from 0.6.2
+Author: Brian Sweeney 
+Origin: upstream
+Applied-Upstream: 0.6.2
+Reviewed-by: Markus Frosch 
+Last-Update: 2016-02-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
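Review bot: the DEP-3 `Description:` at the top of the patch still lists CVE-2014-2383, although the changelog in this same debdiff no longer does (the thread established it was already fixed in 0.6.1+dfsg-1, with CVE-2014-5013 as the follow-up). Keep the two lists consistent: either drop CVE-2014-2383 from the patch header or note there that it was addressed earlier and that this patch carries the follow-up fix.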
+--- a/dompdf.php
 b/dompdf.php
+@@ -130,6 +130,8 @@
+ $sapi = php_sapi_name();
+ $options = array();
+ 
++$dompdf = new DOMPDF();
++
+ switch ( $sapi ) {
+ 
+  case "cli":
+@@ -169,7 +171,7 @@
+ if ( $file === "-" )
+   $outfile = "dompdf_out.pdf";
+ else
+-  $outfile = str_ireplace(array(".html", ".htm", ".php"), "", $file) . 
".pdf";
++  $outfile = str_ireplace(array(".html", ".htm"), "", $file) . ".pdf";
+   }
+ 
+   if ( isset($opts["v"]) )
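Review bot: dropping `.php` from the `str_ireplace()` list changes CLI output naming: an input named `report.php` now produces `report.php.pdf` instead of `report.pdf`. That is a user-visible behaviour change in a stable update and is not mentioned in the changelog; either say so there or confirm it is part of the upstream hotfix rather than an incidental 0.6.2 change.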
+@@ -194,6 +196,8 @@
+ 
+  default:
+ 
++  $dompdf->set_option('enable_php', false);
++  
+   if ( isset($_GET["input_file"]) )
+ $file = rawurldecode($_GET["input_file"]);
+   else
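Review bot: `$dompdf->set_option('enable_php', false)` in the `default` (web SAPI) branch is unconditional, so it overrides any `DOMPDF_ENABLE_PHP` value from `dompdf_config.custom.inc.php` for web invocations while the CLI branch keeps the configured value; this also relies on the `new DOMPDF()` being moved before the `switch` in the hunk at line 130. That is the right default for a web-reachable script, but it should be documented (NEWS or README.Debian), because an administrator who deliberately enabled inline PHP will see it silently stop working after the update.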
+@@ -220,26 +224,12 @@
+   
+   $file_parts = explode_url($file);
+   
+-  /* Check to see if the input file is local and, if so, that the base path 
falls within that specified by DOMDPF_CHROOT */
+-  if(($file_parts['protocol'] == '' || $file_parts['protocol'] === 
'file://')) {
+-$file = realpath($file);
+-if ( strpos($file, DOMPDF_CHROOT) !== 0 ) {
+-  throw new DOMPDF_Exception("Permission denied on $file. The file could 
not be found under the directory specified by DOMPDF_CHROOT.");
+-}
+-  }
+-  
+-  if($file_parts['protocol'] === 'php://') {
+-throw new DOMPDF_Exception("Permission denied on $file. This script does 
not allow PHP streams.");
+-  }
+-  
+   $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file
+   $save_file = false; # Don't save the file
+   
+   break;
+ }
+ 
+-$dompdf = new DOMPDF();
+-
+ if ( $file === "-" ) {
+   $str = "";
+   while ( !feof(STDIN) )
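Review bot: this hunk deletes the only chroot enforcement visible in `dompdf.php`: the `realpath()` plus `DOMPDF_CHROOT` prefix check for local files and the rejection of `php://` streams. The replacement is presumably the `_allowed_protocols` whitelist and local-file handling added to `dompdf.cls.php` later in this patch, but that part is cut off in the quoted debdiff. Before accepting, confirm in the full patch that the library-side check still resolves the path with `realpath()` (so symlinks and `..` segments cannot escape the chroot) and still refuses PHP stream wrappers; otherwise the web entry point ends up weaker than before, not stronger.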
+--- a/dompdf_config.custom.inc.php
 b/dompdf_config.custom.inc.php
+@@ -1,6 +1,7 @@
+-https://github.com/dompdf/dompdf/wiki
++ */
++//define("DOMPDF_CHROOT", DOMPDF_DIR);
++//define("DOMPDF_ENABLE_PHP", false);
++//define("DOMPDF_ENABLE_REMOTE", false);
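Review bot: the three `define()` lines added to the custom config are commented out, so this hunk changes nothing at runtime; it only documents `DOMPDF_CHROOT`, `DOMPDF_ENABLE_PHP` and `DOMPDF_ENABLE_REMOTE` as the settings an administrator should review. For a security update it is worth stating in README.Debian which values the package actually ships for these three, since the commented lines suggest safe settings that are not enforced. The hunk header counts six and seven lines but only five are shown, so check this hunk against the source file rather than this rendering.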
+--- a/include/abstract_renderer.cls.php
 b/include/abstract_renderer.cls.php
+@@ -100,7 +100,7 @@
+ //Therefore read dimension directly from file, instead of creating gd 
object first.
+ //$img_w = imagesx($src); $img_h = imagesy($src);
+ 
+-list($img_w, $img_h) = dompdf_getimagesize($img);
++list($img_w, $img_h) = dompdf_getimagesize($img, 
$this->_dompdf->get_http_context());
+ if (!isset($img_w) || $img_w == 0 || !isset($img_h) || $img_h == 0) {
+   return;
+ }
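Review bot: the renderer now passes `$this->_dompdf->get_http_context()` into `dompdf_getimagesize()`; that needs a `get_http_context()` method on `DOMPDF`, a second parameter on `dompdf_getimagesize()`, and `_dompdf` set on the renderer, none of which appear in the hunks shown here. If the remainder of the patch adds them the call is fine; if any is missing, image rendering fails with a fatal error rather than falling back, so render one document containing an image on a patched jessie install before upload.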
+--- a/include/cpdf_adapter.cls.php
 b/include/cpdf_adapter.cls.php
+@@ -604,7 +604,7 @@
+   }
+ 
+   function image($img, $x, $y, $w, $h, $resolution = "normal") {
+-list($width, $height, $type) = dompdf_getimagesize($img);
++list($width, $height, $type) = dompdf_getimagesize($img, 
$this->_dompdf->get_http_context());
+ 
+ $debug_png = $this->_dompdf->get_option("debug_png");
+ 
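Review bot: same http-context change as in `abstract_renderer.cls.php`, here for the CPDF backend's `image()`. Any other caller of `dompdf_getimagesize()` that is not updated keeps fetching with the default stream context, so the restricted context only helps if every call site is converted; a `grep dompdf_getimagesize` over the patched tree is a cheap way to confirm none were missed.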
+--- a/include/dompdf.cls.php
 b/include/dompdf.cls.php
+@@ -184,6 +184,25 @@
+* @var bool
+*/
+   private $_quirksmode = false;
++  
++  /**
++   * Protocol whitelist
++   *
++   * Protocols and PHP wrappers allowed in URLs. Full support is not 
++   * guarantee for the protocols/wrappers contained in this array.
++   *
++   * @var array
++   */
++  private $_allowed_protocols = array(null, "", "file://", "http://;, 
"https://;);
++  
++  /**
++   * Local file 
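Review bot: the new `$_allowed_protocols` whitelist admits `null`, `""`, `file://`, `http://` and `https://`, so it restricts only the URL scheme; a bare path or `file://` URL still reaches the local filesystem, and the `Local file` member that follows (truncated in this quote) must carry the chroot enforcement that the `dompdf.php` hunk removed. Two smaller points: the comment reads `Full support is not guarantee` (should be `guaranteed`), and the literals render here as `"http://;` and `"https://;`, which would be a PHP parse error if literal; that is most likely an artifact of how the mail was rendered, but confirm the file in the upload reads `"http://", "https://"`.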

Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-19 Thread Julien Cristau
On Tue, Mar 15, 2016 at 11:13:19 +0100, Markus Frosch wrote:

> I can update the diff if you like, difference only in the changelog and patch 
> summary.
> 
Yes please.

Cheers,
Julien



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-15 Thread Markus Frosch

On 14.03.2016 23:10, Moritz Mühlenhoff wrote:
>> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
>> that wrong?
>> 
>>  https://security-tracker.debian.org/tracker/CVE-2014-2383
>>  https://bugs.debian.org/745619
> Markus?

Hi Moritz,
as I said:

Mail from Sun, 28 Feb 2016 19:51:01 +0100

> That seems to be correct, upstream mentioned it on 0.6.2 as well.
>
> I guess because CVE-2014-5013 is a follow-up for that.
>
> Will remove it from the changelog.

I'd love to go forward with the PU, if nobody has objections. That's the part I 
was waiting on...

I can update the diff if you like, difference only in the changelog and patch 
summary.

Cheers
Markus Frosch
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de





Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-03-14 Thread Moritz Mühlenhoff
On Sun, Feb 28, 2016 at 07:42:46PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> Just one note:
> 
> On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote:
> > +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
> > +
> > +Fixes CVE:
> > +* CVE-2014-2383
> > +* CVE-2014-5011
> > +* CVE-2014-5012
> > +* CVE-2014-5013
> 
> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> that wrong?
> 
>  https://security-tracker.debian.org/tracker/CVE-2014-2383
>  https://bugs.debian.org/745619

Markus?

Cheers,
Moritz



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-02-28 Thread Markus Frosch
On 28.02.2016 19:42, Salvatore Bonaccorso wrote:
> CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
> that wrong?
> 
>  https://security-tracker.debian.org/tracker/CVE-2014-2383
>  https://bugs.debian.org/745619

That seems to be correct, upstream mentioned it on 0.6.2 as well.

I guess because CVE-2014-5013 is a follow-up for that.

Will remove it from the changelog.

Cheers
Markus Frosch
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de





Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-02-28 Thread Salvatore Bonaccorso
Hi Markus,

Just one note:

On Sun, Feb 28, 2016 at 06:22:08PM +0100, Markus Frosch wrote:
> +php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
> +
> +Fixes CVE:
> +* CVE-2014-2383
> +* CVE-2014-5011
> +* CVE-2014-5012
> +* CVE-2014-5013

CVE-2014-2383 should actually be already fixed in 0.6.1+dfsg-1. Is
that wrong?

 https://security-tracker.debian.org/tracker/CVE-2014-2383
 https://bugs.debian.org/745619

Regards,
Salvatore



Bug#816037: Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-02-28 Thread Markus Frosch
Hi Adam,
On 28.02.2016 18:29, Adam D. Barratt wrote:
> Well the RM's already been requested - see #816037. Could you please
> sort out between you what's happening, and let us know?

Haven't seen that bug.

I decided to take over and ITA yesterday, so that was after David's request.

Since I still want to be the new maintainer, and just uploaded to unstable, I'd 
still prefer to keep.

Unless the release team opposes that :)

Cheers
Markus Frosch
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de





Bug#816037: Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-02-28 Thread Adam D. Barratt
Control: tags 816198 + moreinfo

On Sun, 2016-02-28 at 18:22 +0100, Markus Frosch wrote:
> Hey release team,
> I'd like to propose an update for jessie that addresses 4 CVEs with
> php-dompdf.
> 
> Related package bug is #813849
> 
> Though php-dompdf is technically a leaf package, I'd prefer to ship an
> update over a RM of the package from stable.

Well the RM's already been requested - see #816037. Could you please
sort out between you what's happening, and let us know?

Regards,

Adam



Bug#816198: jessie-pu: package php-dompdf/0.6.1+dfsg-2

2016-02-28 Thread Markus Frosch
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hey release team,
I'd like to propose an update for jessie that addresses 4 CVEs with
php-dompdf.

Related package bug is #813849

Though php-dompdf is technically a leaf package, I'd prefer to ship an
update over a RM of the package from stable.

Attached is a prepared debdiff of that update.

Please review and let me know if you need anything in addition.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru php-dompdf-0.6.1+dfsg/debian/changelog php-dompdf-0.6.1+dfsg/debian/changelog
--- php-dompdf-0.6.1+dfsg/debian/changelog	2014-04-23 21:24:29.0 +0200
+++ php-dompdf-0.6.1+dfsg/debian/changelog	2016-02-27 15:51:54.0 +0100
@@ -1,3 +1,18 @@
+php-dompdf (0.6.1+dfsg-2+deb8u1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * [22610bd] Add 0.6.2 hotfix patch (Closes: #813849)
+
+Fixes CVE:
+* CVE-2014-2383
+* CVE-2014-5011
+* CVE-2014-5012
+* CVE-2014-5013
+
+This update bundles CVE hotfixes from 0.6.2 upstream release.
+
+ -- Markus Frosch   Sat, 27 Feb 2016 15:48:10 +0100
+
 php-dompdf (0.6.1+dfsg-2) unstable; urgency=medium
 
   * Document security issue fixed in last upstream version, and upload to
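Review bot: this changelog entry lists CVE-2014-2383, which the follow-up in this thread notes is already fixed in 0.6.1+dfsg-1 (see the tracker entry and #745619); either drop it or state that it was fixed earlier and that CVE-2014-5013 is its follow-up. The distribution is still `UNRELEASED` and has to be changed to the target suite before the upload, and the CVE list would be more useful with a short description of what each one fixes.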
diff -Nru php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch
--- php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch	1970-01-01 01:00:00.0 +0100
+++ php-dompdf-0.6.1+dfsg/debian/patches/0100-0.6.2-hotfix.patch	2016-02-27 15:47:52.0 +0100
@@ -0,0 +1,713 @@
+Description: Hotfix based on 0.6.2
+ This patch fixes:
+ * CVE-2014-2383
+ * CVE-2014-5011
+ * CVE-2014-5012
+ * CVE-2014-5013
+ .
+ The patch bundles code changes from 0.6.2
+Author: Brian Sweeney 
+Origin: upstream
+Applied-Upstream: 0.6.2
+Reviewed-by: Markus Frosch 
+Last-Update: 2016-02-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/dompdf.php
 b/dompdf.php
+@@ -130,6 +130,8 @@
+ $sapi = php_sapi_name();
+ $options = array();
+ 
++$dompdf = new DOMPDF();
++
+ switch ( $sapi ) {
+ 
+  case "cli":
+@@ -169,7 +171,7 @@
+ if ( $file === "-" )
+   $outfile = "dompdf_out.pdf";
+ else
+-  $outfile = str_ireplace(array(".html", ".htm", ".php"), "", $file) . ".pdf";
++  $outfile = str_ireplace(array(".html", ".htm"), "", $file) . ".pdf";
+   }
+ 
+   if ( isset($opts["v"]) )
+@@ -194,6 +196,8 @@
+ 
+  default:
+ 
++  $dompdf->set_option('enable_php', false);
++  
+   if ( isset($_GET["input_file"]) )
+ $file = rawurldecode($_GET["input_file"]);
+   else
+@@ -220,26 +224,12 @@
+   
+   $file_parts = explode_url($file);
+   
+-  /* Check to see if the input file is local and, if so, that the base path falls within that specified by DOMDPF_CHROOT */
+-  if(($file_parts['protocol'] == '' || $file_parts['protocol'] === 'file://')) {
+-$file = realpath($file);
+-if ( strpos($file, DOMPDF_CHROOT) !== 0 ) {
+-  throw new DOMPDF_Exception("Permission denied on $file. The file could not be found under the directory specified by DOMPDF_CHROOT.");
+-}
+-  }
+-  
+-  if($file_parts['protocol'] === 'php://') {
+-throw new DOMPDF_Exception("Permission denied on $file. This script does not allow PHP streams.");
+-  }
+-  
+   $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file
+   $save_file = false; # Don't save the file
+   
+   break;
+ }
+ 
+-$dompdf = new DOMPDF();
+-
+ if ( $file === "-" ) {
+   $str = "";
+   while ( !feof(STDIN) )
+--- a/dompdf_config.custom.inc.php
 b/dompdf_config.custom.inc.php
+@@ -1,6 +1,7 @@
+-https://github.com/dompdf/dompdf/wiki
++ */
++//define("DOMPDF_CHROOT", DOMPDF_DIR);
++//define("DOMPDF_ENABLE_PHP", false);
++//define("DOMPDF_ENABLE_REMOTE", false);
+--- a/include/abstract_renderer.cls.php
 b/include/abstract_renderer.cls.php
+@@ -100,7 +100,7 @@
+ //Therefore read dimension directly from file, instead of creating gd object first.
+ //$img_w = imagesx($src); $img_h = imagesy($src);
+ 
+-list($img_w, $img_h) = dompdf_getimagesize($img);
++list($img_w, $img_h) = dompdf_getimagesize($img, $this->_dompdf->get_http_context());
+ if (!isset($img_w) || $img_w == 0 || !isset($img_h) || $img_h == 0) {
+   return;
+ }
+--- a/include/cpdf_adapter.cls.php
 b/include/cpdf_adapter.cls.php
+@@ -604,7 +604,7 @@
+   }
+ 
+   function image($img, $x, $y, $w, $h, $resolution = "normal") {
+-list($width, $height, $type) = dompdf_getimagesize($img);
++