Processed: Re: Bug#818615: jessie-pu: package gtk+2.0
Processing control commands:
> tags -1 + pending
Bug #818615 [release.debian.org] jessie-pu: package gtk+2.0
Added tag(s) pending.
--
818615: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#818615: jessie-pu: package gtk+2.0
Control: tags -1 + pending On Thu, 2016-03-24 at 22:23 +0100, Moritz Mühlenhoff wrote: > On Thu, Mar 24, 2016 at 06:35:55AM +, Adam D. Barratt wrote: > > Control: tags -1 + confirmed > > > > On Wed, 2016-03-23 at 23:12 +0100, Moritz Mühlenhoff wrote: > > [...] > > > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > > > > I'd like to fix a security issue in GTK, which doesn't really > > > > > > > warrant > > > > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > > > > workstation for a day now. > > > > > > > > > > > > > > Cheers, > > > > > > > Moritz > > > > > > > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > > > > gtk+2.0-2.24.25/debian/changelog > > > > > > > --- gtk+2.0-2.24.25/debian/changelog 2015-03-03 > > > > > > > 19:39:59.0 +0100 > > > > > > > +++ gtk+2.0-2.24.25/debian/changelog 2016-03-17 > > > > > > > 23:20:16.0 +0100 > > > > > > > @@ -1,3 +1,9 @@ > > > > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > > > > + > > > > > > > + * CVE-2013-7447 (Closes: #799275) > > [...] > > > This is now in unstable: > > > https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html > > > > Thanks. Please go ahead. > > Uploaded. Flagged for acceptance. Regards, Adam
Bug#818615: jessie-pu: package gtk+2.0
On Thu, Mar 24, 2016 at 06:35:55AM +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2016-03-23 at 23:12 +0100, Moritz Mühlenhoff wrote: > [...] > > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > > > I'd like to fix a security issue in GTK, which doesn't really > > > > > > warrant > > > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > > > workstation for a day now. > > > > > > > > > > > > Cheers, > > > > > > Moritz > > > > > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > > > gtk+2.0-2.24.25/debian/changelog > > > > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 > > > > > > 19:39:59.0 +0100 > > > > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 > > > > > > 23:20:16.0 +0100 > > > > > > @@ -1,3 +1,9 @@ > > > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > > > + > > > > > > + * CVE-2013-7447 (Closes: #799275) > [...] > > This is now in unstable: > > https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html > > Thanks. Please go ahead. Uploaded. Cheers, Moritz
Bug#818615: jessie-pu: package gtk+2.0
Control: tags -1 + confirmed On Wed, 2016-03-23 at 23:12 +0100, Moritz Mühlenhoff wrote: [...] > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > > I'd like to fix a security issue in GTK, which doesn't really warrant > > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > > workstation for a day now. > > > > > > > > > > Cheers, > > > > > Moritz > > > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > > gtk+2.0-2.24.25/debian/changelog > > > > > --- gtk+2.0-2.24.25/debian/changelog 2015-03-03 19:39:59.0 > > > > > +0100 > > > > > +++ gtk+2.0-2.24.25/debian/changelog 2016-03-17 23:20:16.0 > > > > > +0100 > > > > > @@ -1,3 +1,9 @@ > > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > > + > > > > > + * CVE-2013-7447 (Closes: #799275) [...] > This is now in unstable: > https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html Thanks. Please go ahead. Regards, Adam
Processed: Re: Bug#818615: jessie-pu: package gtk+2.0
Processing control commands:
> tags -1 + confirmed
Bug #818615 [release.debian.org] jessie-pu: package gtk+2.0
Added tag(s) confirmed.
--
818615: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#818615: jessie-pu: package gtk+2.0
tags 818615 -moreinfo thanks On Tue, Mar 22, 2016 at 07:56:40PM +, Adam D. Barratt wrote: > On Fri, 2016-03-18 at 20:58 +0100, Salvatore Bonaccorso wrote: > > HI Adam, > > > > Not Moritz here but can answer the question as well: > > > > On Fri, Mar 18, 2016 at 07:22:34PM +, Adam D. Barratt wrote: > > > Control: tags -1 + moreinfo > > > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > > I'd like to fix a security issue in GTK, which doesn't really warrant > > > > a DSA. Debdiff below, I've been running this on my jessie > > > > workstation for a day now. > > > > > > > > Cheers, > > > > Moritz > > > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > > gtk+2.0-2.24.25/debian/changelog > > > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 19:39:59.0 > > > > +0100 > > > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 23:20:16.0 > > > > +0100 > > > > @@ -1,3 +1,9 @@ > > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > > + > > > > + * CVE-2013-7447 (Closes: #799275) > > > > > > The Security Tracker suggests that this isn't fixed in the version of > > > gtk+2.0 in unstable; is that correct? > > > > Yes it is as well unfixed there. I just have proposed a NMU in > > https://bugs.debian.org/799275#39 > > Thanks for that. > > If we don't notice, please feel free to remove the "moreinfo" tag once > the NMU reaches unstable. This is now in unstable: https://packages.qa.debian.org/g/gtk+2.0/news/20160323T215045Z.html Cheers, Moritz
Processed: Re: Bug#818615: jessie-pu: package gtk+2.0
Processing commands for cont...@bugs.debian.org:
> tags 818615 -moreinfo
Bug #818615 [release.debian.org] jessie-pu: package gtk+2.0
Removed tag(s) moreinfo.
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
818615: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#818615: jessie-pu: package gtk+2.0
On Fri, 2016-03-18 at 20:58 +0100, Salvatore Bonaccorso wrote: > HI Adam, > > Not Moritz here but can answer the question as well: > > On Fri, Mar 18, 2016 at 07:22:34PM +, Adam D. Barratt wrote: > > Control: tags -1 + moreinfo > > > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > > I'd like to fix a security issue in GTK, which doesn't really warrant > > > a DSA. Debdiff below, I've been running this on my jessie > > > workstation for a day now. > > > > > > Cheers, > > > Moritz > > > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog > > > gtk+2.0-2.24.25/debian/changelog > > > --- gtk+2.0-2.24.25/debian/changelog 2015-03-03 19:39:59.0 > > > +0100 > > > +++ gtk+2.0-2.24.25/debian/changelog 2016-03-17 23:20:16.0 > > > +0100 > > > @@ -1,3 +1,9 @@ > > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > > + > > > + * CVE-2013-7447 (Closes: #799275) > > > > The Security Tracker suggests that this isn't fixed in the version of > > gtk+2.0 in unstable; is that correct? > > Yes it is as well unfixed there. I just have proposed a NMU in > https://bugs.debian.org/799275#39 Thanks for that. If we don't notice, please feel free to remove the "moreinfo" tag once the NMU reaches unstable. Regards, Adam
Bug#818615: jessie-pu: package gtk+2.0
Control: tags -1 + moreinfo On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > I'd like to fix a security issue in GTK, which doesn't really warrant > a DSA. Debdiff below, I've been running this on my jessie > workstation for a day now. > > Cheers, > Moritz > > diff -Nru gtk+2.0-2.24.25/debian/changelog gtk+2.0-2.24.25/debian/changelog > --- gtk+2.0-2.24.25/debian/changelog 2015-03-03 19:39:59.0 +0100 > +++ gtk+2.0-2.24.25/debian/changelog 2016-03-17 23:20:16.0 +0100 > @@ -1,3 +1,9 @@ > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > + > + * CVE-2013-7447 (Closes: #799275) The Security Tracker suggests that this isn't fixed in the version of gtk+2.0 in unstable; is that correct? Regards, Adam
Bug#818615: jessie-pu: package gtk+2.0
Package: release.debian.org Severity: normal Hi, I'd like to fix a security issue in GTK, which doesn't really warrant a DSA. Debdiff below, I've been running this on my jessie workstation for a day now. Cheers, Moritz diff -Nru gtk+2.0-2.24.25/debian/changelog gtk+2.0-2.24.25/debian/changelog --- gtk+2.0-2.24.25/debian/changelog2015-03-03 19:39:59.0 +0100 +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 23:20:16.0 +0100 @@ -1,3 +1,9 @@ +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium + + * CVE-2013-7447 (Closes: #799275) + + -- Moritz M�hlenhoff Thu, 17 Mar 2016 00:17:18 +0100 + gtk+2.0 (2.24.25-3) unstable; urgency=medium * 0002-gdk-Fix-GdkWindowFilter-internal-refcounting.patch diff -Nru gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch --- gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch 1970-01-01 01:00:00.0 +0100 +++ gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch 2016-03-17 23:15:42.0 +0100 
@@ -0,0 +1,30 @@ +From 894b1ae76a32720f4bb3d39cf460402e3ce331d6 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Sat, 29 Jun 2013 22:06:54 -0400 +Subject: Avoid integer overflow + +Use g_malloc_n in gdk_cairo_set_source_pixbuf when allocating +a large block of memory, to avoid integer overflow. + +Pointed out by Bert Massop in +https://bugzilla.gnome.org/show_bug.cgi?id=703220 +--- + gdk/gdkcairo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c +index 19bed04..2e1d8dc 100644 +--- a/gdk/gdkcairo.c b/gdk/gdkcairo.c +@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t *cr, + format = CAIRO_FORMAT_ARGB32; + + cairo_stride = cairo_format_stride_for_width (format, width); +- cairo_pixels = g_malloc (height * cairo_stride); ++ cairo_pixels = g_malloc_n (height, cairo_stride); + surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels, + format, + width, height, cairo_stride); +-- +cgit v0.12 + diff -Nru gtk+2.0-2.24.25/debian/patches/series gtk+2.0-2.24.25/debian/patches/series --- gtk+2.0-2.24.25/debian/patches/series 2015-03-03 19:36:04.0 +0100 +++ gtk+2.0-2.24.25/debian/patches/series 2016-03-17 23:17:03.0 +0100 @@ -14,3 +14,4 @@ 061_use_pdf_as_default_printing_standard.patch 065_gir_set_packages.patch 098_multiarch_module_path.patch +099_CVE-2013-7447.patch
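Review bot: The new debian/changelog entry gives only the CVE id and the bug number, so someone reading the changelog of the stable update cannot tell what was changed or which patch carries it. Name the fix and the patch file in the entry, for example "Avoid integer overflow in gdk_cairo_set_source_pixbuf (CVE-2013-7447), 099_CVE-2013-7447.patch".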
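Review bot: In the gdk/gdkcairo.c hunk inside 099_CVE-2013-7447.patch, cairo_stride still goes straight from cairo_format_stride_for_width into the allocation without a check, and that function returns -1 when the width is too large for the format. g_malloc_n takes gsize arguments, so a negative stride is converted to a very large value and the call aborts the process; the same abort is what now happens when height times cairo_stride overflows. Consider returning early when cairo_stride <= 0, and state in the patch description that an overflow now ends in an abort, so the remaining impact is a crash rather than an undersized cairo_pixels buffer handed to cairo_image_surface_create_for_data.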
Bug#818615: jessie-pu: package gtk+2.0
Hi Adam, Not Moritz here but can answer the question as well: On Fri, Mar 18, 2016 at 07:22:34PM +, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Fri, 2016-03-18 at 19:33 +0100, Moritz Muehlenhoff wrote: > > I'd like to fix a security issue in GTK, which doesn't really warrant > > a DSA. Debdiff below, I've been running this on my jessie > > workstation for a day now. > > > > Cheers, > > Moritz > > > > diff -Nru gtk+2.0-2.24.25/debian/changelog gtk+2.0-2.24.25/debian/changelog > > --- gtk+2.0-2.24.25/debian/changelog2015-03-03 19:39:59.0 > > +0100 > > +++ gtk+2.0-2.24.25/debian/changelog2016-03-17 23:20:16.0 > > +0100 > > @@ -1,3 +1,9 @@ > > +gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium > > + > > + * CVE-2013-7447 (Closes: #799275) > > The Security Tracker suggests that this isn't fixed in the version of > gtk+2.0 in unstable; is that correct? Yes it is as well unfixed there. I just have proposed a NMU in https://bugs.debian.org/799275#39 Hope this helps, Regards, Salvatore
Processed: Re: Bug#818615: jessie-pu: package gtk+2.0
Processing control commands:
> tags -1 + moreinfo
Bug #818615 [release.debian.org] jessie-pu: package gtk+2.0
Added tag(s) moreinfo.
--
818615: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818615
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems