On Fri, 2015-02-27 at 03:17 +0000, Ben Hutchings wrote:
> On Mon, 2015-02-23 at 18:38 +0100, Didier 'OdyX' Raboud wrote:
> > Hi,
> >
> > On Monday, 23 February 2015, 11.58:33 Raphael Hertzog wrote:
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of your package:
> > > https://security-tracker.debian.org/tracker/CVE-2014-9679
> > >
> > > Would you like to take care of this yourself?
> > >
> > > If yes, please follow the workflow we have defined here:
> > > http://wiki.debian.org/LTS/Development
> >
> > I will, but keep in mind that we're still discussing the Wheezy patch
> > with the security team, so I'd like to get that fixed too (ideally
> > first).
> >
> > That said, the part from the upstream patch that we're discussing
> > doesn't apply to Squeeze(-LTS), so we might as well upload the patch
> > as-is.
> >
> > Proposed debdiff attached.
>
> This does not fix the bug!

I cherry-picked git commit 6c087a72a0708bcb7929955c75770ee364755c42
("Add some range checking (probably more to come) to avoid divide-by-0
errors."), after which the critical hunk of the patch for CVE-2014-9679
applied cleanly.

With Didier's original patch,

    zcat bogus.raster.gz | rastertohp foo bar baz 1 ''

still crashes (segmentation fault). With the two patches applied, it
fails cleanly (no pages found).

I was still able to print a test page (though I'm not certain that this
uses the raster filter code in my configuration).

So I've uploaded with those two patches applied.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.