[Pkg-cups-devel] squeeze update of cups?

Ben Hutchings ben at decadent.org.uk
Fri Feb 27 04:39:08 UTC 2015


On Fri, 2015-02-27 at 03:17 +0000, Ben Hutchings wrote:
> On Mon, 2015-02-23 at 18:38 +0100, Didier 'OdyX' Raboud wrote:
> > Hi,
> > 
> > > On Monday, 23 February 2015, 11:58:33 Raphael Hertzog wrote:
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of your package:
> > > https://security-tracker.debian.org/tracker/CVE-2014-9679
> > > 
> > > Would you like to take care of this yourself?
> > > 
> > > If yes, please follow the workflow we have defined here:
> > > http://wiki.debian.org/LTS/Development
> > 
> > I will, but keep in mind that we're still discussing the Wheezy patch 
> > with the security team, so I'd like to get that fixed too (ideally 
> > first).
> > 
> > > That said, the part from the upstream patch that we're discussing
> > > doesn't apply to Squeeze(-LTS), so we might as well upload the patch
> > > as-is.
> >
> > Proposed debdiff attached.
> 
> This does not fix the bug!

I cherry-picked git commit 6c087a72a0708bcb7929955c75770ee364755c42
("Add some range checking (probably more to come) to avoid divide-by-0
errors."), after which the critical hunk of the patch for CVE-2014-9679
applied cleanly.  With Didier's original patch,

    zcat bogus.raster.gz | rastertohp foo bar baz 1 ''

still crashes (segmentation fault).  With the two patches applied, it
fails cleanly (no pages found).  I was still able to print a test page
(though I'm not certain that this uses the raster filter code in my
configuration).

So I've uploaded with those two patches applied.

Ben.

-- 
Ben Hutchings
It is easier to write an incorrect program than to understand a correct one.
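The range checks in the cherry-picked commit, shown as an added example (this is illustrative code written for this page, not CUPS source and not the patch in the thread): a stand-in for a raster page header reader, with an "unchecked" decode that trusts every field and a "checked" step that rejects a header whose cupsBytesPerLine is zero or inconsistent with cupsWidth and cupsBitsPerPixel, so a bogus file ends in "no pages" instead of a division by zero. Assumptions: the 16-byte little-endian layout, the function names, the accepted cupsBitsPerPixel set and the constructed headers are all this example's own; the real cups_page_header2_t is a much larger structure and the real filters are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>

/* The four header fields this example cares about.  The names follow the
 * CUPS cups_page_header2_t members, but the 16-byte little-endian layout
 * below is a hypothetical stand-in, not the real 1796-byte v2 header. */
typedef struct {
    uint32_t cupsWidth;
    uint32_t cupsHeight;
    uint32_t cupsBitsPerPixel;
    uint32_t cupsBytesPerLine;
} page_header_t;

#define HDR_SIZE 16

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "Before": decode the fields and trust them.  Returns -1 only on a short
 * read; a zero cupsBytesPerLine passes straight through to the caller. */
int read_header_unchecked(const unsigned char *buf, size_t len,
                          page_header_t *h)
{
    if (len < HDR_SIZE)
        return -1;
    h->cupsWidth        = rd32(buf + 0);
    h->cupsHeight       = rd32(buf + 4);
    h->cupsBitsPerPixel = rd32(buf + 8);
    h->cupsBytesPerLine = rd32(buf + 12);
    return 0;
}

/* "After": range checks in the spirit of the cherry-picked commit.  The
 * accepted cupsBitsPerPixel set is an assumption for this example.  Returns
 * 0 for a usable header, -1 for one a filter should treat as "no pages". */
int check_header(const page_header_t *h)
{
    uint32_t bpp = h->cupsBitsPerPixel;
    uint64_t min_bytes_per_line;

    if (h->cupsWidth == 0 || h->cupsHeight == 0)
        return -1;
    if (bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8 &&
        bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    /* A line must hold cupsWidth pixels at bpp bits each; this also rules
     * out cupsBytesPerLine == 0, the divisor that must never be zero. */
    min_bytes_per_line = ((uint64_t)h->cupsWidth * bpp + 7) / 8;
    if (h->cupsBytesPerLine < min_bytes_per_line)
        return -1;
    /* The page buffer size must be representable before anyone allocates
     * it; a 64-bit product catches the 32-bit wrap. */
    if ((uint64_t)h->cupsBytesPerLine * h->cupsHeight > UINT32_MAX)
        return -1;
    return 0;
}

/* Number of complete raster lines in data_len bytes of page data, or -1
 * when the header is rejected.  The division is only reached after
 * check_header has guaranteed a non-zero divisor. */
long checked_lines(const unsigned char *hdr, size_t hdrlen, uint32_t data_len)
{
    page_header_t h;

    if (read_header_unchecked(hdr, hdrlen, &h) < 0 || check_header(&h) < 0)
        return -1;
    return (long)(data_len / h.cupsBytesPerLine);
}

/* Constructed inputs (not taken from any real raster file): a sane 4x2
 * 8-bit page, a copy with cupsBytesPerLine forced to zero, and one whose
 * cupsBytesPerLine * cupsHeight wraps a 32-bit size (65536 * 65536). */
const unsigned char good_hdr[HDR_SIZE] = {
    4,0,0,0,  2,0,0,0,  8,0,0,0,  4,0,0,0 };
const unsigned char bogus_hdr[HDR_SIZE] = {
    4,0,0,0,  2,0,0,0,  8,0,0,0,  0,0,0,0 };
const unsigned char huge_hdr[HDR_SIZE] = {
    0,0,1,0,  0,0,1,0,  8,0,0,0,  0,0,1,0 };

int main(void)
{
    printf("good header:  %ld lines in 8 bytes\n",
           checked_lines(good_hdr, HDR_SIZE, 8));
    printf("bogus header: %ld (rejected, no pages)\n",
           checked_lines(bogus_hdr, HDR_SIZE, 8));
    printf("huge header:  %ld (rejected, size wraps)\n",
           checked_lines(huge_hdr, HDR_SIZE, 8));
    return 0;
}
```

The point to carry over to a real filter is ordering: every arithmetic use of a header field (division, allocation size, loop bound) has to sit behind the check, which is why the thread's fix only works once the range-checking commit is present for the CVE hunk to build on.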