r40430 - in /desktop/squeeze/librsvg/debian: changelog patches/CVE-2013-1881.policy.patch
joss at users.alioth.debian.org
joss at users.alioth.debian.org
Fri Jan 24 13:55:54 UTC 2014
Author: joss
Date: Fri Jan 24 13:55:54 2014
New Revision: 40430
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=40430
Log:
CVE-2013-1881.policy.patch: updated from Raphaël Geissert. Fix
policy check for non-URIs. Closes: #732144.
Modified:
desktop/squeeze/librsvg/debian/changelog
desktop/squeeze/librsvg/debian/patches/CVE-2013-1881.policy.patch
Modified: desktop/squeeze/librsvg/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/squeeze/librsvg/debian/changelog?rev=40430&op=diff
==============================================================================
--- desktop/squeeze/librsvg/debian/changelog [utf-8] (original)
+++ desktop/squeeze/librsvg/debian/changelog [utf-8] Fri Jan 24 13:55:54 2014
@@ -1,3 +1,10 @@
+librsvg (2.26.3-1+deb6u2) oldstable; urgency=low
+
+ * CVE-2013-1881.policy.patch: updated from Raphaël Geissert. Fix
+ policy check for non-URIs. Closes: #732144.
+
+ -- Josselin Mouette <joss at debian.org> Fri, 24 Jan 2014 14:55:48 +0100
+
librsvg (2.26.3-1+deb6u1) oldstable; urgency=low
[ Raphaël Geissert ]
Modified: desktop/squeeze/librsvg/debian/patches/CVE-2013-1881.policy.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/squeeze/librsvg/debian/patches/CVE-2013-1881.policy.patch?rev=40430&op=diff
==============================================================================
--- desktop/squeeze/librsvg/debian/patches/CVE-2013-1881.policy.patch [utf-8] (original)
+++ desktop/squeeze/librsvg/debian/patches/CVE-2013-1881.policy.patch [utf-8] Fri Jan 24 13:55:54 2014
@@ -1,8 +1,32 @@
Index: librsvg-2.26.3/rsvg-image.c
===================================================================
---- librsvg-2.26.3.orig/rsvg-image.c 2013-11-28 12:01:22.865236793 +0100
-+++ librsvg-2.26.3/rsvg-image.c 2013-11-28 12:17:25.242370794 +0100
-@@ -356,6 +356,51 @@ rsvg_acquire_vfs_resource (const char *f
+--- librsvg-2.26.3.orig/rsvg-image.c 2013-12-20 14:28:57.731991069 +0100
++++ librsvg-2.26.3/rsvg-image.c 2013-12-20 14:38:59.384692376 +0100
+@@ -325,22 +325,7 @@ rsvg_acquire_vfs_resource (const char *f
+
+ file = g_file_new_for_uri (filename);
+
+- if (!(res = g_file_load_contents (file, NULL, &data, &size, NULL, error))) {
+- if (base_uri != NULL) {
+- GFile *base;
+-
+- rsvg_free_error (error);
+-
+- g_object_unref (file);
+-
+- base = g_file_new_for_uri (base_uri);
+- file = g_file_resolve_relative_path (base, filename);
+- g_object_unref (base);
+-
+- res = g_file_load_contents (file, NULL, &data, &size, NULL, error);
+- }
+- }
+-
++ res = g_file_load_contents (file, NULL, &data, &size, NULL, error);
+ g_object_unref (file);
+
+ if (res) {
+@@ -356,23 +341,136 @@ rsvg_acquire_vfs_resource (const char *f
}
#endif
@@ -23,7 +47,7 @@
+
+ /* Allow loads of data: from any location */
+ if (g_str_equal (href_scheme, "data"))
-+ return TRUE;
++ goto allow;
+
+ /* no valid base URI */
+ if (base_scheme == NULL)
@@ -35,7 +59,7 @@
+
+ /* resource: is allowed to load anything from other resources */
+ if (g_str_equal (href_scheme, "resource"))
-+ return TRUE;
++ goto allow;
+
+ /* Non-file: isn't allowed to load anything */
+ if (!g_str_equal (href_scheme, "file"))
@@ -43,9 +67,14 @@
+
+ /* no local-file policy is applied here */
+
++allow:
++ free(base_scheme);
++ free(href_scheme);
+ return TRUE;
+
+deny:
++ free(base_scheme);
++ free(href_scheme);
+ g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
+ "File may not link to URI \"%s\"", href);
+ return FALSE;
@@ -54,20 +83,94 @@
GByteArray *
_rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err)
{
-@@ -367,6 +412,9 @@ _rsvg_acquire_xlink_href_resource (const
- if (!strncmp (href, "data:", 5))
+ GByteArray *arr = NULL;
++ char *base_scheme = NULL, *href_scheme = NULL;
++ char *href_uri = NULL;
++#ifndef HAVE_GIO
++ /* to be used ONLY for the policy check */
++ GString *href_uri_str = NULL;
++#endif
+
+ if (!(href && *href))
+ return NULL;
+
+- if (!strncmp (href, "data:", 5))
++ if (base_uri)
++ base_scheme = g_uri_parse_scheme (base_uri);
++ if (href)
++ href_scheme = g_uri_parse_scheme (href);
++
++ if (href_scheme && g_str_equal (href_scheme, "data"))
arr = rsvg_acquire_base64_resource (href, NULL);
-
-+ if (!_rsvg_acquire_xlink_allow_load(href, base_uri, err))
-+ return NULL;
-+
- if (!arr)
++ if (arr)
++ goto done;
+
+- if (!arr)
++#ifdef HAVE_GIO
++ /* if href is not a URI already, turn it into one based on base_uri */
++ if (href_scheme == NULL) {
++ GFile *file, *base, *parentless_base;
++ base = g_file_new_for_uri (base_uri);
++ /* now strip the file name: */
++ parentless_base = g_file_get_parent (base);
++ file = g_file_resolve_relative_path (parentless_base, href);
++
++ g_object_unref (base);
++ g_object_unref (parentless_base);
++ href_uri = g_file_get_uri(file);
++ g_object_unref (file);
++ } else {
++ href_uri = strdup (href);
++ if (!href_uri) /* FIXME: better handling failure */
++ goto done;
++ }
++#else
++ if (href_scheme == NULL) {
++ href_uri_str = g_string_new(href);
++ if (base_scheme) {
++ /* try to turn href into a uri */
++ g_string_prepend (href_uri_str, "://");
++ g_string_prepend (href_uri_str, base_scheme);
++ /* no need to free, as href_scheme is NULL, remember? */
++ href_scheme = strdup (base_scheme);
++ if (!href_scheme) /* FIXME: better handling failure */
++ goto done;
++ } else
++ goto done;
++ } else {
++ href_uri_str = g_string_new(href);
++ }
++ href_uri = href_uri_str->str;
++#endif
++
++ if (!_rsvg_acquire_xlink_allow_load(href_uri, base_uri, err))
++ goto done;
++
++#ifdef HAVE_GIO
++ arr = rsvg_acquire_vfs_resource (href_uri, base_uri, NULL);
++#else
++ /* href must be a path for fopen() to work */
++ if (g_str_equal (href_scheme, "file"))
arr = rsvg_acquire_file_resource (href, base_uri, NULL);
-
++#endif
++
++done:
++ free(href_scheme);
++ free(base_scheme);
+
+ #ifdef HAVE_GIO
+- if (!arr)
+- arr = rsvg_acquire_vfs_resource (href, base_uri, NULL);
++ g_free(href_uri);
++#else
++ g_string_free (href_uri_str, TRUE);
+ #endif
+
+ return arr;
Index: librsvg-2.26.3/rsvg-base.c
===================================================================
---- librsvg-2.26.3.orig/rsvg-base.c 2013-11-28 12:01:22.865236793 +0100
-+++ librsvg-2.26.3/rsvg-base.c 2013-11-28 12:13:54.913248784 +0100
+--- librsvg-2.26.3.orig/rsvg-base.c 2013-12-20 14:28:57.731991069 +0100
++++ librsvg-2.26.3/rsvg-base.c 2013-12-20 14:37:44.868110116 +0100
@@ -1049,12 +1049,13 @@ rsvg_handle_set_base_uri (RsvgHandle * h
else
uri = rsvg_get_base_uri_from_filename (base_uri);
@@ -88,3 +191,41 @@
}
/**
+Index: librsvg-2.26.3/rsvg-base-file-util.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-base-file-util.c 2013-12-20 14:28:57.731991069 +0100
++++ librsvg-2.26.3/rsvg-base-file-util.c 2013-12-20 14:37:44.868110116 +0100
+@@ -87,11 +87,23 @@ rsvg_handle_new_from_file (const gchar *
+ gchar *base_uri;
+ GByteArray *f;
+ RsvgHandle *handle = NULL;
++ char *base_scheme;
++ gchar *final_file_name = NULL;
+
+ rsvg_return_val_if_fail (file_name != NULL, NULL, error);
+
+- base_uri = rsvg_get_base_uri_from_filename (file_name);
+- f = _rsvg_acquire_xlink_href_resource (file_name, base_uri, error);
++ /* turn the file name/path into a URI if it is not one already */
++ base_scheme = g_uri_parse_scheme (file_name);
++ if (base_scheme) {
++ free (base_scheme);
++ base_scheme = 0;
++ base_uri = g_strdup (file_name);
++ final_file_name = g_strdup (file_name);
++ } else {
++ base_uri = rsvg_get_base_uri_from_filename (file_name);
++ final_file_name = g_path_get_basename (file_name);
++ }
++ f = _rsvg_acquire_xlink_href_resource (final_file_name, base_uri, error);
+
+ if (f) {
+ handle = rsvg_handle_new ();
+@@ -106,6 +118,7 @@ rsvg_handle_new_from_file (const gchar *
+ }
+
+ g_free (base_uri);
++ g_free (final_file_name);
+
+ return handle;
+ }
More information about the pkg-gnome-commits
mailing list