autotrace: CVE-2013-1953


Debian Bug report logs - #742873


Package: autotrace; Maintainer for autotrace is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 28 Mar 2014 12:27:07 UTC

Owned by: dirson@debian.org

Severity: grave

Tags: patch, security

Found in version autotrace/0.31.1-15

Fixed in version autotrace/0.31.1-16+nmu1

Done: Yann Dirson <dirson@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>:
Bug#742873; Package autotrace. (Fri, 28 Mar 2014 12:27:11 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>. (Fri, 28 Mar 2014 12:27:11 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: autotrace: CVE-2013-1953
Date: Fri, 28 Mar 2014 13:13:01 +0100
Package: autotrace
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=951257

Cheers,
        Moritz



Owner recorded as dirson@debian.org. Request was from ydirson@free.fr to control@bugs.debian.org. (Sat, 15 Nov 2014 14:57:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org:
Bug#742873; Package autotrace. (Sat, 15 Nov 2014 16:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to ydirson@free.fr:
Extra info received and forwarded to list. Copy sent to Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org. (Sat, 15 Nov 2014 16:51:04 GMT) (full text, mbox, link).


Message #12 received at 742873@bugs.debian.org (full text, mbox, reply):

From: ydirson@free.fr
To: 742873@bugs.debian.org, control@bugs.debian.org
Subject: Patch for #742873
Date: Sat, 15 Nov 2014 17:49:38 +0100 (CET)
tags 742873 + patch
thanks

Too bad it's too late for jessie...

From 18bbc237763955c150da72daf9be2b9702fefb0a Mon Sep 17 00:00:00 2001
From: Yann Dirson <ydirson@free.fr>
Date: Sat, 15 Nov 2014 16:45:50 +0000
Subject: [PATCH] Fix CVE-2013-1953

---
 debian/changelog                   |  8 ++++++++
 debian/patches/CVE-2013-1953.patch | 11 +++++++++++
 debian/patches/series              |  1 +
 3 files changed, 20 insertions(+)
 create mode 100644 debian/patches/CVE-2013-1953.patch

diff --git a/debian/changelog b/debian/changelog
index a12c511..42fdfc8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+autotrace (0.31.1-16+nmu1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix buffer overflow (Closes: #742873, CVE-2013-1953), patch from
+    https://bugzilla.redhat.com/show_bug.cgi?id=951257.
+
+ -- Yann Dirson <dirson@debian.org>  Sat, 15 Nov 2014 16:45:25 +0100
+
 autotrace (0.31.1-16) unstable; urgency=low
 
   * Bumped Standards-Version to 3.9.2
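Review bot: urgency=low on the new entry (`+autotrace (0.31.1-16+nmu1) unstable; urgency=low`) is worth reconsidering for a severity-grave security fix; a higher urgency shortens the testing migration delay, which matters given the remark above that the fix already missed jessie. Consider also naming the affected source file (input-bmp.c) in the changelog bullet, so the entry records where the overflow was and not only the bug and CVE numbers.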
diff --git a/debian/patches/CVE-2013-1953.patch b/debian/patches/CVE-2013-1953.patch
new file mode 100644
index 0000000..bcf12f6
--- /dev/null
+++ b/debian/patches/CVE-2013-1953.patch
@@ -0,0 +1,11 @@
+--- autotrace-0.31.1/input-bmp.c.orig	2002-10-10 22:44:08.000000000 +0200
++++ autotrace-0.31.1/input-bmp.c.orig	2013-06-28 10:24:58.336056959 +0200
+@@ -166,7 +166,7 @@ input_bmp_reader (at_string filename,
+                                                         /* 36 */
+       Maps = 4;
+     }
+-  else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
++  else if (Bitmap_File_Head.biSize >= 40 && Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
+     {
+       if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))
+ 	{
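Review bot: both file headers of the embedded patch name `input-bmp.c.orig` (`+--- autotrace-0.31.1/input-bmp.c.orig` and `++++ autotrace-0.31.1/input-bmp.c.orig`), but the file being fixed is `input-bmp.c`; under quilt with -p1 neither name exists in the unpacked source, so confirm the patch actually lands on `input-bmp.c` rather than prompting or being applied to a stray `.orig` copy, and rewrite the headers to `a/input-bmp.c` / `b/input-bmp.c`. The patch file also lacks a DEP-3 header; add Description, Origin (the Red Hat bugzilla URL cited in the changelog) and Bug-Debian lines. On the logic itself, the added lower bound `Bitmap_File_Head.biSize >= 40` keeps `Bitmap_File_Head.biSize - 4` in the ReadOK call within the 36..60 range the branch expects; what now happens to headers with biSize below 40 that fall through to the following else branch is not visible in the hunk, so check that branch rejects the file instead of continuing with an unfilled header.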
diff --git a/debian/patches/series b/debian/patches/series
index cb1473f..f559677 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ output-pdf.c.patch
 output-pstoedit.c.patch
 output-pstoedit.h.patch
 README.patch
+CVE-2013-1953.patch
-- 
2.1.3




Added tag(s) patch. Request was from ydirson@free.fr to control@bugs.debian.org. (Sat, 15 Nov 2014 16:51:17 GMT) (full text, mbox, link).


Marked as found in versions autotrace/0.31.1-15. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 17 Nov 2014 19:21:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org:
Bug#742873; Package autotrace. (Tue, 16 Dec 2014 22:09:11 GMT) (full text, mbox, link).


Acknowledgement sent to yoh@onerussian.com:
Extra info received and forwarded to list. Copy sent to Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org. (Tue, 16 Dec 2014 22:09:11 GMT) (full text, mbox, link).


Message #21 received at 742873@bugs.debian.org (full text, mbox, reply):

From: Yaroslav Halchenko <debian@onerussian.com>
To: ydirson@free.fr
Cc: 742873@bugs.debian.org
Subject: Re: Patch for #742873
Date: Tue, 16 Dec 2014 17:05:53 -0500
On Sat, 15 Nov 2014, ydirson@free.fr wrote:

> tags 742873 + patch
> thanks

> Too bad it's too late for jessie...

> >From 18bbc237763955c150da72daf9be2b9702fefb0a Mon Sep 17 00:00:00 2001
> From: Yann Dirson <ydirson@free.fr>
> Date: Sat, 15 Nov 2014 16:45:50 +0000
> Subject: [PATCH] Fix CVE-2013-1953

thanks for the patch -- would you mind uploading this NMU? or do you need
sponsorship?

then, if someone needs it, I could provide a backport build for jessie
from neurodebian (before jessie even gets released)

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist,            Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        



Information forwarded to debian-bugs-dist@lists.debian.org, Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org:
Bug#742873; Package autotrace. (Tue, 16 Dec 2014 22:21:10 GMT) (full text, mbox, link).


Acknowledgement sent to Yann Dirson <ydirson@free.fr>:
Extra info received and forwarded to list. Copy sent to Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>, dirson@debian.org. (Tue, 16 Dec 2014 22:21:10 GMT) (full text, mbox, link).


Message #26 received at 742873@bugs.debian.org (full text, mbox, reply):

From: Yann Dirson <ydirson@free.fr>
To: yoh@onerussian.com
Cc: 742873@bugs.debian.org
Subject: Re: Patch for #742873
Date: Tue, 16 Dec 2014 23:17:17 +0100
On Tue, Dec 16, 2014 at 05:05:53PM -0500, Yaroslav Halchenko wrote:
> 
> On Sat, 15 Nov 2014, ydirson@free.fr wrote:
> 
> > tags 742873 + patch
> > thanks
> 
> > Too bad it's too late for jessie...
> 
> > >From 18bbc237763955c150da72daf9be2b9702fefb0a Mon Sep 17 00:00:00 2001
> > From: Yann Dirson <ydirson@free.fr>
> > Date: Sat, 15 Nov 2014 16:45:50 +0000
> > Subject: [PATCH] Fix CVE-2013-1953
> 
> thanks for the patch -- would you mind uploading this NMU? or you need
> sponsorship?

I had meant to upload it, but somehow forgot, will do!



Reply sent to Yann Dirson <dirson@debian.org>:
You have taken responsibility. (Tue, 16 Dec 2014 23:06:16 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 16 Dec 2014 23:06:16 GMT) (full text, mbox, link).


Message #31 received at 742873-close@bugs.debian.org (full text, mbox, reply):

From: Yann Dirson <dirson@debian.org>
To: 742873-close@bugs.debian.org
Subject: Bug#742873: fixed in autotrace 0.31.1-16+nmu1
Date: Tue, 16 Dec 2014 23:03:50 +0000
Source: autotrace
Source-Version: 0.31.1-16+nmu1

We believe that the bug you reported is fixed in the latest version of
autotrace, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742873@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yann Dirson <dirson@debian.org> (supplier of updated autotrace package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 15 Nov 2014 16:45:25 +0100
Source: autotrace
Binary: autotrace libautotrace3 libautotrace-dev
Architecture: source amd64
Version: 0.31.1-16+nmu1
Distribution: unstable
Urgency: low
Maintainer: Edgar Antonio Palma de la Cruz <xbytemx@gmail.com>
Changed-By: Yann Dirson <dirson@debian.org>
Description:
 autotrace  - bitmap to vector graphics converter
 libautotrace-dev - bitmap to vector graphics converter, development files
 libautotrace3 - bitmap to vector graphics converter, shared library files
Closes: 742873
Changes:
 autotrace (0.31.1-16+nmu1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix buffer overflow (Closes: #742873, CVE-2013-1953), patch from
     https://bugzilla.redhat.com/show_bug.cgi?id=951257.
Checksums-Sha1:
 43f63341e2830c4d3b63b9144c167f0a43c6c2fc 1980 autotrace_0.31.1-16+nmu1.dsc
 a5b45cc0f6b6e25d9338983a5f94a7066bddf917 175308 autotrace_0.31.1-16+nmu1.debian.tar.xz
 6b818c96840b045b87036fbe2f75dab4a3122ffe 48818 autotrace_0.31.1-16+nmu1_amd64.deb
 2bc3930d705c1278cfd2680a0e53190686043ace 103590 libautotrace3_0.31.1-16+nmu1_amd64.deb
 1fc797cfc928f4b7ce316eebc2dc31d3a18cba8b 117420 libautotrace-dev_0.31.1-16+nmu1_amd64.deb
Checksums-Sha256:
 1c9aa95df8d0cf022f4067a48308cfa77bf37b64655ed706b44c2e8b83bbd17f 1980 autotrace_0.31.1-16+nmu1.dsc
 66612cb992adadf4bd0ff49ffd0b833238250009d7c43c2b6f6efd8664c1ad89 175308 autotrace_0.31.1-16+nmu1.debian.tar.xz
 2c963349314a97454d05abe78091181beae97bd9909f58b1f831520fa840bf23 48818 autotrace_0.31.1-16+nmu1_amd64.deb
 9d22a27660b1e1142697585bcb3a0edc1452a786bb9f6f9dc199e3ff0ee65aa0 103590 libautotrace3_0.31.1-16+nmu1_amd64.deb
 fa679315000a83c148778cb1b98af38a6a988cb6dd3041f174d0ec3f8cb8c51c 117420 libautotrace-dev_0.31.1-16+nmu1_amd64.deb
Files:
 66b474716b13e0c2621b695f25931608 1980 graphics optional autotrace_0.31.1-16+nmu1.dsc
 ac9988b9c05cd1ba13591e96af254a7f 175308 graphics optional autotrace_0.31.1-16+nmu1.debian.tar.xz
 f337a4216bc067bd433cea43b707494a 48818 graphics optional autotrace_0.31.1-16+nmu1_amd64.deb
 de7399789f9e50eebd58f19151337832 103590 libs optional libautotrace3_0.31.1-16+nmu1_amd64.deb
 dc985eefe65484d446c35768f4560549 117420 libdevel optional libautotrace-dev_0.31.1-16+nmu1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:50:37 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:00:45 2019; Machine Name: buxtehude
