inkscape: CVE-2012-5656


Debian Bug report logs - #696485


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 21 Dec 2012 12:57:01 UTC

Severity: grave

Tags: confirmed, fixed-upstream, patch, security, upstream

Fixed in version inkscape/0.48.3.1-1.2

Done: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/bugs/1025185



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Wolfram Quester <wolfi@sigxcpu.org>:
Bug#696485; Package inkscape. (Fri, 21 Dec 2012 12:57:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Wolfram Quester <wolfi@sigxcpu.org>. (Fri, 21 Dec 2012 12:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: inkscape: CVE-2012-5656
Date: Fri, 21 Dec 2012 13:51:28 +0100
Package: inkscape
Severity: grave
Tags: security
Justification: user security hole

Hi,
CVE-2012-5656 was assigned to this security issue:
https://bugs.launchpad.net/inkscape/+bug/1025185

Fix: http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@sigxcpu.org>:
Bug#696485; Package inkscape. (Fri, 21 Dec 2012 17:57:03 GMT)


Acknowledgement sent to Alex Valavanis <valavanisalex@gmail.com>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@sigxcpu.org>. (Fri, 21 Dec 2012 17:57:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Alex Valavanis <valavanisalex@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Debian Bug Tracking System <submit@bugs.debian.org>, control@bugs.debian.org
Subject: Re: Bug#696485: inkscape: CVE-2012-5656
Date: Fri, 21 Dec 2012 17:55:39 +0000
[Message part 1 (text/plain, inline)]
fowarded 696485 https://bugs.launchpad.net/inkscape/+bug/
thanks

Note that this issue is fixed upstream in Inkscape 0.48.4 along with many
other bugs. It would be a good idea to upgrade the package soon.
> Package: inkscape
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> CVE-2012-5656 was assigned to this security issue:
> https://bugs.launchpad.net/inkscape/+bug/1025185
>
> Fix: http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931
>
> Cheers,
>         Moritz

Set Bug forwarded-to-address to 'https://bugs.launchpad.net/bugs/1025185'. Request was from Alex Valavanis <valavanisalex@gmail.com> to control@bugs.debian.org. (Fri, 21 Dec 2012 19:12:03 GMT)


Added tag(s) upstream, confirmed, and fixed-upstream. Request was from Alex Valavanis <valavanisalex@gmail.com> to control@bugs.debian.org. (Fri, 21 Dec 2012 19:12:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@sigxcpu.org>:
Bug#696485; Package inkscape. (Sun, 23 Dec 2012 17:33:03 GMT)


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@sigxcpu.org>. (Sun, 23 Dec 2012 17:33:03 GMT)


Message #19 received at 696485@bugs.debian.org:

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Alex Valavanis <valavanisalex@gmail.com>, Wolfram Quester <wolfi@sigxcpu.org>, 696485@bugs.debian.org
Subject: Fix for Bug#696485: inkscape: CVE-2012-5656
Date: Sun, 23 Dec 2012 18:29:22 +0100
[Message part 1 (text/plain, inline)]
Hi there,

I have checked out the source for the Debian packaging from [1] and
ported the changes [2] to fix the vulnerability CVE-2012-5656. I have
created a patch and I would be willing to do an NMU to help close
this bug.

Cheers,

Adrian

[1] http://anonscm.debian.org/gitweb/?p=git/collab-maint/inkscape.git
[2] http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
[inkscape-CVE-2012-5656.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> to control@bugs.debian.org. (Sun, 23 Dec 2012 17:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@sigxcpu.org>:
Bug#696485; Package inkscape. (Mon, 24 Dec 2012 01:03:03 GMT)


Acknowledgement sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@sigxcpu.org>. (Mon, 24 Dec 2012 01:03:03 GMT)


Message #26 received at 696485@bugs.debian.org:

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: 696485@bugs.debian.org
Cc: Wolfram Quester <wolfi@sigxcpu.org>, Moritz Muehlenhoff <jmm@inutil.org>, Alex Valavanis <valavanisalex@gmail.com>
Subject: Re: Fix for Bug#696485: inkscape: CVE-2012-5656
Date: Mon, 24 Dec 2012 01:59:22 +0100
[Message part 1 (text/plain, inline)]
Hello,

After having a few problems building Inkscape (due to missing
libpoppler-private-dev as I checked out the Debian packaging source
from the git repository [1]), I managed to build Inkscape with my
patch (which also required an additional review).

I have committed all changes (including the previous NMU by Pino
Toscano) to the Debian packaging repository [1] and created patches
with git format-patch which can directly be applied, please find the
attached patches. Pino didn't seem to have his changes sent to the
Debian package maintainers of Inkscape (which is why his NMU doesn't
show up in the repository). Also, he made some changes to the previous
entry in the Debian changelog, which I ignored so that the changelog
will continue where the original Debian maintainer left off.

I have also attached my patch to fix CVE-2012-5656 and have
verified my changes to work with the demonstration from [2]; Inkscape
is no longer vulnerable with my patch. It would still be nice if
someone could review the patch, however, just to be double-safe.

In order to speed things up a bit, I have created an NMU and uploaded
my fixed package to the DELAYED queue with a delay of 5 days
[3]. Please feel free to remove the package from the queue if you are
unhappy with the changes.

PS: The Inkscape package contains lots of lintian warnings/errors
    which should be addressed in future uploads.

Cheers,

Adrian

[1] git://git.debian.org/git/collab-maint/inkscape.git
[2] https://bugs.launchpad.net/inkscape/+bug/1025185
[3] http://ftp-master.debian.org/deferred.html

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
[0001-switch-the-libpng12-dev-build-dependency-to-libpng-d.patch (text/x-diff, attachment)]
[0002-Update-Debian-changelog-for-0.48.3.1-1.1.patch (text/x-diff, attachment)]
[0003-Add-Debian-patch-to-fix-vulnerability-CVE-2012-5656.patch (text/x-diff, attachment)]
[0004-Update-Debian-changelog-for-0.48.3.1-1.2.patch (text/x-diff, attachment)]
[03-CVE-2012-5656.diff (text/x-diff, attachment)]

Reply sent to John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>:
You have taken responsibility. (Sat, 29 Dec 2012 01:06:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 29 Dec 2012 01:06:11 GMT)


Message #31 received at 696485-close@bugs.debian.org:

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: 696485-close@bugs.debian.org
Subject: Bug#696485: fixed in inkscape 0.48.3.1-1.2
Date: Sat, 29 Dec 2012 01:03:28 +0000
Source: inkscape
Source-Version: 0.48.3.1-1.2

We believe that the bug you reported is fixed in the latest version of
inkscape, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> (supplier of updated inkscape package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Dec 2012 00:58:56 +0100
Source: inkscape
Binary: inkscape
Architecture: source amd64
Version: 0.48.3.1-1.2
Distribution: unstable
Urgency: low
Maintainer: Wolfram Quester <wolfi@sigxcpu.org>
Changed-By: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Description: 
 inkscape   - vector-based drawing program
Closes: 696485
Changes: 
 inkscape (0.48.3.1-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Add Debian patch to fix vulnerability CVE-2012-5656 (Closes: #696485).
Checksums-Sha1: 
 bcb8edfb926d52efa6e3ffa11a90d61eb314eebf 2119 inkscape_0.48.3.1-1.2.dsc
 51fbd66702d188521086d3de792e158dd585122a 62553558 inkscape_0.48.3.1-1.2.tar.gz
 cbc483b0ec2c6fb4ba65743cbd688a7590763b63 24774774 inkscape_0.48.3.1-1.2_amd64.deb
Checksums-Sha256: 
 7168af1c5d024f3207c052e3e2448ce390c5d8e963f0a6929bc1534b53da9c13 2119 inkscape_0.48.3.1-1.2.dsc
 1af07668d40dbdbfb52d2577c8b7a54c7f69821b9a74a4f3af92c5e120cd8a9d 62553558 inkscape_0.48.3.1-1.2.tar.gz
 e816b8b31e066b34f27988f1f0e9407e668b8b9b552c080cbc57412fe06fbd12 24774774 inkscape_0.48.3.1-1.2_amd64.deb
Files: 
 b96bdc815cb92e1dfbe31731bbcbfc6f 2119 graphics optional inkscape_0.48.3.1-1.2.dsc
 cb2a09d9e469c02d9c478c4d8cbbd414 62553558 graphics optional inkscape_0.48.3.1-1.2.tar.gz
 2395eb1762faf3d6d88267b6496d1103 24774774 graphics optional inkscape_0.48.3.1-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
[PGP signature data omitted]
-----END PGP SIGNATURE-----
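The closing message above carries the upload's .changes stanzas (Checksums-Sha1, Checksums-Sha256, Files), which is what lets anyone who fetches the NMU files confirm they match what the uploader signed. The following is an added example, not part of the bug log or of the inkscape package: it parses a deb822-style checksum stanza and verifies files on disk against it, using the real Checksums-Sha256 lines from the message (only parsed, since the files are not available here) and a constructed .changes snippet whose file contents and hashes are made up for the demonstration.

```python
"""Parse and verify the Checksums-* stanza of a Debian .changes file.

Added example; the parsing follows the deb822 convention visible in the bug
log (a "Field:" line followed by continuation lines that start with a space).
"""
import hashlib
import os
import tempfile

# Real stanza copied from the "fixed in inkscape 0.48.3.1-1.2" message above.
INKSCAPE_SHA256_STANZA = (
    "Checksums-Sha256:\n"
    " 7168af1c5d024f3207c052e3e2448ce390c5d8e963f0a6929bc1534b53da9c13 2119 inkscape_0.48.3.1-1.2.dsc\n"
    " 1af07668d40dbdbfb52d2577c8b7a54c7f69821b9a74a4f3af92c5e120cd8a9d 62553558 inkscape_0.48.3.1-1.2.tar.gz\n"
    " e816b8b31e066b34f27988f1f0e9407e668b8b9b552c080cbc57412fe06fbd12 24774774 inkscape_0.48.3.1-1.2_amd64.deb\n"
    "Files:\n"
)


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum stanza.

    The stanza ends at the first line that does not start with a space.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            entries[name] = (digest.lower(), int(size))
    if not in_stanza:
        raise ValueError("no %s stanza found" % field)
    return entries


def verify_files(changes_text, directory, field="Checksums-Sha256", algo="sha256"):
    """Check every listed file under directory.

    Returns {filename: "ok" | "missing" | "size mismatch" | "checksum mismatch"}.
    Size is compared first so a truncated download is reported as such.
    """
    results = {}
    for name, (digest, size) in parse_checksums(changes_text, field).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.new(algo, data).hexdigest() != digest:
            results[name] = "checksum mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one absent file."""
    dsc = b"constructed .dsc content\n"
    tar_listed = b"constructed tarball content\n"
    tar_on_disk = b"constructed tarball CONTENT\n"   # same size, different bytes
    changes = (
        "Format: 1.8\n"
        "Source: example\n"
        "Checksums-Sha256:\n"
        " %s %d example_1.0-1.dsc\n"
        " %s %d example_1.0.tar.gz\n"
        " %s %d example_1.0-1_amd64.deb\n"
        "Files:\n"
    ) % (
        hashlib.sha256(dsc).hexdigest(), len(dsc),
        hashlib.sha256(tar_listed).hexdigest(), len(tar_listed),
        "0" * 64, 12345,   # placeholder digest; the .deb is never written
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example_1.0-1.dsc"), "wb") as f:
            f.write(dsc)
        with open(os.path.join(d, "example_1.0.tar.gz"), "wb") as f:
            f.write(tar_on_disk)
        return verify_files(changes, d)


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(INKSCAPE_SHA256_STANZA).items():
        print("%-36s %9d %s" % (name, size, digest))
    for name, status in demo().items():
        print("%-36s %s" % (name, status))
```

Verifying the checksum lines alone is not enough in practice: the stanza is trustworthy only because the whole .changes file is covered by the uploader's PGP signature, so the signature check (for example with gpg against the Debian keyring) comes first, and the file hashes are compared afterwards.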




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:23:48 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:05:21 2019; Machine Name: buxtehude
