Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #812362,
regarding jessie-pu: package giflib/4.1.6-11+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
812362: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812362
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package giflib/4.1.6-11+deb8u1
- From: Guido Günther <agx@sigxcpu.org>
- Date: Fri, 22 Jan 2016 19:49:11 +0100
- Message-id: <20160122184911.GA2537@bogon.m.sigxcpu.org>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, I'd like to fix CVE-2015-7555 via jessie-pu since the bug is fixed in Squeeze LTS and we try to not introduce new security issues when people upgrade (the Debian security team marked this CVE as no-dsa). Please find the debdiff attached. Cheers, -- Guido -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)diff --git a/debian/changelog b/debian/changelog index d1fa6ba..d35e960 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +giflib (4.1.6-11+deb8u1) stable-proposed-updates; urgency=medium + + * Non-maintainer upload by the LTS Security Team. + * CVE-2015-7555: bail out if Width > SWidth. + Cherry-picked upstream commit 179510be300bf11115e37528d79619b53c884a63 + (Closes: #808704) + + -- Guido Günther <agx@sigxcpu.org> Mon, 18 Jan 2016 17:08:39 +0100 + giflib (4.1.6-11) unstable; urgency=low * Remove Provides: libungif4g. diff --git a/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch b/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch new file mode 100644 index 0000000..e660bea --- /dev/null +++ b/debian/patches/CVE-2015-7555-bail-out-if-Width-SWidth.patch 
@@ -0,0 +1,22 @@ +From: "Eric S. Raymond" <esr@thyrsus.com> +Date: Tue, 5 Jan 2016 23:01:45 -0500 +Subject: CVE-2015-7555: bail out if Width > SWidth + +Cherry-picked upstream commit 179510be300bf11115e37528d79619b53c884a63 +--- + util/giffix.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/giffix.c b/util/giffix.c +index 247305e..408d429 100644 +--- a/util/giffix.c ++++ b/util/giffix.c +@@ -137,6 +137,8 @@ int main(int argc, char **argv) + Height = GifFileIn->Image.Height; + GifQprintf("\n%s: Image %d at (%d, %d) [%dx%d]: ", + PROGRAM_NAME, ++ImageNum, Col, Row, Width, Height); ++ if (Width > GifFileIn->SWidth) ++ GIF_EXIT("Image is wider than total"); + + /* Put the image descriptor to out file: */ + if (EGifPutImageDesc(GifFileOut, Col, Row, Width, Height, diff --git a/debian/patches/series b/debian/patches/series index 3bcfb21..e297c1f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 02-doc_fixes.patch 03-spelling_fixes.patch 04-fprintf_format_error.patch +CVE-2015-7555-bail-out-if-Width-SWidth.patch
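Review bot: the new guard in the util/giffix.c hunk only compares Width against GifFileIn->SWidth; the Height read a few lines above it is never compared with the logical screen height (GifFileIn->SHeight in giflib's GifFileType), and an image placed at a non-zero Col can still extend past the screen even when Width alone fits, so consider `if (Col + Width > GifFileIn->SWidth || Row + Height > GifFileIn->SHeight)` or at least track the Height case in a follow-up. The message "Image is wider than total" would also read more clearly as "Image is wider than screen", though keeping the upstream cherry-pick (179510be) byte-for-byte is a defensible trade-off for a stable update.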
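Review bot: the debian/changelog entry "CVE-2015-7555: bail out if Width > SWidth" does not say where the check lives; the diffstat of the new patch shows the change is confined to util/giffix.c, so stating that the fix is in the giffix utility rather than the shared library would help users judge whether they are affected. The entry otherwise matches the version in the bug subject and records the upstream commit hash and Closes: #808704, which is what is needed to trace the change.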
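Review bot: the new line in debian/patches/series drops the numeric prefix the existing patches use (02-, 03-, 04-); naming the file 05-CVE-2015-7555-bail-out-if-Width-SWidth.patch would keep the series ordered consistently, with the new-file header above renamed to match.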
--- End Message ---
--- Begin Message ---
- To: 784679-done@bugs.debian.org, 784915-done@bugs.debian.org, 785047-done@bugs.debian.org, 785053-done@bugs.debian.org, 796947-done@bugs.debian.org, 797769-done@bugs.debian.org, 797906-done@bugs.debian.org, 798404-done@bugs.debian.org, 798949-done@bugs.debian.org, 801551-done@bugs.debian.org, 803199-done@bugs.debian.org, 804385-done@bugs.debian.org, 807969-done@bugs.debian.org, 810882-done@bugs.debian.org, 811024-done@bugs.debian.org, 811395-done@bugs.debian.org, 811425-done@bugs.debian.org, 812362-done@bugs.debian.org, 812500-done@bugs.debian.org, 812961-done@bugs.debian.org, 812990-done@bugs.debian.org, 813004-done@bugs.debian.org, 813071-done@bugs.debian.org, 813622-done@bugs.debian.org, 813645-done@bugs.debian.org, 814266-done@bugs.debian.org, 814269-done@bugs.debian.org, 814442-done@bugs.debian.org, 814651-done@bugs.debian.org, 815356-done@bugs.debian.org, 815469-done@bugs.debian.org, 815517-done@bugs.debian.org, 815520-done@bugs.debian.org, 815561-done@bugs.debian.org, 815598-done@bugs.debian.org, 815730-done@bugs.debian.org, 815788-done@bugs.debian.org, 816023-done@bugs.debian.org, 816033-done@bugs.debian.org, 816198-done@bugs.debian.org, 816243-done@bugs.debian.org, 816686-done@bugs.debian.org, 816697-done@bugs.debian.org, 816891-done@bugs.debian.org, 817015-done@bugs.debian.org, 817897-done@bugs.debian.org, 817970-done@bugs.debian.org, 817992-done@bugs.debian.org, 818006-done@bugs.debian.org, 818150-done@bugs.debian.org, 818532-done@bugs.debian.org, 818615-done@bugs.debian.org, 818620-done@bugs.debian.org, 818672-done@bugs.debian.org, 818679-done@bugs.debian.org, 818689-done@bugs.debian.org, 818801-done@bugs.debian.org, 819000-done@bugs.debian.org, 819031-done@bugs.debian.org, 819119-done@bugs.debian.org, 819201-done@bugs.debian.org, 819227-done@bugs.debian.org, 819243-done@bugs.debian.org, 819292-done@bugs.debian.org, 819326-done@bugs.debian.org, 819409-done@bugs.debian.org
- Subject: Fix included in stable
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 02 Apr 2016 14:20:04 +0100
- Message-id: <1459603204.2441.216.camel@adam-barratt.org.uk>
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable point release.

Regards,

Adam
--- End Message ---