a2ps/CVE-2014-0466.diff

Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER
 A malicious PostScript file could delete files with the privileges of
 the invoking user.
Origin: vendor
Bug-Debian: http://bugs.debian.org/742902
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-03-28

diff -rupN a2ps-4.14.old/contrib/fixps.in a2ps-4.14/contrib/fixps.in
--- a2ps-4.14.old/contrib/fixps.in	2007-12-28 19:29:01.000000000 -0800
+++ a2ps-4.14/contrib/fixps.in	2014-08-06 21:11:17.114518845 -0700
@@ -389,7 +389,7 @@ if test $task != check; then
   	eval "$command" ;;
       gs)
         $verbose "$program: making a full rewrite of the file ($gs)." >&2
-  	$gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
+  	$gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
     esac
   )
 fi
diff -rupN a2ps-4.14.old/contrib/fixps.m4 a2ps-4.14/contrib/fixps.m4
--- a2ps-4.14.old/contrib/fixps.m4	2007-12-28 18:11:47.000000000 -0800
+++ a2ps-4.14/contrib/fixps.m4	2014-08-06 21:11:40.529942880 -0700
@@ -307,7 +307,7 @@ if test $task != check; then
   	eval "$command" ;;
       gs)
         $verbose "$program: making a full rewrite of the file ($gs)." >&2
-  	$gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
+  	$gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
     esac
   )
 fi
. OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=31 2014-03-31 10:09:40 +02:00			`Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER`
			`A malicious PostScript file could delete files with the privileges of`
			`the invoking user.`
			`Origin: vendor`
			`Bug-Debian: http://bugs.debian.org/742902`
			`Author: Salvatore Bonaccorso <carnil@debian.org>`
			`Last-Update: 2014-03-28`

Accepting request 243897 from home:sfalken:branches:Publishing - Updated to 4.14 * No UTF-8 Support yet, Basically a maintenance release. * GNU a2ps is now licensed under GPLv3 or later * Can now be built with Modern GNU Autotools, and gcc>=3.4 * Numerous minor bugfixes, including: * input buffer overflow * IA64, PPC, and AMD64 fixes * Several security issues (CVE-2004-1377) * Addition of a number of new stylesheets * Translations for Japanese, Dutch, and French added/updated - Patches rebased for 4.14 sources * Added: a2ps-4.14-acroread.patch a2ps-4.14-linker.patch a2ps-4.14-ogonkify.patch a2ps-4.14-tempfile.patch a2ps-4.14.diff * Removed: a2ps-4.13.acroread.patch a2ps-4.13.linker.patch a2ps-4.13-ogonkify.patch a2ps-4.13-tempfile.patch a2ps-4.13.dif a2ps-4.13-gv-arguments.patch a2ps-4.13-nb.patch a2ps-4.13-space.patch * Modified: CVE-2014-0466.diff - Deleted a2ps-4.13.tar.gz, replaced with a2ps-4.14.tar.gz - a2ps.spec cleanup, and updating to work with new sources. OBS-URL: https://build.opensuse.org/request/show/243897 OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=36 2014-08-09 20:32:57 +02:00			`diff -rupN a2ps-4.14.old/contrib/fixps.in a2ps-4.14/contrib/fixps.in`
			`--- a2ps-4.14.old/contrib/fixps.in 2007-12-28 19:29:01.000000000 -0800`
			`+++ a2ps-4.14/contrib/fixps.in 2014-08-06 21:11:17.114518845 -0700`
			`@@ -389,7 +389,7 @@ if test $task != check; then`
. OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=31 2014-03-31 10:09:40 +02:00			`eval "$command" ;;`
			`gs)`
			`$verbose "$program: making a full rewrite of the file ($gs)." >&2`
Accepting request 243897 from home:sfalken:branches:Publishing - Updated to 4.14 * No UTF-8 Support yet, Basically a maintenance release. * GNU a2ps is now licensed under GPLv3 or later * Can now be built with Modern GNU Autotools, and gcc>=3.4 * Numerous minor bugfixes, including: * input buffer overflow * IA64, PPC, and AMD64 fixes * Several security issues (CVE-2004-1377) * Addition of a number of new stylesheets * Translations for Japanese, Dutch, and French added/updated - Patches rebased for 4.14 sources * Added: a2ps-4.14-acroread.patch a2ps-4.14-linker.patch a2ps-4.14-ogonkify.patch a2ps-4.14-tempfile.patch a2ps-4.14.diff * Removed: a2ps-4.13.acroread.patch a2ps-4.13.linker.patch a2ps-4.13-ogonkify.patch a2ps-4.13-tempfile.patch a2ps-4.13.dif a2ps-4.13-gv-arguments.patch a2ps-4.13-nb.patch a2ps-4.13-space.patch * Modified: CVE-2014-0466.diff - Deleted a2ps-4.13.tar.gz, replaced with a2ps-4.14.tar.gz - a2ps.spec cleanup, and updating to work with new sources. OBS-URL: https://build.opensuse.org/request/show/243897 OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=36 2014-08-09 20:32:57 +02:00			`- $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;`
			`+ $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;`
. OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=31 2014-03-31 10:09:40 +02:00			`esac`
			`)`
			`fi`
Accepting request 243897 from home:sfalken:branches:Publishing - Updated to 4.14 * No UTF-8 Support yet, Basically a maintenance release. * GNU a2ps is now licensed under GPLv3 or later * Can now be built with Modern GNU Autotools, and gcc>=3.4 * Numerous minor bugfixes, including: * input buffer overflow * IA64, PPC, and AMD64 fixes * Several security issues (CVE-2004-1377) * Addition of a number of new stylesheets * Translations for Japanese, Dutch, and French added/updated - Patches rebased for 4.14 sources * Added: a2ps-4.14-acroread.patch a2ps-4.14-linker.patch a2ps-4.14-ogonkify.patch a2ps-4.14-tempfile.patch a2ps-4.14.diff * Removed: a2ps-4.13.acroread.patch a2ps-4.13.linker.patch a2ps-4.13-ogonkify.patch a2ps-4.13-tempfile.patch a2ps-4.13.dif a2ps-4.13-gv-arguments.patch a2ps-4.13-nb.patch a2ps-4.13-space.patch * Modified: CVE-2014-0466.diff - Deleted a2ps-4.13.tar.gz, replaced with a2ps-4.14.tar.gz - a2ps.spec cleanup, and updating to work with new sources. OBS-URL: https://build.opensuse.org/request/show/243897 OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=36 2014-08-09 20:32:57 +02:00			`diff -rupN a2ps-4.14.old/contrib/fixps.m4 a2ps-4.14/contrib/fixps.m4`
			`--- a2ps-4.14.old/contrib/fixps.m4 2007-12-28 18:11:47.000000000 -0800`
			`+++ a2ps-4.14/contrib/fixps.m4 2014-08-06 21:11:40.529942880 -0700`
			`@@ -307,7 +307,7 @@ if test $task != check; then`
. OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=31 2014-03-31 10:09:40 +02:00			`eval "$command" ;;`
			`gs)`
			`$verbose "$program: making a full rewrite of the file ($gs)." >&2`
Accepting request 243897 from home:sfalken:branches:Publishing - Updated to 4.14 * No UTF-8 Support yet, Basically a maintenance release. * GNU a2ps is now licensed under GPLv3 or later * Can now be built with Modern GNU Autotools, and gcc>=3.4 * Numerous minor bugfixes, including: * input buffer overflow * IA64, PPC, and AMD64 fixes * Several security issues (CVE-2004-1377) * Addition of a number of new stylesheets * Translations for Japanese, Dutch, and French added/updated - Patches rebased for 4.14 sources * Added: a2ps-4.14-acroread.patch a2ps-4.14-linker.patch a2ps-4.14-ogonkify.patch a2ps-4.14-tempfile.patch a2ps-4.14.diff * Removed: a2ps-4.13.acroread.patch a2ps-4.13.linker.patch a2ps-4.13-ogonkify.patch a2ps-4.13-tempfile.patch a2ps-4.13.dif a2ps-4.13-gv-arguments.patch a2ps-4.13-nb.patch a2ps-4.13-space.patch * Modified: CVE-2014-0466.diff - Deleted a2ps-4.13.tar.gz, replaced with a2ps-4.14.tar.gz - a2ps.spec cleanup, and updating to work with new sources. OBS-URL: https://build.opensuse.org/request/show/243897 OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=36 2014-08-09 20:32:57 +02:00			`- $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;`
			`+ $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;`
. OBS-URL: https://build.opensuse.org/package/show/Publishing/a2ps?expand=0&rev=31 2014-03-31 10:09:40 +02:00			`esac`
			`)`
			`fi`