diff --git a/CVE-2014-0466.diff b/CVE-2014-0466.diff
new file mode 100644
index 0000000..82858ee
--- /dev/null
+++ b/CVE-2014-0466.diff
@@ -0,0 +1,30 @@
+Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER
+ A malicious PostScript file could delete files with the privileges of
+ the invoking user.
+Origin: vendor
+Bug-Debian: http://bugs.debian.org/742902
+Author: Salvatore Bonaccorso
+Last-Update: 2014-03-28
+
+--- a/contrib/fixps.in
++++ b/contrib/fixps.in
+@@ -389,7 +389,7 @@
+ eval "$command" ;;
+ gs)
+ $verbose "$program: making a full rewrite of the file ($gs)." >&2
+- $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;;
++ $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;;
+ esac
+ )
+ fi
+--- a/contrib/fixps.m4
++++ b/contrib/fixps.m4
+@@ -307,7 +307,7 @@
+ eval "$command" ;;
+ gs)
+ $verbose "$program: making a full rewrite of the file ($gs)." >&2
+- $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;;
++ $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f "$file" ;;
+ esac
+ )
+ fi
diff --git a/a2ps.changes b/a2ps.changes
index 2c563fa..6318fd2 100644
--- a/a2ps.changes
+++ b/a2ps.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Mar 31 08:08:37 UTC 2014 - werner@suse.de
+
+- Add patch CVE-2014-0466.diff to fix bnc#871097 - CVE-2014-0466:
+ fixps does not use -dSAFER
+
 -------------------------------------------------------------------
 Mon Dec 9 13:56:20 UTC 2013 - werner@suse.de
 
diff --git a/a2ps.spec b/a2ps.spec
index b5461c8..f695b53 100644
--- a/a2ps.spec
+++ b/a2ps.spec
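Review bot: The added `-dSAFER` reaches only the `gs)` arm of this `case`; the `eval "$command"` arm shown as context just above runs whatever `$command` holds, and the hunk does not show whether that can ever be a Ghostscript call, so it is worth confirming outside the hunk that no other path hands the input file to `gs` unrestricted. The `case` statement starts before the hunk in both `contrib/fixps.in` and `contrib/fixps.m4`, so the same check applies to each. I would also put a one-line comment above the call, for example `# -dSAFER: input may be untrusted PostScript; do not drop this flag`, so the option is not removed in a later cleanup. Keep in mind that `-dSAFER` limits the interpreter's file operators and is not a sandbox, so running fixps on untrusted files under a low-privilege account remains the safer practice.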
@@ -1,7 +1,7 @@
 #
 # spec file for package a2ps
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -62,6 +62,8 @@ Patch10: a2ps-4.13-types.patch
 Patch11: a2ps-4.13-psgen.patch
 Patch12: a2ps-4.13-gv-arguments.patch
 Patch13: a2ps-4.13-linker.patch
+# PATCH-FIX-USTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use -dSAFER
+Patch14: CVE-2014-0466.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -105,6 +107,7 @@ touch -r configure.in .ref
 %patch -P 11 -p 0 -b .psgen
 %patch -P 12 -p 1 -b .gvarg
 %patch -P 13 -p 0 -b .ldso
+%patch -P 14 -p 1 -b .cve140466
 %patch
 cp -f %SOURCE1 po/ko.po
 rename no nb po/no.*
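Review bot: The tag in the comment above `Patch14` is misspelled as `PATCH-FIX-USTREAM`, so anyone searching the spec for the standard patch tags will miss this security patch; it should read `# PATCH-FIX-UPSTREAM Bug 871097 - CVE-2014-0466: a2ps: fixps does not use -dSAFER`. Since the patch header gives its origin as `vendor` with a Debian bug reference, it is also worth checking whether the upstream tag is the right classification for it. The `-p 1` on the new `%patch -P 14` line in the last hunk is consistent with the `a/contrib/…` and `b/contrib/…` paths inside the patch.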