[Git][debian-gis-team/freexl][master] 7 commits: New upstream version 1.0.5

Bas Couwenberg gitlab at salsa.debian.org
Thu Feb 22 21:22:03 UTC 2018


Bas Couwenberg pushed to branch master at Debian GIS Project / freexl


Commits:
f45c3aae by Bas Couwenberg at 2018-02-22T21:51:13+01:00
New upstream version 1.0.5
- - - - -
a0094dff by Bas Couwenberg at 2018-02-22T21:51:24+01:00
Merge tag 'upstream/1.0.5'

Upstream version 1.0.5

- - - - -
a853b8e8 by Bas Couwenberg at 2018-02-22T21:53:39+01:00
New upstream release.

Fixes security issues:
- https://bugzilla.redhat.com/show_bug.cgi?id=1547879
- https://bugzilla.redhat.com/show_bug.cgi?id=1547883
- https://bugzilla.redhat.com/show_bug.cgi?id=1547885
- https://bugzilla.redhat.com/show_bug.cgi?id=1547889
- https://bugzilla.redhat.com/show_bug.cgi?id=1547892

- - - - -
275b58cd by Bas Couwenberg at 2018-02-22T22:02:10+01:00
Drop obsolete dbg package.

- - - - -
1653bdd4 by Bas Couwenberg at 2018-02-22T22:02:10+01:00
Bump Standards-Version to 4.1.3, no changes.

- - - - -
c9874eaf by Bas Couwenberg at 2018-02-22T22:17:02+01:00
Add lintian override for debian-watch-uses-insecure-uri.

- - - - -
1f3c2431 by Bas Couwenberg at 2018-02-22T22:17:02+01:00
Set distribution to unstable.

- - - - -


9 changed files:

- config-msvc.h
- configure
- configure.ac
- debian/changelog
- debian/control
- debian/rules
- + debian/source/lintian-overrides
- headers/freexl.h
- src/freexl.c


Changes:

=====================================
config-msvc.h
=====================================
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -86,7 +86,7 @@
 #define PACKAGE_NAME "FreeXL"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "FreeXL 1.0.4"
+#define PACKAGE_STRING "FreeXL 1.0.5"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "freexl"
@@ -95,7 +95,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.0.4"
+#define PACKAGE_VERSION "1.0.5"
 
 /* Define to 1 if you have the ANSI C header files. */
 #define STDC_HEADERS 1
@@ -107,7 +107,7 @@
 /* #undef TM_IN_SYS_TIME */
 
 /* Version number of package */
-#define VERSION "1.0.4"
+#define VERSION "1.0.5"
 
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */


=====================================
configure
=====================================
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for FreeXL 1.0.4.
+# Generated by GNU Autoconf 2.69 for FreeXL 1.0.5.
 #
 # Report bugs to <a.furieri at lqt.it>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='FreeXL'
 PACKAGE_TARNAME='freexl'
-PACKAGE_VERSION='1.0.4'
-PACKAGE_STRING='FreeXL 1.0.4'
+PACKAGE_VERSION='1.0.5'
+PACKAGE_STRING='FreeXL 1.0.5'
 PACKAGE_BUGREPORT='a.furieri at lqt.it'
 PACKAGE_URL=''
 
@@ -1326,7 +1326,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures FreeXL 1.0.4 to adapt to many kinds of systems.
+\`configure' configures FreeXL 1.0.5 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1396,7 +1396,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of FreeXL 1.0.4:";;
+     short | recursive ) echo "Configuration of FreeXL 1.0.5:";;
    esac
   cat <<\_ACEOF
 
@@ -1508,7 +1508,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-FreeXL configure 1.0.4
+FreeXL configure 1.0.5
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2052,7 +2052,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by FreeXL $as_me 1.0.4, which was
+It was created by FreeXL $as_me 1.0.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2923,7 +2923,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='freexl'
- VERSION='1.0.4'
+ VERSION='1.0.5'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -17813,7 +17813,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by FreeXL $as_me 1.0.4, which was
+This file was extended by FreeXL $as_me 1.0.5, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -17879,7 +17879,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-FreeXL config.status 1.0.4
+FreeXL config.status 1.0.5
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 


=====================================
configure.ac
=====================================
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ(2.61)
-AC_INIT(FreeXL, 1.0.4, a.furieri at lqt.it)
+AC_INIT(FreeXL, 1.0.5, a.furieri at lqt.it)
 AC_LANG(C)
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_MACRO_DIR([m4])


=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,18 @@
-freexl (1.0.4-2) UNRELEASED; urgency=medium
-
-  * Change priority for libfreexl1-dbg from extra to optional.
-  * Bump Standards-Version to 4.1.1, changes: priority.
+freexl (1.0.5-1) unstable; urgency=high
+
+  * New upstream release. Fixes security issues:
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+    - https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+  * Bump Standards-Version to 4.1.3, no changes.
   * Strip trailing whitespace from changelog.
   * Update copyright-format URL to use HTTPS.
+  * Drop obsolete dbg package.
+  * Add lintian override for debian-watch-uses-insecure-uri.
 
- -- Bas Couwenberg <sebastic at debian.org>  Sun, 24 Sep 2017 12:51:11 +0200
+ -- Bas Couwenberg <sebastic at debian.org>  Thu, 22 Feb 2018 21:58:18 +0100
 
 freexl (1.0.4-1) unstable; urgency=medium
 


=====================================
debian/control
=====================================
--- a/debian/control
+++ b/debian/control
@@ -4,10 +4,10 @@ Uploaders: David Paleino <dapal at debian.org>,
            Bas Couwenberg <sebastic at debian.org>
 Section: libs
 Priority: optional
-Build-Depends: debhelper (>= 9~),
+Build-Depends: debhelper (>= 9.20160114),
                autotools-dev,
                dh-autoreconf
-Standards-Version: 4.1.1
+Standards-Version: 4.1.3
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/freexl.git
 Vcs-Git: https://anonscm.debian.org/git/pkg-grass/freexl.git
 Homepage: https://www.gaia-gis.it/fossil/freexl/
@@ -42,18 +42,3 @@ Description: library for direct reading of Microsoft Excel spreadsheets
  .
  This package contains the shared library.
 
-Package: libfreexl1-dbg
-Architecture: any
-Multi-Arch: same
-Section: debug
-Depends: libfreexl1 (= ${binary:Version}),
-         ${misc:Depends}
-Description: library for direct reading of Microsoft Excel spreadsheets - debug
- FreeXL is a C library implementing direct reading of Microsoft Excel
- spreadsheets, up to the BIFF8 file format specification (i.e. .xls, Microsoft
- Excel XP/2003 and older).
- The XML SS file format specification (.xlsx, Microsoft Excel 2007 and newer) is
- not supported.
- .
- This package contains the debugging symbols.
-


=====================================
debian/rules
=====================================
--- a/debian/rules
+++ b/debian/rules
@@ -21,5 +21,5 @@ override_dh_makeshlibs:
 	dh_makeshlibs -- -v$(UPSTREAM_VERSION)
 
 override_dh_strip:
-	dh_strip --dbg-package=libfreexl1-dbg
+	dh_strip --dbgsym-migration='libfreexl1-dbg (<< 1.0.5)'
 


=====================================
debian/source/lintian-overrides
=====================================
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,4 @@
+# HTTPS requests result in 403 Forbidden:
+# https://groups.google.com/d/topic/spatialite-users/f44JI1Lijeg/discussion
+freexl source: debian-watch-uses-insecure-uri http://www.gaia-gis.it/gaia-sins/*-sources
+


=====================================
headers/freexl.h
=====================================
--- a/headers/freexl.h
+++ b/headers/freexl.h
@@ -292,6 +292,11 @@ extern "C"
 #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY	-25 /**< The MiniFAT stream 
                                                      contains an invalid entry.
                                                      Possibly a corrupt file. */
+#define FREEXL_CRAFTED_FILE			-26 /**< A severely corrupted file
+                                                 (may be purposely crafted for 
+                                                 malicious purposes) has been 
+                                                 detected. */
+
 
     /**
      Container for a cell value
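Review bot: The two middle lines of the new doc comment for `FREEXL_CRAFTED_FILE` end in trailing whitespace (`crafted for ` and `purposes `), and the hunk adds a second blank line after the macro that the neighbouring error-code entries do not have. Strip the trailing spaces and drop the duplicate blank line so the new entry matches the surrounding definitions; the value -26 itself follows the existing sequence correctly.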


=====================================
src/freexl.c
=====================================
--- a/src/freexl.c
+++ b/src/freexl.c
@@ -1109,6 +1109,11 @@ allocate_cells (biff_workbook * workbook)
 	return FREEXL_INSUFFICIENT_MEMORY;
 
 /* allocating the cell values array */
+    if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
+      {
+	  workbook->active_sheet->cell_values = NULL;
+	  return FREEXL_OK;
+      }
     workbook->active_sheet->cell_values =
 	malloc (sizeof (biff_cell_value) *
 		(workbook->active_sheet->rows *
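Review bot: The new guard computes `rows * columns` before testing it, so a crafted file carrying large values in both fields can overflow the product (undefined behaviour if the fields are signed, as the `<= 0` comparison suggests), and the same unchecked product then sizes the `malloc` on the lines that follow. Test the factors separately and bound the product before multiplying, e.g. `if (rows <= 0 || columns <= 0) { workbook->active_sheet->cell_values = NULL; return FREEXL_OK; }` followed by `if ((size_t) rows > SIZE_MAX / sizeof (biff_cell_value) / (size_t) columns) return FREEXL_CRAFTED_FILE;`. The field types are not visible in this hunk, so confirm them before choosing the casts. allocate_cells starts before the hunk and its body continues after it.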
@@ -1801,6 +1806,12 @@ parse_SST (biff_workbook * workbook, int swap)
 		      unsigned int i;
 		      for (i = 0; i < len; i++)
 			{
+			    if (p_string - workbook->record >=
+				workbook->record_size)
+			      {
+				  /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
+				  return FREEXL_CRAFTED_FILE;
+			      }
 			    *(utf16_buf + (utf16_off * 2) + (i * 2)) =
 				*p_string;
 			    p_string++;
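Review bot: The bounds check added inside the byte-copy loop re-evaluates `p_string - workbook->record >= workbook->record_size` on every iteration although `len` is already known; a single test before the loop, `if (len > workbook->record_size - (p_string - workbook->record)) return FREEXL_CRAFTED_FILE;`, rejects the record once and leaves the loop body a plain copy (mind the signedness of `record_size` if it is an unsigned type). The guard also covers only the source: the destination index `utf16_off * 2 + i * 2` into `utf16_buf` is not bounded anywhere in this hunk, so confirm where `utf16_buf` is allocated that it was sized for `len` characters. The comment misspells "presumable" as `preasumable`, a typo repeated in the later hunks of this file. The enclosing loop and parse_SST continue outside the hunk.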
@@ -1912,6 +1923,11 @@ parse_SST (biff_workbook * workbook, int swap)
 		return FREEXL_OK;
 	    }
 
+	  if (len <= 0)
+	    {
+		/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+		return FREEXL_CRAFTED_FILE;
+	    }
 	  if (!parse_unicode_string
 	      (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
 	      return FREEXL_INVALID_CHARACTER;
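Review bot: The new `len <= 0` guard before `parse_unicode_string` rejects the zero-length case but puts no upper bound on `len`, and nothing in this hunk shows that the callee compares `len` against the bytes left in `workbook->record`, so an oversized length in a crafted file would still drive the read past the record. Extend the guard with a remaining-bytes test of the shape `len > workbook->record_size - (p_string - workbook->record)` (with `len` doubled when `utf16` is set), or confirm that `parse_unicode_string` bounds the read itself. The same guard is added in the three following hunks of parse_biff_record (after `len = workbook->record[6]` and at the two `p_string += start_offset` sites) and the same remark applies there; in the `record[6]` case `len` comes from a single byte, so if `record` is `unsigned char` the `<= 0` test reduces to `== 0`. parse_SST continues outside this hunk.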
@@ -3070,6 +3086,11 @@ parse_biff_record (biff_workbook * workbook, int swap)
 	  if (swap)
 	      swap32 (&offset);
 	  len = workbook->record[6];
+	  if (len <= 0)
+	    {
+		/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+		return FREEXL_CRAFTED_FILE;
+	    }
 	  if (workbook->biff_version == FREEXL_BIFF_VER_5)
 	    {
 		/* BIFF5: codepage text */
@@ -3229,6 +3250,11 @@ parse_biff_record (biff_workbook * workbook, int swap)
 		get_unicode_params (p_string, swap, &start_offset, &utf16,
 				    &extra_skip);
 		p_string += start_offset;
+		if (len <= 0)
+		  {
+		      /* zero length - it's a preasumable crafted file intended to crash FreeXL */
+		      return FREEXL_CRAFTED_FILE;
+		  }
 		if (!parse_unicode_string
 		    (workbook->utf16_converter, len, utf16, p_string,
 		     &utf8_string))
@@ -3623,6 +3649,11 @@ parse_biff_record (biff_workbook * workbook, int swap)
 		get_unicode_params (p_string, swap, &start_offset, &utf16,
 				    &extra_skip);
 		p_string += start_offset;
+		if (len <= 0)
+		  {
+		      /* zero length - it's a preasumable crafted file intended to crash FreeXL */
+		      return FREEXL_CRAFTED_FILE;
+		  }
 		if (!parse_unicode_string
 		    (workbook->utf16_converter, len, utf16, p_string,
 		     &utf8_string))
@@ -3905,6 +3936,9 @@ read_mini_biff_next_record (biff_workbook * workbook, int swap, int *errcode)
     workbook->record_type = record_type.value;
     workbook->record_size = record_size.value;
 
+    if (workbook->record_size >= 8192)
+	return 0;		/* malformed or crafted file */
+
     if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
 	(int) workbook->size)
 	return 0;		/* unexpected EOF */
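Review bot: The new upper bound `workbook->record_size >= 8192` is a bare magic number beside a comment that does not say why this limit was chosen; name it, e.g. `enum { MAX_MINI_RECORD_SIZE = 8192 }; /* constructed name */`, and state the rationale in the comment. If I recall the BIFF8 specification correctly its maximum record data length is 8224 bytes, so a legitimate record between 8192 and 8223 would now be reported as malformed; confirm whether 8192 or the specification limit is intended. Like the existing "unexpected EOF" return below it, the new early return leaves `*errcode` untouched, so if callers read `errcode` consider `*errcode = FREEXL_CRAFTED_FILE;` before returning to distinguish a rejected record from end of data. read_mini_biff_next_record starts before the hunk and continues after it.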




