gnu/packages/patches/a2ps-CVE-2014-0466.patch

   1 Description: CVE-2014-0466: fixps does not invoke gs with -dSAFER
   2  A malicious PostScript file could delete files with the privileges of
   3  the invoking user.
   4 Origin: vendor
   5 Bug-Debian: http://bugs.debian.org/742902
   6 Author: Salvatore Bonaccorso <carnil@debian.org>
   7 Last-Update: 2014-03-28
   8
   9 --- a/contrib/fixps.in
  10 +++ b/contrib/fixps.in
  11 @@ -389,7 +389,7 @@
  12         eval "$command" ;;
  13        gs)
  14          $verbose "$program: making a full rewrite of the file ($gs)." >&2
  15 -       $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
  16 +       $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
  17      esac
  18    )
  19  fi
  20 --- a/contrib/fixps.m4
  21 +++ b/contrib/fixps.m4
  22 @@ -307,7 +307,7 @@
  23         eval "$command" ;;
  24        gs)
  25          $verbose "$program: making a full rewrite of the file ($gs)." >&2
  26 -       $gs -q -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
  27 +       $gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pswrite -sOutputFile=- -c save pop -f $file ;;
  28      esac
  29    )
  30  fi