rpms/hugin/F-7 hugin-0.6.1-CVE-2007-5200.patch, NONE, 1.1 hugin.spec, 1.4, 1.5

Bruno Postle (bpostle) fedora-extras-commits at redhat.com
Mon Nov 5 22:07:40 UTC 2007


Author: bpostle

Update of /cvs/pkgs/rpms/hugin/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27548/F-7

Modified Files:
	hugin.spec 
Added Files:
	hugin-0.6.1-CVE-2007-5200.patch 
Log Message:
FC-6, F-7, F-8 and devel fixes for CVE-2007-5200 bug #332401


hugin-0.6.1-CVE-2007-5200.patch:

--- NEW FILE hugin-0.6.1-CVE-2007-5200.patch ---
Modified: hugin/branches/stable/src/Panorama/PTOptimise.cpp
===================================================================
--- hugin/tags/hugin-0-6-1/src/Panorama/PTOptimise.cpp	2007-10-24 19:30:32 UTC (rev 2491)
+++ hugin/branches/stable/src/Panorama/PTOptimise.cpp	2007-10-24 19:42:36 UTC (rev 2492)
@@ -36,9 +36,6 @@
 #include <boost/property_map.hpp>
 #include <boost/graph/graph_utility.hpp>
 
-#define DEBUG_WRITE_OPTIM_OUTPUT
-#define DEBUG_WRITE_OPTIM_OUTPUT_FILE "hugin_debug_optim_results.txt"
-
 using namespace std;
 using namespace PT;
 using namespace PTools;
@@ -132,13 +129,6 @@
 			RunLMOptimizer( &opt );
 			ainf.data		= opt.message;
             // get results from align info.
-#ifdef DEBUG_WRITE_OPTIM_OUTPUT
-            fullPath path;
-            StringtoFullPath(&path, DEBUG_WRITE_OPTIM_OUTPUT_FILE );
-
-		    ainf.data		= opt.message;
-            WriteResults( script, &path, &ainf, distSquared, 0);
-#endif
             pano.updateVariables(GetAlignInfoVariables(ainf) );
             pano.updateCtrlPointErrors( GetAlignInfoCtrlPoints(ainf) );
 		}

Modified: hugin/branches/stable/src/hugin/AutoCtrlPointCreator.cpp
===================================================================
--- hugin/tags/hugin-0-6-1/src/hugin/AutoCtrlPointCreator.cpp	2007-10-24 19:30:32 UTC (rev 2491)
+++ hugin/branches/stable/src/hugin/AutoCtrlPointCreator.cpp	2007-10-24 19:42:36 UTC (rev 2492)
@@ -225,7 +225,7 @@
 	}
 #endif
 
-    wxString ptofile(wxT("autopano_result_tempfile.pto"));
+    wxString ptofile = wxFileName::CreateTempFileName(wxT("ap_res"));
     autopanoArgs.Replace(wxT("%o"), ptofile);
     wxString tmp;
     tmp.Printf(wxT("%d"), nFeatures);
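Review bot: The result of `wxFileName::CreateTempFileName(wxT("ap_res"))` is used unchecked, both here and at the second call site in this file (the `@@ -415,7 +415,7 @@` hunk); the call returns an empty string when no file could be created, and `%o` would then be replaced with nothing in the autopano command line. A guard before `autopanoArgs.Replace` such as `if (ptofile.IsEmpty()) { wxLogError(_("Could not create temporary file")); /* bail out */ }` would make that case fail cleanly. Because the call actually creates the file on disk, every exit path of the enclosing function should also remove it with `wxRemoveFile(ptofile)`; whether that happens is not visible, as the function begins and ends outside the hunk. At this first site the old fixed name carried a `.pto` extension that the generated name lacks, so it is worth confirming that the external tool writes to exactly the path it is given, because a tool that appends an extension would write to a sibling file the safe creation does not cover.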
@@ -415,7 +415,7 @@
         imgNr++;
     }
 
-    wxString ptofile(wxT("autopano_result_tempfile"));
+    wxString ptofile = wxFileName::CreateTempFileName(wxT("ap_res"));
     autopanoArgs.Replace(wxT("%o"), ptofile);
     wxString tmp;
     tmp.Printf(wxT("%d"), nFeatures);




Index: hugin.spec
===================================================================
RCS file: /cvs/pkgs/rpms/hugin/F-7/hugin.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- hugin.spec	20 Aug 2007 20:36:58 -0000	1.4
+++ hugin.spec	5 Nov 2007 22:07:06 -0000	1.5
@@ -1,10 +1,10 @@
 Summary: Frontend for Panorama Tools, similar to PTAssembler, PTGui or Open for Windows
 Name: hugin
 Version: 0.6.1
-Release: 7%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: Applications/Multimedia
-Source0: http://prdownloads.sourceforge.net/hugin/%{name}-%{version}.tar.bz2
+Source: http://downloads.sourceforge.net/hugin/%{name}-%{version}.tar.bz2
 URL: http://hugin.sourceforge.net/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: libpano12 > 2.8.3 wxGTK >= 2.6.0 boost enblend
@@ -12,6 +12,7 @@
 BuildRequires: libpano12-devel > 2.8.3 zlib-devel libtiff-devel libjpeg-devel
 BuildRequires: libpng-devel gettext-devel wxGTK-devel >= 2.6.0 boost-devel
 BuildRequires: desktop-file-utils
+Patch0: hugin-0.6.1-CVE-2007-5200.patch
 
 %description
 hugin can be used to stitch multiple images together. The resulting image can
@@ -21,6 +22,7 @@
 
 %prep
 %setup -q
+%patch0 -p3
 # autopanog.exe is a mono app
 sed -i 's/"autopanog.exe"/"mono `which autopanog.exe`"/' \
        src/include/hugin/config_defaults.h
@@ -74,6 +76,12 @@
 %doc ABOUT-NLS AUTHORS BUGS ChangeLog COPYING INSTALL LICENCE NEWS README TODO src/hugin/xrc/data/*.htm src/hugin/xrc/data/*.html src/hugin/xrc/data/help_en_EN src/hugin/xrc/data/help_fr_FR HACKING LICENCE_JHEAD LICENCE_VIGRA doc/nona.txt
 
 %changelog
+* Mon Nov 05 2007 Bruno Postle <bruno at postle.net> 0.6.1-10
+- fix for CVE-2007-5200 hugin unsafe temporary file usage
+- bug #332401; bug #362851; bug #362861; bug #362871
+- fix Source tag
+- update license GPL -> GPLv2+
+
 * Mon Aug 13 2007 Bruno Postle <bruno at postle.net> 0.6.1-7
 - rebuild for boost soname change
 - add enblend dependency as enblend is now in fedora



