Bas Couwenberg · Bas Couwenberg · Bas Couwenberg · Bas Couwenberg · Bas Couwenberg · Bas Couwenberg
--- a/debian/changelog
+++ b/debian/changelog
+gdal (2.4.2+dfsg-2) unstable; urgency=medium
+
+  * Bump Standards-Version to 4.4.1, no changes.
+  * Update PIE hardening conditional, trusty is EOL.
+  * Re-enable CFITSIO support, license issues are resolved.
+    (closes: #932464)
+  * Add upstream patch to fix CVE-2019-17545.
+  * Add lintian override for spelling-error-in-binary.
+  * Add lintian override for spelling-error-in-binary false positive.
+  * Update lintian overrides for file-references-package-build-path.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Tue, 15 Oct 2019 09:42:55 +0200
+
 gdal (2.4.2+dfsg-1) unstable; urgency=medium

  * New upstream release.

--- a/debian/control
+++ b/debian/control
@@ -14,6 +14,7 @@ Build-Depends: debhelper (>= 9.20160114),
               ant,
               chrpath,
               libarmadillo-dev,
+               libcfitsio-dev,
               libcharls-dev,
               libcurl4-gnutls-dev | libcurl-ssl-dev,
               libdap-dev,
@@ -63,7 +64,7 @@ Build-Depends: debhelper (>= 9.20160114),
               zlib1g-dev
 Build-Conflicts: automake1.11,
                 python-setuptools
-Standards-Version: 4.3.0
+Standards-Version: 4.4.1
 Vcs-Browser: https://salsa.debian.org/debian-gis-team/gdal
 Vcs-Git: https://salsa.debian.org/debian-gis-team/gdal.git
 Homepage: http://www.gdal.org/
@@ -102,6 +103,7 @@ Section: libdevel
 Depends: libgdal20 (= ${binary:Version}),
         libc6-dev,
         libarmadillo-dev,
+         libcfitsio-dev,
         libcharls-dev,
         libcurl4-gnutls-dev | libcurl-ssl-dev,
         libdap-dev,

--- a/debian/libgdal-dev.lintian-overrides
+++ b/debian/libgdal-dev.lintian-overrides
@@ -7,3 +7,6 @@ copyright-year-in-future 3131 *
 # GDAL doesn't use Multi-Arch, it breaks too many rdeps
 pkg-config-unavailable-for-cross-compilation usr/lib/pkgconfig/gdal.pc

+# Cannot easily be fixed
+file-references-package-build-path *
+
--- a/debian/libgdal-java.lintian-overrides
+++ b/debian/libgdal-java.lintian-overrides
 # False positive on: "(319) 369-3131"
 copyright-year-in-future 3131 *

-# Cannot easily be fixed
-file-references-package-build-path *
-
--- a/debian/libgdal-perl.lintian-overrides
+++ b/debian/libgdal-perl.lintian-overrides
 # False positive on: "(319) 369-3131"
 copyright-year-in-future 3131 *

-# Cannot easily be fixed
-file-references-package-build-path *
-
--- a/debian/libgdal20.lintian-overrides
+++ b/debian/libgdal20.lintian-overrides
 # False positive on: {136, "Socialist Republic of Viet Nam"},
 spelling-error-in-binary * Nam Name

+# Part of GRIB abbreviation
+spelling-error-in-binary * Instnt Instant
+
+# False positive, string not included in source
+spelling-error-in-binary * increaS increase
+
 # False positive on: "(319) 369-3131"
 copyright-year-in-future 3131 *

-# Cannot easily be fixed
-file-references-package-build-path *
-
--- a/debian/libgdal20.symbols.common
+++ b/debian/libgdal20.symbols.common
@@ -734,6 +734,7 @@
 GDALRegister_Envisat@Base 1.8.0
 GDALRegister_FAST@Base 1.8.0
 GDALRegister_FIT@Base 1.8.0
+ GDALRegister_FITS@Base 2.4.2
 GDALRegister_FujiBAS@Base 1.8.0
 GDALRegister_GFF@Base 1.8.0
 GDALRegister_GIF@Base 1.8.0

--- a/debian/patches/CVE-2019-17545.patch
+++ b/debian/patches/CVE-2019-17545.patch
+Description: OGRExpatRealloc(): fix double-free when size to allocate is above
+ the default 10MB threshold.
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178.
+ Credit to OSS Fuzz
+Author: Even Rouault <even.rouault@spatialys.com>
+Origin: https://github.com/OSGeo/gdal/commit/8cd2d2eb6327cf782a74dae263ffa6f89f46c93d
+
+--- a/ogr/ogr_expat.cpp
+++ b/ogr/ogr_expat.cpp
+@@ -73,7 +73,6 @@ static void* OGRExpatRealloc( void *ptr,
+     CPLError(CE_Failure, CPLE_OutOfMemory,
+              "Expat tried to realloc %d bytes. File probably corrupted",
+              static_cast<int>(size));
+-    free(ptr);
+     return nullptr;
+ }
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ perl-vendor
 privacy-breach-logo.patch
 privacy-breach-generic.patch
 perl-doxyfile
+CVE-2019-17545.patch
--- a/debian/rules
+++ b/debian/rules
@@ -19,7 +19,7 @@ VENDOR_DERIVES_FROM_UBUNTU ?= $(shell dpkg-vendor --derives-from Ubuntu && echo
 DISTRIBUTION_RELEASE       := $(shell lsb_release -cs)

 ifeq ($(VENDOR_DERIVES_FROM_UBUNTU),yes)
-  ifneq (,$(filter $(DISTRIBUTION_RELEASE),trusty xenial bionic))
+  ifneq (,$(filter $(DISTRIBUTION_RELEASE),xenial bionic))
    export DEB_BUILD_MAINT_OPTIONS=hardening=+all,-pie
  endif
 endif
@@ -113,7 +113,7 @@ override_dh_auto_configure:
 			--with-rename-internal-libgeotiff-symbols=yes \
 			--with-threads \
 			--with-armadillo=yes \
-			--with-cfitsio=no \
+			--with-cfitsio=yes \
 			--with-charls \
 			--with-curl \
 			--with-ecw=no \