Bug#908237: marked as done (libnumbertext-tools: "spellout" looks for data in the wrong place)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 08 Sep 2018 12:03:59 +0000
with message-id <E1fyby3-000Fto-Pc@fasolo.debian.org>
and subject line Bug#908237: fixed in libnumbertext 1.0-3
has caused the Debian Bug report #908237,
regarding libnumbertext-tools: "spellout" looks for data in the wrong place
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
908237: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908237
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: libnumbertext-tools: "spellout" is not in $PATH and looks for data in the wrong places
• From: Stephane Chazelas <stephane.chazelas@gmail.com>
• Date: Fri, 7 Sep 2018 17:47:54 +0100
• Message-id: <[🔎] 20180907164754.lclujvgwrq5iv7yg@chaz.gmail.com>

Package: libnumbertext-tools
Version: 1.0-2
Severity: normal

$ dpkg -L libnumbertext-tools
[...]
/usr/lib/libnumbertext/spellout

The tool is meant to be invoked by the end user, but is not
located in a directory in $PATH. I would expect it to go in
/usr/bin (and have a corresponding man page in
/usr/share/man/man1).

Also:

$ /usr/lib/libnumbertext/spellout -l en 101
spellout: missing language module

Using "strace", we see:

$ strace -e file /usr/lib/libnumbertext/spellout -l en 101
[...]
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "en.sor", O_RDONLY)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/numbertext/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/numbertext/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "data/en.sor", O_RDONLY) = -1 ENOENT (No such file or directory)

It looks first in "en.sor" in the current directory, which is a
security vulnerability (for instance when run in /tmp where some
attacker could have planted a malicious "en.sor" file).

And then in "/usr/share/numbertext" while "libnumbertext-data"
installs those files in "/usr/share/libnumbertext" instead.

A work around is to run:

$ /usr/lib/libnumbertext/spellout -l /usr/share/libnumbertext/en 101
one hundred one

Though it doesn't work for en-GB for which you'd need:

$ (cd /usr/share/libnumbertext && /usr/lib/libnumbertext/spellout -l en-GB 101)
one hundred and one

(but again looking in the current directory is a bad idea, so I'd expect that
one to stop working in a future version).

$ /usr/lib/libnumbertext/spellout -l /usr/share/libnumbertext/en-GB 101
one hundred one

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnumbertext-tools depends on:
ii  libc6                2.27-5
ii  libgcc1              1:8.2.0-4
ii  libnumbertext-1.0-0  1.0-2
ii  libstdc++6           8.2.0-4

libnumbertext-tools recommends no packages.

libnumbertext-tools suggests no packages.

-- debconf-show failed

--- End Message ---

--- Begin Message ---

• To: 908237-close@bugs.debian.org
• Subject: Bug#908237: fixed in libnumbertext 1.0-3
• From: Rene Engelhard <rene@debian.org>
• Date: Sat, 08 Sep 2018 12:03:59 +0000
• Message-id: <E1fyby3-000Fto-Pc@fasolo.debian.org>

Source: libnumbertext
Source-Version: 1.0-3

We believe that the bug you reported is fixed in the latest version of
libnumbertext, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 908237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rene Engelhard <rene@debian.org> (supplier of updated libnumbertext package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 08 Sep 2018 11:22:31 +0000
Source: libnumbertext
Binary: libnumbertext-dev libnumbertext-1.0-0 libnumbertext-data libnumbertext-tools libnumbertext-java libreoffice-numbertext
Architecture: source
Version: 1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoffice@lists.debian.org>
Changed-By: Rene Engelhard <rene@debian.org>
Description:
 libnumbertext-1.0-0 - Number to number name and money text conversion library
 libnumbertext-data - Number to number name and money text conversion library -- data f
 libnumbertext-dev - Number to number name and money text conversion library -- develo
 libnumbertext-java - Number to number name and money text conversion library for Java
 libnumbertext-tools - Number to number name and money text conversion library -- spelle
 libreoffice-numbertext - number to number name and currency name conversion LO Calc Add-In
Closes: 908237
Changes:
 libnumbertext (1.0-3) unstable; urgency=medium
 .
   * fix spellout.cxx to use /usr/share/libnumbertext, not try
     /usr/share/numbertext (closes: #908237)
Checksums-Sha1:
 e3a1e1f216764d43f5e6ffc38928379b2bb46d05 2396 libnumbertext_1.0-3.dsc
 e922249c1e8f8d62fe330a80f36dcb749c6e08fa 11632 libnumbertext_1.0-3.debian.tar.xz
 b6769b485320c767027e6f33e13fe969915cbb70 11544 libnumbertext_1.0-3_source.buildinfo
Checksums-Sha256:
 31c1b1d49a5d09aebd3645d4f14d4ba77926994d20977f752c9714bafc8dc61a 2396 libnumbertext_1.0-3.dsc
 eb4cf79735444da111a7fbd6b753e458f1ad50367b046254b1cbe31130be2d6a 11632 libnumbertext_1.0-3.debian.tar.xz
 54704592321a273c42dcaf55134b155d99d7e763707c552b9242c3c4718dbab6 11544 libnumbertext_1.0-3_source.buildinfo
Files:
 7dcf712ec835dc185ebe4b7a17154f27 2396 libs optional libnumbertext_1.0-3.dsc
 7452a19af0e450f4b7423e9f53873411 11632 libs optional libnumbertext_1.0-3.debian.tar.xz
 3de7388dcc0d016020513a78b60114df 11544 libs optional libnumbertext_1.0-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE4S3qRnUGcM+pYIAdCqBFcdA+PnAFAluTtwYACgkQCqBFcdA+
PnBstRAA63xeyt/yYwDe+z6472/s1FRZjTFMrgjZEiftLJaW+dmAu/9OpiqjlCFZ
MUktzTo78WxNOAke93XsmeshDqRiSNwimtk7ekclPXtRIPZFCu2HhVITZ0AlVsce
M7XnXlDhyQO2gVz10O4d4CE8/5f5SmM7b5m6zxNIQpAwgL3og7Kw7kYjQDIm88au
RgOlXaUOtrTjOH3lxqQgY0Yky8l8ux/GzB5X6n+VLtd8VsgXV+dQ/LAT9BoauCBz
ayVqfPOyqG7LxFZIM6s5wA5wkCYbBiKoc0cOAZqb0RQl/Iwuvz+iHgCSzXUTBRyc
sCVQEqe7s2fiHM/1fxi2grqybwvNAs/cIB+CATVj4FKL6N7jidoZZr9z40KphIGA
Ttb4NGtVGMliISn/coNl2PjgDs5f9ro7dig8ZDtxmuHC3lWH/cSfBdWzvqvbw2/U
cRChvo20mqWMHSuKLGRRpFxQsewzbugrODZlmteE3UcndQc8AAXTkavcZzHSKFN1
QYYgPpYKiSlrmRBYXrdaeJ9uHjQeEAceGDDpi7FVxbgQzMvt3kOe78Zk7JcIWx3u
jE/Lc5JVc163c6WR0HSWt7RyOFrpO4r9tpb0DINEYvsc4kvW9Zj/JUb9nK0vhW6u
lp2bnyF54fm2pX+SOJ+S1YbE/+lyUjC3DPN72OCxtUWsfVEAGOc=
=v1OO
-----END PGP SIGNATURE-----

--- End Message ---