
Bug#775342: marked as done (unblock: texlive-bin/2014.20140926.35254-5)



Your message dated Wed, 14 Jan 2015 17:55:24 +0100
with message-id <54B69F7C.5040008@thykier.net>
and subject line Re: Bug#775342: unblock: texlive-bin/2014.20140926.35254-5
has caused the Debian Bug report #775342,
regarding unblock: texlive-bin/2014.20140926.35254-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775342: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775342
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release managers,

I would like to ask for an unblock of the source package
	texlive-bin
for version
	2014.20140926.35254-5

The only change is a fix for insecure temp file creation in mktexlsr,
see #775139.

The functional changes in the source are explained in the following
patch extract:
	-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
	+treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
which means, instead of using a guessable file name, use mktemp
to create a temporary file.

Due to Jessie RC policy, "any programs and scripts that create
files in /tmp or other world writable directories must use a mechanism
which fails if the file already exists" [1], this is a required or
at least requested fix for Jessie.

Full debdiff attached.

Thanks a lot and all the best

Norbert

[1] https://release.debian.org/jessie/rc_policy.txt

unblock texlive-bin/2014.20140926.35254-5

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-rc4 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru texlive-bin-2014.20140926.35254/debian/changelog texlive-bin-2014.20140926.35254/debian/changelog
--- texlive-bin-2014.20140926.35254/debian/changelog	2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/changelog	2015-01-13 07:32:25.000000000 +0900
@@ -1,3 +1,9 @@
+texlive-bin (2014.20140926.35254-5) unstable; urgency=high
+
+  * fix insecure temp file creation in mktexlsr (Closes: #775139)
+
+ -- Norbert Preining <preining@debian.org>  Tue, 13 Jan 2015 07:32:13 +0900
+
 texlive-bin (2014.20140926.35254-4) unstable; urgency=high
 
   * cherrypick security fix for libpng buffer overflow (Closes: #773824)
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp
--- texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp	1970-01-01 09:00:00.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/mktexlsr-use-mktemp	2015-01-13 07:32:25.000000000 +0900
@@ -0,0 +1,16 @@
+Don't use unsafe temp filename, use mktemp
+---
+ texk/kpathsea/mktexlsr |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- texlive-bin.orig/texk/kpathsea/mktexlsr
++++ texlive-bin/texk/kpathsea/mktexlsr
+@@ -73,7 +73,7 @@
+ dry_run=false
+ trees=
+ 
+-treefile="${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
++treefile=`mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX` || exit 1
+ trap 'cd /; rm -f $treefile; test -z "$db_dir_tmp" || rm -rf "$db_dir_tmp"; 
+       exit' 0 1 2 3 7 13 15
+ 
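Review bot: `mktemp --tmpdir` with no argument falls back to $TMPDIR and then /tmp, so the new `treefile=` line keeps the `${TMPDIR-/tmp}` behaviour of the line it replaces while removing the `$$`-derived, predictable name; the patch header ("Don't use unsafe temp filename, use mktemp") could say so, since that is the first thing an upstream reviewer of texk/kpathsea/mktexlsr will check. Two smaller points on the same hunk: `--tmpdir` is a GNU coreutils spelling (BSD mktemp uses `-t`), so if this is meant to go upstream rather than stay Debian-only, `mktemp "${TMPDIR-/tmp}/mktexlsrtrees.XXXXXXXXXX"` is the portable form; and the `trap 'cd /; rm -f $treefile; ...'` on the following line is installed after mktemp has already created the file, so a signal landing between the two lines leaves it behind (a cleanup nit, not a security one), and `$treefile` inside the trap is unquoted.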
diff -Nru texlive-bin-2014.20140926.35254/debian/patches/series texlive-bin-2014.20140926.35254/debian/patches/series
--- texlive-bin-2014.20140926.35254/debian/patches/series	2014-12-24 09:19:43.000000000 +0900
+++ texlive-bin-2014.20140926.35254/debian/patches/series	2015-01-13 07:32:25.000000000 +0900
@@ -19,3 +19,4 @@
 upstream-svn35516-dvipdfmx-fix-crash-missing-fontmap
 upstream-svn35518-mpost-fontmap-warnings
 cve-libpng-heap-overflow-fix
+mktexlsr-use-mktemp

--- End Message ---
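As an added example, not code from texlive-bin, the bug report or the debdiff above, the following script puts the old mktexlsr temp-file line next to the patched one and checks, inside a private scratch directory, the property the Jessie RC policy quoted in the request asks for: a temp-file mechanism that never silently reuses a path that already exists. The function names and the "planted" file are constructed for the demonstration; the two `treefile=` lines are the ones from the patch.

```shell
#!/bin/sh
# Added example for this unblock request; it is not code from texlive-bin or
# from the bug report. Function names and the planted file are constructed.

# Old line from mktexlsr: the name is fully determined by TMPDIR and the PID.
old_treefile_name() {
    printf '%s\n' "${TMPDIR-/tmp}/mktexlsrtrees$$.tmp"
}

# Patched line: mktemp chooses a random suffix and creates the file itself
# (exclusive create, mode 0600), so naming and creation are one atomic step.
new_treefile_name() {
    mktemp --tmpdir mktexlsrtrees.XXXXXXXXXX
}

# Returns 0 when the old idiom ends up writing into a file that already sat at
# the predictable path: the name is known before the script runs, and a plain
# ">" redirection reuses whatever is there. Runs in a subshell so the TMPDIR
# override does not leak to the caller.
old_idiom_reuses_existing_file() (
    scratch=$(mktemp -d) || return 2
    TMPDIR=$scratch; export TMPDIR
    planted=$(old_treefile_name)              # computable in advance from $$
    echo "already here" > "$planted"
    treefile=$(old_treefile_name)
    echo "tree list" > "$treefile"            # silently reuses the planted file
    grep -q "tree list" "$planted"; rc=$?
    rm -rf "$scratch"
    return $rc
)

# Returns 0 when the mktemp idiom hands back a fresh, empty file of its own
# with the expected prefix, even though a file with that prefix was present.
new_idiom_creates_fresh_file() (
    scratch=$(mktemp -d) || return 2
    TMPDIR=$scratch; export TMPDIR
    echo "already here" > "$scratch/mktexlsrtrees.planted"
    treefile=$(new_treefile_name) || { rm -rf "$scratch"; return 2; }
    rc=1
    case $treefile in
        "$scratch"/mktexlsrtrees.??????????)
            [ -f "$treefile" ] && [ ! -s "$treefile" ] && rc=0 ;;
    esac
    rm -rf "$scratch"
    return $rc
)

# The RC policy wording on its own: with noclobber (set -C) a ">" redirection
# fails when the path exists instead of truncating it; mktemp gives the same
# guarantee at the moment it creates the file.
exclusive_create() {
    ( set -C && : > "$1" ) 2>/dev/null
}

if [ "${0##*/}" = "mktemp-example.sh" ]; then
    old_idiom_reuses_existing_file && echo "old idiom: reused a pre-existing file"
    new_idiom_creates_fresh_file   && echo "mktemp idiom: got a fresh private file"
fi
```

The two `*_name` functions are the only lines taken from the patch; everything else exists to make the difference observable. The old idiom is reproducible from the PID alone, which is why the request calls the name guessable, while `mktemp` combines a random suffix with an exclusive create so there is no gap between choosing the name and owning the file.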
--- Begin Message ---
On 2015-01-14 14:33, Norbert Preining wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear release managers,
> 
> I would like to ask for an unblock of the source package
> 	texlive-bin
> for version
> 	2014.20140926.35254-5
> 
> The only change is a fix for insecure temp file creation in mktexlsr,
> see #775139.
> 
> [...]
> 
> Full debdiff attached.
> 
> Thanks a lot and all the best
> 
> Norbert
> 
> [1] https://release.debian.org/jessie/rc_policy.txt
> 
> unblock texlive-bin/2014.20140926.35254-5
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
