
Bug#788064: wheezy-pu: package gamera/3.3.3-2



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

I propose an update of gamera in wheezy, 3.3.3-2+deb7u1.

The new patch is a fix of CVE-2014-1937 [1].

Please see the attached debdiff for details.

The security issue has been considered as being minor/non-dsa,
therefore I would like to upload this as a proposed update.

The related bug #737324 [2] has been closed already in Sid by gamera/3.4.1-1.

I've built the new package with sbuild against wheezy, please
see the buildlog here [3].

Thanks & greetings,
Daniel Stender

[1]: https://security-tracker.debian.org/tracker/CVE-2014-1937

[2]: https://bugs.debian.org/737324
     python-gamera: CVE-2014-1937: insecure use of /tmp

[3]: http://www.danielstender.com/buildlogs/gamera_3.3.3-2+deb7u1_amd64-20150608-0933.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gamera-3.3.3/debian/changelog gamera-3.3.3/debian/changelog
--- gamera-3.3.3/debian/changelog	2015-06-07 10:02:47.000000000 +0200
+++ gamera-3.3.3/debian/changelog	2012-07-04 16:50:40.000000000 +0200
@@ -1,10 +1,3 @@
-gamera (3.3.3-2+deb7u1) oldstable; urgency=medium
-
-  * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324
-    was closed in Sid by 3.4.1-1).
-
- -- Daniel Stender <debian@danielstender.com>  Sun, 07 Jun 2015 10:00:40 +0200
-
 gamera (3.3.3-2) unstable; urgency=low
 
   * DEP-8 tests: use $ADTTMP.
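
Review bot: the changelog entry names the patch "avoid_mktexmp.diff", but the file under debian/patches and the entry in debian/patches/series are both avoid_mktemp.diff; correct the name in the entry so the changelog matches the patch that is actually shipped.
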
diff -Nru gamera-3.3.3/debian/patches/avoid_mktemp.diff gamera-3.3.3/debian/patches/avoid_mktemp.diff
--- gamera-3.3.3/debian/patches/avoid_mktemp.diff	2015-06-07 10:00:10.000000000 +0200
+++ gamera-3.3.3/debian/patches/avoid_mktemp.diff	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-Description: avoid use of insecure tmpfile.mktemp()
- fix of CVE-2014-1937
-Author: Daniel Stender <debian@danielstender.com> 
-Bug: https://bugs.debian.org/737324
-
---- a/gamera/io.py
-+++ b/gamera/io.py
-@@ -944,7 +944,7 @@
-         raise ValueError, "type can be 'i', 'f' or 'd' in load()"
- 
-     ## STRIP OUT % AND # LINES
--    tmpname = tempfile.mktemp()
-+    tmpname = tempfile.NamedTemporaryFile(delete=False).name
-     if sys.platform == 'win32':
-         # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH
-         cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname
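
Review bot: on the replaced line in gamera/io.py, `tempfile.NamedTemporaryFile(delete=False).name` creates the file safely but drops the file object immediately, so with delete=False the file stays behind unless code outside this hunk unlinks tmpname; please confirm that cleanup exists. The unchanged context line `cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname` still concatenates fname unquoted into a shell command and reopens the temp file by name, which this patch leaves as is; filtering the '%' and '#' lines in Python and writing through the descriptor returned by tempfile.mkstemp() would remove both the shell call and the reopen step. The Author: header line also ends in trailing whitespace.
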
diff -Nru gamera-3.3.3/debian/patches/series gamera-3.3.3/debian/patches/series
--- gamera-3.3.3/debian/patches/series	2015-06-07 09:55:48.000000000 +0200
+++ gamera-3.3.3/debian/patches/series	2012-05-26 21:19:52.000000000 +0200
@@ -9,4 +9,3 @@
 nosetests.diff
 trap-errors-from-pclose.diff
 pil-import.diff
-avoid_mktemp.diff
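
Review bot: the debdiff appears to have been generated with the old and new packages swapped, so avoid_mktemp.diff shows here as a line removed from series, with the 2015 timestamp on the `---` side and the 2012 one on `+++`; regenerate it old-to-new so the reviewed diff shows the patch being added rather than dropped.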
