Bug#788064: marked as done (wheezy-pu: package gamera/3.3.3-2)



Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #788064,
regarding wheezy-pu: package gamera/3.3.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
788064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788064
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hello release team,

I propose an update of gamera in wheezy, 3.3.3-2+deb7u1.

The new patch is a fix of CVE-2014-1937 [1].

Please see the attached debdiff for details.

The security issue has been considered as being minor/non-dsa,
therefore I would like to upload this as a proposed update.

The related bug #737324 [2] has been closed already in Sid by gamera/3.4.1-1.

I've built the new package with sbuild against wheezy, please
see the buildlog here [3].

Thanks & greetings,
Daniel Stender

[1]: https://security-tracker.debian.org/tracker/CVE-2014-1937

[2]: https://bugs.debian.org/737324
     python-gamera: CVE-2014-1937: insecure use of /tmp

[3]: http://www.danielstender.com/buildlogs/gamera_3.3.3-2+deb7u1_amd64-20150608-0933.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gamera-3.3.3/debian/changelog gamera-3.3.3/debian/changelog
--- gamera-3.3.3/debian/changelog	2015-06-07 10:02:47.000000000 +0200
+++ gamera-3.3.3/debian/changelog	2012-07-04 16:50:40.000000000 +0200
@@ -1,10 +1,3 @@
-gamera (3.3.3-2+deb7u1) oldstable; urgency=medium
-
-  * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324
-    was closed in Sid by 3.4.1-1).
-
- -- Daniel Stender <debian@danielstender.com>  Sun, 07 Jun 2015 10:00:40 +0200
-
 gamera (3.3.3-2) unstable; urgency=low
 
   * DEP-8 tests: use $ADTTMP.
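Review bot: The new changelog entry names the patch "avoid_mktexmp.diff", but the file added under debian/patches and listed in series is avoid_mktemp.diff; the entry should use the real file name so the changelog can be matched to the patch. The debdiff also appears to have been generated with its arguments reversed: the --- side carries the 2015-06-07 timestamp and the +++ side 2012-07-04, so the 3.3.3-2+deb7u1 entry shows up as a removal. Regenerating it with the old .dsc first would make the proposed change read as additions.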
diff -Nru gamera-3.3.3/debian/patches/avoid_mktemp.diff gamera-3.3.3/debian/patches/avoid_mktemp.diff
--- gamera-3.3.3/debian/patches/avoid_mktemp.diff	2015-06-07 10:00:10.000000000 +0200
+++ gamera-3.3.3/debian/patches/avoid_mktemp.diff	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-Description: avoid use of insecure tmpfile.mktemp()
- fix of CVE-2014-1937
-Author: Daniel Stender <debian@danielstender.com> 
-Bug: https://bugs.debian.org/737324
-
---- a/gamera/io.py
-+++ b/gamera/io.py
-@@ -944,7 +944,7 @@
-         raise ValueError, "type can be 'i', 'f' or 'd' in load()"
- 
-     ## STRIP OUT % AND # LINES
--    tmpname = tempfile.mktemp()
-+    tmpname = tempfile.NamedTemporaryFile(delete=False).name
-     if sys.platform == 'win32':
-         # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH
-         cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname
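Review bot: In the gamera/io.py hunk, tempfile.NamedTemporaryFile(delete=False).name throws away the file object as soon as the name is read, so the descriptor is closed only as a side effect of garbage collection, and with delete=False nothing in the visible lines removes the file afterwards. Using fd, tmpname = tempfile.mkstemp() followed by os.close(fd) gives the same securely created file with explicit handling, and the function should unlink tmpname once it has read the filtered data. Separately, the unchanged context line still builds the grep command by concatenating fname and tmpname into one string; if that string is handed to a shell, a file name containing shell metacharacters alters the command, so an argument list with the output written from Python would be worth a follow-up.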
diff -Nru gamera-3.3.3/debian/patches/series gamera-3.3.3/debian/patches/series
--- gamera-3.3.3/debian/patches/series	2015-06-07 09:55:48.000000000 +0200
+++ gamera-3.3.3/debian/patches/series	2012-05-26 21:19:52.000000000 +0200
@@ -9,4 +9,3 @@
 nosetests.diff
 trap-errors-from-pclose.diff
 pil-import.diff
-avoid_mktemp.diff

--- End Message ---
--- Begin Message ---
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam

--- End Message ---