--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package gamera/3.3.3-2
- From: Daniel Stender <debian@danielstender.com>
- Date: Mon, 08 Jun 2015 11:07:10 +0200
- Message-id: <20150608090710.29190.61797.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hello release team,
I propose an update of gamera in wheezy, 3.3.3-2+deb7u1.
The new patch is a fix of CVE-2014-1937 [1].
Please see the attached debdiff for details.
The security issue has been considered as being minor/non-dsa,
therefore I would like to upload this as a proposed update.
The related bug #737324 [2] has been closed already in Sid by gamera/3.4.1-1.
I've built the new package with sbuild against wheezy, please
see the buildlog here [3].
Thanks & greetings,
Daniel Stender
[1]: https://security-tracker.debian.org/tracker/CVE-2014-1937
[2]: https://bugs.debian.org/737324
python-gamera: CVE-2014-1937: insecure use of /tmp
[3]: http://www.danielstender.com/buildlogs/gamera_3.3.3-2+deb7u1_amd64-20150608-0933.build
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gamera-3.3.3/debian/changelog gamera-3.3.3/debian/changelog
--- gamera-3.3.3/debian/changelog 2015-06-07 10:02:47.000000000 +0200
+++ gamera-3.3.3/debian/changelog 2012-07-04 16:50:40.000000000 +0200
@@ -1,10 +1,3 @@
-gamera (3.3.3-2+deb7u1) oldstable; urgency=medium
-
- * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324
- was closed in Sid by 3.4.1-1).
-
- -- Daniel Stender <debian@danielstender.com> Sun, 07 Jun 2015 10:00:40 +0200
-
gamera (3.3.3-2) unstable; urgency=low
* DEP-8 tests: use $ADTTMP.
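Review bot: The new changelog entry names the patch avoid_mktexmp.diff, but the file under debian/patches and the line in series are both avoid_mktemp.diff. Correct the name in the entry so the changelog matches the patch that actually ships.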
diff -Nru gamera-3.3.3/debian/patches/avoid_mktemp.diff gamera-3.3.3/debian/patches/avoid_mktemp.diff
--- gamera-3.3.3/debian/patches/avoid_mktemp.diff 2015-06-07 10:00:10.000000000 +0200
+++ gamera-3.3.3/debian/patches/avoid_mktemp.diff 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-Description: avoid use of insecure tmpfile.mktemp()
- fix of CVE-2014-1937
-Author: Daniel Stender <debian@danielstender.com>
-Bug: https://bugs.debian.org/737324
-
---- a/gamera/io.py
-+++ b/gamera/io.py
-@@ -944,7 +944,7 @@
- raise ValueError, "type can be 'i', 'f' or 'd' in load()"
-
- ## STRIP OUT % AND # LINES
-- tmpname = tempfile.mktemp()
-+ tmpname = tempfile.NamedTemporaryFile(delete=False).name
- if sys.platform == 'win32':
- # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH
- cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname
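Review bot: On the replaced line, tempfile.NamedTemporaryFile(delete=False).name creates the file safely but discards the file object at once, so the descriptor is closed only when that object is garbage-collected, and delete=False means nothing removes the file automatically. Consider fd, tmpname = tempfile.mkstemp() followed by os.close(fd), and confirm that load() still unlinks tmpname once it is done with it. The context line that builds cmd also concatenates fname unquoted into a shell command; that is outside this fix but deserves a follow-up. The Description header says tmpfile.mktemp() where tempfile.mktemp() is meant.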
diff -Nru gamera-3.3.3/debian/patches/series gamera-3.3.3/debian/patches/series
--- gamera-3.3.3/debian/patches/series 2015-06-07 09:55:48.000000000 +0200
+++ gamera-3.3.3/debian/patches/series 2012-05-26 21:19:52.000000000 +0200
@@ -9,4 +9,3 @@
nosetests.diff
trap-errors-from-pclose.diff
pil-import.diff
-avoid_mktemp.diff
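Review bot: The debdiff is in the reverse direction: the 2015-06-07 files are on the --- side and the 2012 files on the +++ side, so avoid_mktemp.diff shows as removed from series, and the new changelog entry and patch file show as deleted, where the update adds them. Regenerate it with the current wheezy .dsc as the first argument and the new .dsc as the second so the change reads in the direction it will be applied.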
--- End Message ---