Bug#812881: wheezy-pu: package gummi/0.6.3-1.2+deb7u2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
I hereby propose another update of Gummi for Oldstable.
The new package fixes #812577 [0]: the patch no-predictable-tmpfiles.patch
including in 0.6.3-1.2+deb7u1 fixed CVE-2015-7758 successfully, but has the
flaw that temporary include paths for images etc. in the tex documents
couldn't be used, but must be absolute (because a workfile [.tex.swp] in the
project path is missing).
In the meanwhile upstream released a fix for CVE-2015-7758 which elegantly
uses a XDG cache dir for the temprary files to solve the problem [1].
My new patch which replaces the old one is based on this:
<patch>
- --- a/src/constants.h
+++ b/src/constants.h
@@ -59,7 +59,7 @@
#define C_CMDSEP "&&"
#define C_TEXSEC ""
#else
- - #define C_TMPDIR g_get_tmp_dir()
+ #define C_TMPDIR g_build_path(G_DIR_SEPARATOR_S, g_get_user_cache_dir(), "gummi", NULL)
#define C_CMDSEP ";"
#define C_TEXSEC "env openout_any=a"
#endif
- --- a/src/editor.c
+++ b/src/editor.c
@@ -180,6 +180,12 @@
*/
void editor_fileinfo_update (GuEditor* ec, const gchar* filename) {
+ // directory should exist, but if not create ~/.cache/gummi:
+ if (!g_file_test (C_TMPDIR, G_FILE_TEST_IS_DIR)) {
+ slog (L_WARNING, ".cache directory does not exist, creating..\n");
+ g_mkdir_with_parents (C_TMPDIR, DIR_PERMS);
+ }
+
if (ec->workfd != -1)
editor_fileinfo_cleanup (ec);
</patch>
I've now prepared 0.6.3-1.2+deb7u2 which uses this fix. I've tested it with a document which
uses a relative import path:
<gummilog>
[Info] configuration file: /home/aham/.config/gummi/gummi.cfg
[Info] Texlive 2015 was found installed..
[Info] Typesetter detected: pdfTeX 3.14159265-2.6-1.40.16 (TeX Live 2015/Debian)
[Info] Typesetter detected: XeTeX 3.14159265-2.6-0.99992 (TeX Live 2015/Debian)
[Info] Typesetter detected: Latexmk 4.41
[Info] snippets : /home/aham/.config/gummi/snippets.cfg
[Info] using libpoppler 0.38.0
[Info] Typesetter pdflatex configured.
[Info] setting styles scheme to classic
[Info] setting font to Monospace 10
[Info]
[Info] Environment created for:
[Info] TEX: relative-import-test.tex
[Info] TMP: ./.relative-import-test.tex.swp
[Info] PDF: /home/aham/.cache/gummi/.relative-import-test.tex.pdf
[Info] loading relative-import-test.tex ...
</gummilog>
<outline>
$ ls -la ~/.cache/gummi
- -rw-r--r-- 1 aham aham 353 Jan 27 15:22 .relative-import-test.tex.aux
- -rw-r--r-- 1 aham aham 7762 Jan 27 15:22 .relative-import-test.tex.log
- -rw-r--r-- 1 aham aham 203000 Jan 27 15:22 .relative-import-test.tex.pdf
- -rw-r--r-- 1 aham aham 5893 Jan 27 15:22 .relative-import-test.tex.synctex.gz
</outline>
<texlog>
This is pdfTeX, Version 3.14159265-2.6-1.40.16 (TeX Live 2015/Debian) (preloaded format=pdflatex)
\write18 enabled.
entering extended mode
(./.relative-import-test.tex.swp
LaTeX2e <2015/10/01> patch level 2
Babel <3.9n> and hyphenation patterns for 19 languages loaded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size11.clo))
(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty
(/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty)
(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty
(/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty)
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/graphics.cfg)
(/usr/share/texlive/texmf-dist/tex/latex/pdftex-def/pdftex.def
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/infwarerr.sty)
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ltxcmds.sty))))
No file .relative-import-test.tex.aux.
(/usr/share/texlive/texmf-dist/tex/context/base/supp-pdf.mkii
[Loading MPS to PDF converter (version 2006.09.02).]
) (/usr/share/texlive/texmf-dist/tex/generic/oberdiek/pdftexcmds.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifluatex.sty)
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifpdf.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/epstopdf-base.sty
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/grfext.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvdefinekeys.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvsetkeys.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/etexcmds.sty)))
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg))
<figures/vim11.png, id=1, 96.36pt x 30.5943pt> <use figures/vim11.png> [1{/var/
lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./figures/vim11.png>] [2]
(/home/aham/.cache/gummi/.relative-import-test.tex.aux)
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
)</usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmbx12.pfb></us
r/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share
/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr12.pfb></usr/share/texliv
e/texmf-dist/fonts/type1/public/amsfonts/cm/cmr6.pfb></usr/share/texlive/texmf-
dist/fonts/type1/public/amsfonts/cm/cmr8.pfb></usr/share/texlive/texmf-dist/fon
ts/type1/public/amsfonts/cm/cmr9.pfb></usr/share/texlive/texmf-dist/fonts/type1
/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/publi
c/amsfonts/cm/cmti10.pfb>
Output written on /home/aham/.cache/gummi/.relative-import-test.tex.pdf (2 page
s, 203000 bytes).
SyncTeX written on /home/aham/.cache/gummi/.relative-import-test.tex.synctex.gz.
Transcript written on /home/aham/.cache/gummi/.relative-import-test.tex.log.
</texlog>
Please see the attached diff for changes between deb7u1 and deb7u2. I've build
against Oldstable with Sbuild [2]. 0.6.3-1.2+deb7u1 is currently pending [3], I would
guess it just could be replaced in the pending state?
Thanks,
DS
[0] https://bugs.debian.org/812577 (gummi: relative import paths couldn't be used)
[1] https://github.com/alexandervdm/gummi/commit/4ad6486
[2] http://www.danielstender.com/buildlogs/gummi_0.6.3-1.2+deb7u2_amd64-20160127-1502.build
[3] https://bugs.debian.org/806724 (wheezy-pu: package gummi/0.6.3-1.2+deb7u1)
- -- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
- --
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJWqNkOAAoJEBXgmvTfUYLIIpQQAKhttjBceHJYmPtd9Pb0QErL
lGWlg2kbwKZcPv/HI9Aq+pRBLp2u3P2KrG0vkxsFXePx+mXlg2BKukLeJJP7N5w1
aJyne6op//UqqdEOPENLeUH/tUAtfvOWdrN8okI96idrRl6kHVTJmXhyTdyEC9S+
pVET6hPLjCsmBnkQrdD7BfEO/MWQlGPNwTCX6DBJr0IOEdHLkM4yIDgP0PZeXtjJ
00jh47uItCx8nLvp/jwEWA2pWnAqLqYyENHDgMrJIpgAlcp76GFP4tgmEZFqhNQk
7xH+EK3GLGADp1TjNiAXAkR729qaMj52KuEtbL0dAF31afKt1vsKWewChrU8CsXv
EmZsiHPBSDIKAp1TaEAB3ASrbpnCTYZohgNIDHO5sD/KNno+QAklMseUjx+iC7sZ
qnuSITkpxdR5arUhd8n1I0vdYP+qg5sjNkf7bGPvwyjbJPLdfS88lSYMMC+rq4uZ
DxrwrNih9tU5OjfN2b0Rk/yGWOCAUtf+/Rv6CraZGJ7MaYXr4giyobsJVr53okNs
STAvMnklgLMrcoNjM+syC97lWNwp48/WNNGselBLNdQcuU4FZWG4MO7SMnQww50O
MZpXoMBUOAw6fioo2YnlL2OzD//ixx0LxibBcVMDcdwRVBO3Bh+JSuQAaFlHRsPF
GFCP1ylVWavDy9xFNfbS
=iom3
-----END PGP SIGNATURE-----
diff -Nru gummi-0.6.3/debian/changelog gummi-0.6.3/debian/changelog
--- gummi-0.6.3/debian/changelog 2015-11-30 14:07:51.000000000 +0100
+++ gummi-0.6.3/debian/changelog 2016-01-27 15:01:56.000000000 +0100
@@ -1,3 +1,9 @@
+gummi (0.6.3-1.2+deb7u2) oldstable; urgency=medium
+
+ * no-predictable-tmpfiles.patch: use upstream fix (Closes: #812577).
+
+ -- Daniel Stender <debian@danielstender.com> Wed, 27 Jan 2016 15:00:39 +0100
+
gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium
* Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432).
diff -Nru gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch
--- gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 2015-11-30 14:06:23.000000000 +0100
+++ gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 2016-01-27 14:59:39.000000000 +0100
@@ -1,39 +1,33 @@
-Description: don't generate predictable tmpfile names if filename is given
- Quick fix for CVE-2015-7758 (#756432).
-Author: Daniel Stender <debian@danielstender.com>
+Description: Use XDG cache dir for tmp files rather than TMPDIR.
+ Fix of CVE-2015-7758 (#756432).
+Origin: https://github.com/alexandervdm/gummi/commit/4ad6486
Bug: https://bugs.debian.org/756432
-Forwarded: https://github.com/alexandervdm/gummi/issues/20
-Last-Update: 2015-11-29
+Last-Update: 2016-01-27
+
+--- a/src/constants.h
++++ b/src/constants.h
+@@ -59,7 +59,7 @@
+ #define C_CMDSEP "&&"
+ #define C_TEXSEC ""
+ #else
+- #define C_TMPDIR g_get_tmp_dir()
++ #define C_TMPDIR g_build_path(G_DIR_SEPARATOR_S, g_get_user_cache_dir(), "gummi", NULL)
+ #define C_CMDSEP ";"
+ #define C_TEXSEC "env openout_any=a"
+ #endif
--- a/src/editor.c
+++ b/src/editor.c
-@@ -204,10 +204,9 @@
- gchar* base = g_path_get_basename (filename);
- gchar* dir = g_path_get_dirname (filename);
- ec->filename = g_strdup (filename);
-- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
-- ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
-- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
-- G_DIR_SEPARATOR, base);
-+ ec->basename = g_strdup (ec->fdname);
-+ ec->workfile = g_strdup (ec->fdname);
-+ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname);
- g_free (base);
- g_free (dir);
- } else {
-@@ -237,12 +236,9 @@
- if (ec->filename) {
- gchar* dirname = g_path_get_dirname (ec->filename);
- gchar* basename = g_path_get_basename (ec->filename);
-- auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR,
-- G_DIR_SEPARATOR, basename);
-- logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR,
-- G_DIR_SEPARATOR, basename);
-- syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR,
-- G_DIR_SEPARATOR, basename);
-+ auxfile = g_strdup_printf ("%s.aux", ec->fdname);
-+ logfile = g_strdup_printf ("%s.log", ec->fdname);
-+ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
- g_free (basename);
- g_free (dirname);
- } else {
+@@ -180,6 +180,12 @@
+ */
+ void editor_fileinfo_update (GuEditor* ec, const gchar* filename) {
+
++ // directory should exist, but if not create ~/.cache/gummi:
++ if (!g_file_test (C_TMPDIR, G_FILE_TEST_IS_DIR)) {
++ slog (L_WARNING, ".cache directory does not exist, creating..\n");
++ g_mkdir_with_parents (C_TMPDIR, DIR_PERMS);
++ }
++
+ if (ec->workfd != -1)
+ editor_fileinfo_cleanup (ec);
+
Reply to: