--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: wheezy-pu: package gummi/0.6.3-1.2+deb7u1
- From: Daniel Stender <debian@danielstender.com>
- Date: Mon, 30 Nov 2015 14:15:58 +0100
- Message-id: <144888935801.18771.13605209315425526256.reportbug@localhost>
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I propose an update of Gummi also in Wheezy.
The applied patch is a fix of security problem CVE-2015-7758 [1].
The security team marked this issue as minor/no-DSA [2], so I would upload
it to oldstable as proposed update.
Please see the attached debdiff for details of changes. I've built the
package against oldstable [3].
Thanks
Daniel Stender
[1] https://bugs.debian.org/756432
[2] https://security-tracker.debian.org/tracker/source-package/gummi
[3] http://www.danielstender.com/buildlogs/gummi_0.6.3-1.2+deb7u1_amd64-20151130-1409.build
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gummi-0.6.3/debian/changelog gummi-0.6.3/debian/changelog
--- gummi-0.6.3/debian/changelog 2012-09-30 17:29:02.000000000 +0200
+++ gummi-0.6.3/debian/changelog 2015-11-30 14:07:51.000000000 +0100
@@ -1,3 +1,9 @@
+gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium
+
+ * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432).
+
+ -- Daniel Stender <debian@danielstender.com> Mon, 30 Nov 2015 14:06:45 +0100
+
gummi (0.6.3-1.2) unstable; urgency=low
* Non-maintainer upload.
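Review bot: the changelog entry writes the identifier as `CVE 2015-7758` (with a space) while the patch header uses the canonical `CVE-2015-7758`; use the hyphenated form in the changelog too, since tooling that scans changelogs for CVE ids matches on that pattern.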
diff -Nru gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch
--- gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 1970-01-01 01:00:00.000000000 +0100
+++ gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 2015-11-30 14:06:23.000000000 +0100
@@ -0,0 +1,39 @@
+Description: don't generate predictable tmpfile names if filename is given
+ Quick fix for CVE-2015-7758 (#756432).
+Author: Daniel Stender <debian@danielstender.com>
+Bug: https://bugs.debian.org/756432
+Forwarded: https://github.com/alexandervdm/gummi/issues/20
+Last-Update: 2015-11-29
+
+--- a/src/editor.c
++++ b/src/editor.c
+@@ -204,10 +204,9 @@
+ gchar* base = g_path_get_basename (filename);
+ gchar* dir = g_path_get_dirname (filename);
+ ec->filename = g_strdup (filename);
+- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
+- ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
+- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
+- G_DIR_SEPARATOR, base);
++ ec->basename = g_strdup (ec->fdname);
++ ec->workfile = g_strdup (ec->fdname);
++ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname);
+ g_free (base);
+ g_free (dir);
+ } else {
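Review bot: after this hunk `base` and `dir` are still computed on the two context lines above the removed `ec->basename` assignment but are no longer used by any of the three replacement lines, so they are allocated only to be freed again; drop the two `g_path_get_*` calls and their matching `g_free` calls. Also note that `ec->workfile = g_strdup (ec->fdname);` makes the work file identical to `ec->fdname` (previously it was `<basename>.swp`, a distinct path), so confirm nothing else writes to both under the assumption they differ, and say so in the patch Description. The diff does not show how `ec->fdname` is produced; this change only removes the predictable `C_TMPDIR/.<base>.pdf` name if that field comes from a temp file that was created atomically with an unpredictable name, so that invariant belongs in the header as well.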
+@@ -237,12 +236,9 @@
+ if (ec->filename) {
+ gchar* dirname = g_path_get_dirname (ec->filename);
+ gchar* basename = g_path_get_basename (ec->filename);
+- auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
+- logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
+- syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
++ auxfile = g_strdup_printf ("%s.aux", ec->fdname);
++ logfile = g_strdup_printf ("%s.log", ec->fdname);
++ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
+ g_free (basename);
+ g_free (dirname);
+ } else {
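Review bot: `<fdname>.aux`, `<fdname>.log` and `<fdname>.synctex.gz` are only as hard to guess as `ec->fdname` itself, and a local attacker who can list the temp directory learns that name as soon as the file exists and can pre-create the `.aux`, `.log` and `.pdf` siblings as symlinks before the LaTeX run writes them. That is a far smaller window than the fixed `C_TMPDIR/.<basename>.*` names this hunk removes, but it is not closed; either record the residual race in the patch Description or have the temp file created inside a per-user directory with mode 0700 so the siblings are unreachable to other users. As in the previous hunk, `dirname` and `basename` are still computed and freed but no longer referenced by the replacement lines; remove them.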
diff -Nru gummi-0.6.3/debian/patches/series gummi-0.6.3/debian/patches/series
--- gummi-0.6.3/debian/patches/series 2012-09-30 17:24:55.000000000 +0200
+++ gummi-0.6.3/debian/patches/series 2015-11-30 14:06:41.000000000 +0100
@@ -1,2 +1,3 @@
libgthread-2.0_link.patch
fix_fd_leak.patch
+no-predictable-tmpfiles.patch
--- End Message ---