
Bug#812881: marked as done (wheezy-pu: package gummi/0.6.3-1.2+deb7u2)



Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <1459603362.2441.217.camel@adam-barratt.org.uk>
and subject line Fix included in oldstable
has caused the Debian Bug report #812881,
regarding wheezy-pu: package gummi/0.6.3-1.2+deb7u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
812881: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812881
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

I hereby propose another update of Gummi for Oldstable.

The new package fixes #812577 [0]: the patch no-predictable-tmpfiles.patch
including in 0.6.3-1.2+deb7u1 fixed CVE-2015-7758 successfully, but has the
flaw that temporary include paths for images etc. in the tex documents
couldn't be used, but must be absolute (because a workfile [.tex.swp] in the
project path is missing).

In the meantime upstream released a fix for CVE-2015-7758 which elegantly
uses an XDG cache dir for the temporary files to solve the problem [1].

My new patch which replaces the old one is based on this:

<patch>
- --- a/src/constants.h
+++ b/src/constants.h
@@ -59,7 +59,7 @@
     #define C_CMDSEP "&&"
     #define C_TEXSEC ""
 #else
- -    #define C_TMPDIR g_get_tmp_dir()
+    #define C_TMPDIR g_build_path(G_DIR_SEPARATOR_S, g_get_user_cache_dir(), "gummi", NULL)
     #define C_CMDSEP ";"
     #define C_TEXSEC "env openout_any=a"
 #endif
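Review bot: The new `C_TMPDIR` expands to a `g_build_path(...)` call, which returns a newly allocated string the caller must `g_free`, whereas the `g_get_tmp_dir()` it replaces returns a string owned by GLib. Every expansion of the macro therefore leaks one path string unless the call site frees it, and the editor.c hunk of this same patch expands it twice (`g_file_test` and `g_mkdir_with_parents`) without freeing. Building the path once and handing out the cached pointer keeps the macro usable exactly as before; a sketch for the `#else` branch follows, with a placeholder helper name. The same line is repeated in the attached debdiff of debian/patches/no-predictable-tmpfiles.patch.

```c
#else
    /* placeholder name; builds the per-user cache path once and reuses it */
    static inline const gchar *gu_cache_tmpdir (void) {
        static gchar *dir = NULL;
        if (dir == NULL)
            dir = g_build_path (G_DIR_SEPARATOR_S, g_get_user_cache_dir (), "gummi", NULL);
        return dir;
    }
    #define C_TMPDIR gu_cache_tmpdir ()
    /* … unchanged: C_CMDSEP, C_TEXSEC … */
```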

- --- a/src/editor.c
+++ b/src/editor.c
@@ -180,6 +180,12 @@
  */
 void editor_fileinfo_update (GuEditor* ec, const gchar* filename) {
 
+    // directory should exist, but if not create ~/.cache/gummi:
+    if (!g_file_test (C_TMPDIR, G_FILE_TEST_IS_DIR)) {
+            slog (L_WARNING, ".cache directory does not exist, creating..\n");
+            g_mkdir_with_parents (C_TMPDIR, DIR_PERMS);
+    }
+
     if (ec->workfd != -1)
         editor_fileinfo_cleanup (ec);
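Review bot: The return value of `g_mkdir_with_parents (C_TMPDIR, DIR_PERMS)` is ignored, so when creation fails the function continues as though the directory were there; test for `-1` and log the failure before going on. `g_file_test (..., G_FILE_TEST_IS_DIR)` follows symbolic links and says nothing about ownership or mode, and the output names under this directory are still derived from the document name (the gummilog in this message shows `.relative-import-test.tex.pdf`), so the CVE-2015-7758 fix rests on the directory being private to the user. `DIR_PERMS` is defined outside the hunk; if it is not `0700`, pass `0700` here, and a comment such as `// must stay user-private: file names below are predictable` would record the assumption. `editor_fileinfo_update` continues past the end of the hunk, and the attached debdiff carries the same lines.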
</patch>

I've now prepared 0.6.3-1.2+deb7u2 which uses this fix. I've tested it with a document which
uses a relative import path:

<gummilog>
[Info] configuration file: /home/aham/.config/gummi/gummi.cfg
[Info] Texlive 2015 was found installed..
[Info] Typesetter detected: pdfTeX 3.14159265-2.6-1.40.16 (TeX Live 2015/Debian)
[Info] Typesetter detected: XeTeX 3.14159265-2.6-0.99992 (TeX Live 2015/Debian)
[Info] Typesetter detected: Latexmk 4.41
[Info] snippets : /home/aham/.config/gummi/snippets.cfg
[Info] using libpoppler 0.38.0
[Info] Typesetter pdflatex configured.
[Info] setting styles scheme to classic
[Info] setting font to Monospace 10
[Info] 
[Info] Environment created for:
[Info] TEX: relative-import-test.tex
[Info] TMP: ./.relative-import-test.tex.swp
[Info] PDF: /home/aham/.cache/gummi/.relative-import-test.tex.pdf
[Info] loading relative-import-test.tex ...
</gummilog>

<outline>
$ ls -la ~/.cache/gummi
- -rw-r--r--  1 aham aham    353 Jan 27 15:22 .relative-import-test.tex.aux
- -rw-r--r--  1 aham aham   7762 Jan 27 15:22 .relative-import-test.tex.log
- -rw-r--r--  1 aham aham 203000 Jan 27 15:22 .relative-import-test.tex.pdf
- -rw-r--r--  1 aham aham   5893 Jan 27 15:22 .relative-import-test.tex.synctex.gz
</outline>

<texlog>
This is pdfTeX, Version 3.14159265-2.6-1.40.16 (TeX Live 2015/Debian) (preloaded format=pdflatex)
 \write18 enabled.
entering extended mode
(./.relative-import-test.tex.swp
LaTeX2e <2015/10/01> patch level 2
Babel <3.9n> and hyphenation patterns for 19 languages loaded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2014/09/29 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size11.clo))
(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphicx.sty
(/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty)
(/usr/share/texlive/texmf-dist/tex/latex/graphics/graphics.sty
(/usr/share/texlive/texmf-dist/tex/latex/graphics/trig.sty)
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/graphics.cfg)
(/usr/share/texlive/texmf-dist/tex/latex/pdftex-def/pdftex.def
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/infwarerr.sty)
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ltxcmds.sty))))
No file .relative-import-test.tex.aux.
(/usr/share/texlive/texmf-dist/tex/context/base/supp-pdf.mkii
[Loading MPS to PDF converter (version 2006.09.02).]
) (/usr/share/texlive/texmf-dist/tex/generic/oberdiek/pdftexcmds.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifluatex.sty)
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifpdf.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/epstopdf-base.sty
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/grfext.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvdefinekeys.sty))
(/usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/kvsetkeys.sty
(/usr/share/texlive/texmf-dist/tex/generic/oberdiek/etexcmds.sty)))
(/usr/share/texlive/texmf-dist/tex/latex/latexconfig/epstopdf-sys.cfg))
<figures/vim11.png, id=1, 96.36pt x 30.5943pt> <use figures/vim11.png> [1{/var/
lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./figures/vim11.png>] [2]
(/home/aham/.cache/gummi/.relative-import-test.tex.aux)

LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
 )</usr/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmbx12.pfb></us
r/share/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr10.pfb></usr/share
/texlive/texmf-dist/fonts/type1/public/amsfonts/cm/cmr12.pfb></usr/share/texliv
e/texmf-dist/fonts/type1/public/amsfonts/cm/cmr6.pfb></usr/share/texlive/texmf-
dist/fonts/type1/public/amsfonts/cm/cmr8.pfb></usr/share/texlive/texmf-dist/fon
ts/type1/public/amsfonts/cm/cmr9.pfb></usr/share/texlive/texmf-dist/fonts/type1
/public/amsfonts/cm/cmsy10.pfb></usr/share/texlive/texmf-dist/fonts/type1/publi
c/amsfonts/cm/cmti10.pfb>
Output written on /home/aham/.cache/gummi/.relative-import-test.tex.pdf (2 page
s, 203000 bytes).
SyncTeX written on /home/aham/.cache/gummi/.relative-import-test.tex.synctex.gz.
Transcript written on /home/aham/.cache/gummi/.relative-import-test.tex.log.
</texlog>

Please see the attached diff for changes between deb7u1 and deb7u2. I've build
against Oldstable with Sbuild [2]. 0.6.3-1.2+deb7u1 is currently pending [3], I would
guess it just could be replaced in the pending state?

Thanks,
DS

[0] https://bugs.debian.org/812577 (gummi: relative import paths couldn't be used)

[1] https://github.com/alexandervdm/gummi/commit/4ad6486

[2] http://www.danielstender.com/buildlogs/gummi_0.6.3-1.2+deb7u2_amd64-20160127-1502.build

[3] https://bugs.debian.org/806724 (wheezy-pu: package gummi/0.6.3-1.2+deb7u1)

- -- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

- -- 
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWqNkOAAoJEBXgmvTfUYLIIpQQAKhttjBceHJYmPtd9Pb0QErL
lGWlg2kbwKZcPv/HI9Aq+pRBLp2u3P2KrG0vkxsFXePx+mXlg2BKukLeJJP7N5w1
aJyne6op//UqqdEOPENLeUH/tUAtfvOWdrN8okI96idrRl6kHVTJmXhyTdyEC9S+
pVET6hPLjCsmBnkQrdD7BfEO/MWQlGPNwTCX6DBJr0IOEdHLkM4yIDgP0PZeXtjJ
00jh47uItCx8nLvp/jwEWA2pWnAqLqYyENHDgMrJIpgAlcp76GFP4tgmEZFqhNQk
7xH+EK3GLGADp1TjNiAXAkR729qaMj52KuEtbL0dAF31afKt1vsKWewChrU8CsXv
EmZsiHPBSDIKAp1TaEAB3ASrbpnCTYZohgNIDHO5sD/KNno+QAklMseUjx+iC7sZ
qnuSITkpxdR5arUhd8n1I0vdYP+qg5sjNkf7bGPvwyjbJPLdfS88lSYMMC+rq4uZ
DxrwrNih9tU5OjfN2b0Rk/yGWOCAUtf+/Rv6CraZGJ7MaYXr4giyobsJVr53okNs
STAvMnklgLMrcoNjM+syC97lWNwp48/WNNGselBLNdQcuU4FZWG4MO7SMnQww50O
MZpXoMBUOAw6fioo2YnlL2OzD//ixx0LxibBcVMDcdwRVBO3Bh+JSuQAaFlHRsPF
GFCP1ylVWavDy9xFNfbS
=iom3
-----END PGP SIGNATURE-----
diff -Nru gummi-0.6.3/debian/changelog gummi-0.6.3/debian/changelog
--- gummi-0.6.3/debian/changelog	2015-11-30 14:07:51.000000000 +0100
+++ gummi-0.6.3/debian/changelog	2016-01-27 15:01:56.000000000 +0100
@@ -1,3 +1,9 @@
+gummi (0.6.3-1.2+deb7u2) oldstable; urgency=medium
+
+  * no-predictable-tmpfiles.patch: use upstream fix (Closes: #812577).
+
+ -- Daniel Stender <debian@danielstender.com>  Wed, 27 Jan 2016 15:00:39 +0100
+
 gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium
 
   * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432).
diff -Nru gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch
--- gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch	2015-11-30 14:06:23.000000000 +0100
+++ gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch	2016-01-27 14:59:39.000000000 +0100
@@ -1,39 +1,33 @@
-Description: don't generate predictable tmpfile names if filename is given
- Quick fix for CVE-2015-7758 (#756432).
-Author: Daniel Stender <debian@danielstender.com>
+Description: Use XDG cache dir for tmp files rather than TMPDIR.
+ Fix of CVE-2015-7758 (#756432).
+Origin: https://github.com/alexandervdm/gummi/commit/4ad6486
 Bug: https://bugs.debian.org/756432
-Forwarded: https://github.com/alexandervdm/gummi/issues/20
-Last-Update: 2015-11-29
+Last-Update: 2016-01-27
+
+--- a/src/constants.h
++++ b/src/constants.h
+@@ -59,7 +59,7 @@
+     #define C_CMDSEP "&&"
+     #define C_TEXSEC ""
+ #else
+-    #define C_TMPDIR g_get_tmp_dir()
++    #define C_TMPDIR g_build_path(G_DIR_SEPARATOR_S, g_get_user_cache_dir(), "gummi", NULL)
+     #define C_CMDSEP ";"
+     #define C_TEXSEC "env openout_any=a"
+ #endif
 
 --- a/src/editor.c
 +++ b/src/editor.c
-@@ -204,10 +204,9 @@
-         gchar* base = g_path_get_basename (filename);
-         gchar* dir = g_path_get_dirname (filename);
-         ec->filename = g_strdup (filename);
--        ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
--        ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
--        ec->pdffile =  g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
--                                       G_DIR_SEPARATOR, base);
-+        ec->basename = g_strdup (ec->fdname);
-+        ec->workfile = g_strdup (ec->fdname);
-+        ec->pdffile =  g_strdup_printf ("%s.pdf", ec->fdname);
-         g_free (base);
-         g_free (dir);
-     } else {
-@@ -237,12 +236,9 @@
-     if (ec->filename) {
-         gchar* dirname = g_path_get_dirname (ec->filename);
-         gchar* basename = g_path_get_basename (ec->filename);
--        auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR,
--                G_DIR_SEPARATOR, basename);
--        logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR,
--                G_DIR_SEPARATOR, basename);
--        syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR,
--                G_DIR_SEPARATOR, basename);
-+        auxfile = g_strdup_printf ("%s.aux", ec->fdname);
-+        logfile = g_strdup_printf ("%s.log", ec->fdname);
-+        syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
-         g_free (basename);
-         g_free (dirname);
-     } else {
+@@ -180,6 +180,12 @@
+  */
+ void editor_fileinfo_update (GuEditor* ec, const gchar* filename) {
+ 
++    // directory should exist, but if not create ~/.cache/gummi:
++    if (!g_file_test (C_TMPDIR, G_FILE_TEST_IS_DIR)) {
++            slog (L_WARNING, ".cache directory does not exist, creating..\n");
++            g_mkdir_with_parents (C_TMPDIR, DIR_PERMS);
++    }
++
+     if (ec->workfd != -1)
+         editor_fileinfo_cleanup (ec);
+ 

--- End Message ---
--- Begin Message ---
Version: 7.10

Hi,

The updates referenced in these bugs were included in today's wheezy
point release.

Regards,

Adam

--- End Message ---
