
Bug#806640: jessie-pu: package gummi/0.6.5-3+deb8u1



On 01.01.2016 18:50, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Sun, 2015-11-29 at 18:24 +0100, Daniel Stender wrote:
>> I propose an update of Gummi in Jessie.
>>
>> The applied patch is a fix of security problem CVE 2015-7758 [1].
> 
> +-        ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
> +-        ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
> +-        ec->pdffile =  g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
> +-                                       G_DIR_SEPARATOR, base);
> ++        ec->basename = g_strdup (ec->fdname);
> ++        ec->workfile = g_strdup (ec->fdname);
> ++        ec->pdffile =  g_strdup_printf ("%s.pdf", ec->fdname);
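
Review bot: ec->basename and ec->workfile are both set to g_strdup (ec->fdname) in the added lines, so every write to workfile goes to whatever path fdname holds, and nothing in this hunk shows whether that is a freshly created temporary file or the document the user opened. A short comment above these assignments saying which it is, or a rename of workfile, would settle that for a reader. ec->pdffile is then built as "%s.pdf" on top of fdname, a name this hunk derives but does not create; if fdname sits in a shared directory, that sibling file should be opened exclusively or kept in a private directory so the name cannot be claimed by someone else first.
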
> 
> Apologies if I'm missing something, particularly what "workfile" refers
> to in this case, but does this run the risk of overwriting the original
> file?
> 
> Regards,
> 
> Adam

"workfile" is misleading. With the patch $ gummi /tmp/test.tex
results in tempfiles:

/tmp/gummi_ZIYFAY
/tmp/gummi_ZIYFAY.aux
/tmp/gummi_ZIYFAY.log
/tmp/gummi_ZIYFAY.pdf
/tmp/gummi_ZIYFAY.synctex.gz

ec->workfile being "gummi_ZIYFAY" (like when no filename is given. I've suggested
upstream to rewrite that, though).

DS

-- 
4096R/DF5182C8
46CB 1CA8 9EA3 B743 7676 1DB9 15E0 9AF4 DF51 82C8
LPI certified Linux admin (LPI000329859 64mz6f7kt4)
http://www.danielstender.com/blog/

