Bug#806640: jessie-pu: package gummi/0.6.5-3+deb8u1
Control: tags -1 -moreinfo +confirmed
On Fri, 2016-01-01 at 19:08 +0100, Daniel Stender wrote:
> On 01.01.2016 18:50, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2015-11-29 at 18:24 +0100, Daniel Stender wrote:
> >> I propose an update of Gummi in Jessie.
> >>
> >> The applied patch is a fix of security problem CVE 2015-7758 [1].
> >
> > +- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
> > +- ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
> > +- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
> > +- G_DIR_SEPARATOR, base);
> > ++ ec->basename = g_strdup (ec->fdname);
> > ++ ec->workfile = g_strdup (ec->fdname);
> > ++ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname);
> >
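Review bot: `ec->workfile = g_strdup (ec->fdname);` and the `ec->basename` assignment above it now store the same string under two field names, and nothing in the hunk says what `ec->fdname` refers to, so a reader cannot tell from these lines whether the working copy can collide with the user's document. A short comment above the assignments saying that `fdname` is the temporary file's name, if that is the case, would settle it. Separately, `ec->pdffile` is built as `"%s.pdf"` from that name, a sibling path that this hunk only names and does not create; if `fdname` lives in a shared directory, consider keeping the derived files in a per-session private directory instead.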
> > Apologies if I'm missing something, particularly what "workfile" refers
> > to in this case, but does this run the risk of overwriting the original
> > file?
> >
> > Regards,
> >
> > Adam
>
> "workfile" is misleading. With the patch $ gummi /tmp/test.tex
> results in tempfiles:
>
> /tmp/gummi_ZIYFAY
> /tmp/gummi_ZIYFAY.aux
> /tmp/gummi_ZIYFAY.log
> /tmp/gummi_ZIYFAY.pdf
> /tmp/gummi_ZIYFAY.synctex.gz
>
> ec->workfile being "gummi_ZIYFAY" (like when no filename is given. I've suggested
> upstream to rewrite that, though).
Ah, okay. Yes, that's slightly confusing naming, at least in isolation.
Please go ahead.
Regards,
Adam