--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mat 0.6.1-4, that fixes:

 * a bug with security implications (Jessie is not affected): one of the
   operation modes of MAT silently fails to clean metadata;
 * the --backup option, which is required to fix the aforementioned
   bug.

Both patches are minimal, trivial fixes cherry-picked from upstream; but to be
fair, I have authored them upstream in the first place. I've asked the current
upstream maintainer to request a CVE and put a new upstream release out.

autopkgtests pass locally, ci.debian.net hasn't tested the package yet.

unblock mat/0.6.1-4

-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
changelog | 13 ++++++
patches/Make-the-Nautilus-extension-work-again.patch | 31 +++++++++++++++
patches/Revert-Improves-a-bit-portability.patch | 38 +++++++++++++++++++
patches/series | 2 +
4 files changed, 84 insertions(+)
diff -Nru mat-0.6.1/debian/changelog mat-0.6.1/debian/changelog
--- mat-0.6.1/debian/changelog 2016-08-26 08:40:53.000000000 +0000
+++ mat-0.6.1/debian/changelog 2017-03-18 11:28:06.000000000 +0000
@@ -1,3 +1,16 @@
+mat (0.6.1-4) unstable; urgency=medium
+
+ * New patch (Make-the-Nautilus-extension-work-again.patch) cherry-picked
+ from upstream: fix the Nautilus extension silently failing
+ (Closes: #858058).
+ * New patch (Revert-Improves-a-bit-portability.patch), cherry-picked
+ from upstream: fix the --backup option. This option is not only available
+ in all interfaces (CLI, GUI), but it's forcibly enabled in the Nautilus
+ extension, so it has to work for the Nautilus extension to work.
+ Thus, this additional change is needed to fully fix #858058.
+
+ -- intrigeri <intrigeri@debian.org> Sat, 18 Mar 2017 11:28:06 +0000
+
mat (0.6.1-3) unstable; urgency=medium
* Update documentation of recommended packages in README.Debian.
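Review bot: The first bullet of the 0.6.1-4 entry says only that the Nautilus extension was "silently failing" and leaves out the consequence stated in the patch header, that metadata is left in the file without the user being made aware of it. Since this entry closes #858058 and is what users and the release team read first, suggest wording it as "fix the Nautilus extension silently failing to clean metadata" so the security relevance is visible in the changelog itself.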
diff -Nru mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch
--- mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch 1970-01-01 00:00:00.000000000 +0000
+++ mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch 2017-03-18 11:28:06.000000000 +0000
@@ -0,0 +1,31 @@
+From: intrigeri <intrigeri@boum.org>
+Date: Sat, 18 Mar 2017 08:31:27 +0000
+Debian-Bug: https://bugs.debian.org/858058
+Origin: https://0xacab.org/mat/mat/commit/94ca62a429bb6a3a5f293de26053e54bbfeea9f9
+Subject: Make the Nautilus extension work again.
+
+It was broken since commit 0d1fe2555e90db35eeb531a1b6026ff64f1f5ae5,
+i.e. in the MAT 0.6 and 0.6.1 releases.
+
+The impact is: the MAT extension for Nautilus fails to clean metadata,
+without making the user aware of it.
+
+This bug was discovered by the Tails contributor sajolida, and initially
+reported to Debian as https://bugs.debian.org/858058.
+---
+ nautilus/nautilus-mat.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nautilus/nautilus-mat.py b/nautilus/nautilus-mat.py
+index 0974bef..7c2d740 100644
+--- a/nautilus/nautilus-mat.py
++++ b/nautilus/nautilus-mat.py
+@@ -77,7 +77,7 @@ class MatExtension(GObject.GObject, Nautilus.MenuProvider):
+ :param current_file: Name of the selected file
+ :param menu: Menu id from which the callback was activated. Unused.
+ """
+- if file.is_gone():
++ if current_file.is_gone():
+ return
+
+ # files url in nautilus are starting with 'file://', of length 7
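Review bot: The one-line change to "if current_file.is_gone():" corrects the name (the old line used "file" rather than the current_file parameter documented just above), but nothing here addresses why the breakage went unnoticed by the user, which is the impact the patch description calls out. Suggest a follow-up that reports a failure of this callback to the user instead of leaving the file uncleaned with no message, plus a test that drives the callback with a real file so a mistyped name in this function is caught before a release.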
diff -Nru mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch
--- mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch 1970-01-01 00:00:00.000000000 +0000
+++ mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch 2017-03-18 11:28:06.000000000 +0000
@@ -0,0 +1,38 @@
+From: intrigeri <intrigeri@boum.org>
+Date: Sat, 18 Mar 2017 11:21:57 +0000
+Origin: https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a
+Bug-Upstream: https://0xacab.org/mat/mat/issues/11526
+Subject: Revert "Improves a bit portability"
+
+This reverts commit d054e313d7d83ec0089f7e0efe6b8a988fe99b3a.
+
+os.path.join is *not* suitable for concatenating parts of the basename of
+a file.
+
+Closes: #11526
+---
+ libmat/parser.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libmat/parser.py b/libmat/parser.py
+index 2a82a25..1b58f87 100644
+--- a/libmat/parser.py
++++ b/libmat/parser.py
+@@ -51,7 +51,7 @@ class GenericParser(object):
+ def create_backup_copy(self):
+ """ Create a backup copy
+ """
+- shutil.copy2(self.filename, os.path.join(self.filename, '.bak'))
++ shutil.copy2(self.filename, self.filename + '.bak')
+
+ def do_backup(self):
+ """ Keep a backup of the file if asked.
+@@ -60,7 +60,7 @@ class GenericParser(object):
+ but it greatly simplify new strippers implementation.
+ """
+ if self.backup:
+- shutil.move(self.filename, os.path.join(self.filename, '.bak'))
++ shutil.move(self.filename, self.filename + '.bak')
+ else:
+ mat.secure_remove(self.filename)
+ shutil.move(self.output, self.filename)
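Review bot: No test accompanies the two changed call sites in libmat/parser.py (create_backup_copy and do_backup); the diffstat for this upload touches only the changelog and debian/patches. The old os.path.join(self.filename, '.bak') builds a path underneath the file itself (name/.bak) rather than name.bak, and the changelog notes that backup is forcibly enabled in the Nautilus extension, so a regression on this path brings back the failure to clean metadata. Suggest adding an autopkgtest that cleans a sample file with --backup and checks that both the cleaned file and the ".bak" copy next to it exist afterwards.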
diff -Nru mat-0.6.1/debian/patches/series mat-0.6.1/debian/patches/series
--- mat-0.6.1/debian/patches/series 2016-08-26 08:40:53.000000000 +0000
+++ mat-0.6.1/debian/patches/series 2017-03-18 11:28:06.000000000 +0000
@@ -1 +1,3 @@
Disable-PDF-support.-Closes-826101.patch
+Make-the-Nautilus-extension-work-again.patch
+Revert-Improves-a-bit-portability.patch
--- End Message ---