Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

I propose an update of Gummi also in Wheezy. The applied patch is a fix of security problem CVE 2015-7758 [1]. The security team marked this issue as minor/no-DSA [2], so I would upload it to oldstable as proposed update. Please see the attached debdiff for details of changes. I've built the package against oldstable [3].

Thanks
Daniel Stender

[1] https://bugs.debian.org/756432
[2] https://security-tracker.debian.org/tracker/source-package/gummi
[3] http://www.danielstender.com/buildlogs/gummi_0.6.3-1.2+deb7u1_amd64-20151130-1409.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gummi-0.6.3/debian/changelog gummi-0.6.3/debian/changelog --- gummi-0.6.3/debian/changelog 2012-09-30 17:29:02.000000000 +0200 +++ gummi-0.6.3/debian/changelog 2015-11-30 14:07:51.000000000 +0100 @@ -1,3 +1,9 @@ +gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium + + * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432). + + -- Daniel Stender <deb...@danielstender.com> Mon, 30 Nov 2015 14:06:45 +0100 + gummi (0.6.3-1.2) unstable; urgency=low * Non-maintainer upload. diff -Nru gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch --- gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 1970-01-01 01:00:00.000000000 +0100 +++ gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 2015-11-30 14:06:23.000000000 +0100 
@@ -0,0 +1,39 @@ +Description: don't generate predictable tmpfile names if filename is given + Quick fix for CVE-2015-7758 (#756432). +Author: Daniel Stender <deb...@danielstender.com> +Bug: https://bugs.debian.org/756432 +Forwarded: https://github.com/alexandervdm/gummi/issues/20 +Last-Update: 2015-11-29 + +--- a/src/editor.c ++++ b/src/editor.c +@@ -204,10 +204,9 @@ + gchar* base = g_path_get_basename (filename); + gchar* dir = g_path_get_dirname (filename); + ec->filename = g_strdup (filename); +- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base); +- ec->workfile = g_strdup_printf ("%s.swp", ec->basename); +- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR, +- G_DIR_SEPARATOR, base); ++ ec->basename = g_strdup (ec->fdname); ++ ec->workfile = g_strdup (ec->fdname); ++ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname); + g_free (base); + g_free (dir); + } else { +@@ -237,12 +236,9 @@ + if (ec->filename) { + gchar* dirname = g_path_get_dirname (ec->filename); + gchar* basename = g_path_get_basename (ec->filename); +- auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR, +- G_DIR_SEPARATOR, basename); +- logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR, +- G_DIR_SEPARATOR, basename); +- syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR, +- G_DIR_SEPARATOR, basename); ++ auxfile = g_strdup_printf ("%s.aux", ec->fdname); ++ logfile = g_strdup_printf ("%s.log", ec->fdname); ++ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname); + g_free (basename); + g_free (dirname); + } else { diff -Nru gummi-0.6.3/debian/patches/series gummi-0.6.3/debian/patches/series --- gummi-0.6.3/debian/patches/series 2012-09-30 17:24:55.000000000 +0200 +++ gummi-0.6.3/debian/patches/series 2015-11-30 14:06:41.000000000 +0100 @@ -1,2 +1,3 @@ libgthread-2.0_link.patch fix_fd_leak.patch +no-predictable-tmpfiles.patch
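Review bot: In the debian/changelog hunk the identifier is written "CVE 2015-7758" rather than the canonical hyphenated form; change the entry to `* Added no-predictable-tmpfiles.patch, fix of CVE-2015-7758 (Closes: #756432).` so tooling that scans changelogs for CVE ids matches it. The patch header (Description line) already uses the correct CVE-2015-7758 spelling, so only the changelog line is inconsistent.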
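Review bot: The first src/editor.c hunk (@@ -204,10 +204,9 @@) makes ec->basename, ec->workfile and ec->pdffile all depend on ec->fdname, which is neither assigned nor checked in the visible lines; the patch Description should state that ec->fdname is already initialised before this branch runs, or the branch should guard it, because g_strdup(NULL) silently yields NULL names rather than failing. Two further points for the same hunk: ec->workfile used to be `dir/.base.swp` beside the document and is now the same path as ec->fdname, so the swap file no longer lives next to the source file, a user-visible change the changelog entry does not mention; and after the change `base` and `dir` are only computed and then freed, so those four lines are dead and can be dropped.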
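Review bot: In the second src/editor.c hunk (@@ -237,12 +236,9 @@), `dirname` and `basename` are still obtained from ec->filename and immediately freed, but nothing in the branch uses them once auxfile, logfile and syncfile are built from ec->fdname; drop the two g_path_get_* calls and their matching g_free calls. Note also that the new names are still formed by appending .aux, .log and .synctex.gz to ec->fdname with g_strdup_printf, so the fix rests entirely on the unpredictability of ec->fdname rather than on exclusive creation of each sibling file; a short comment stating that assumption would help the next reader judge whether it is sufficient.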