Your message dated Fri, 1 Jan 2016 12:59:24 +0100
with message-id <[email protected]>
and subject line Re: Bug#809085: RFS: sxiv/1.3.2-1
has caused the Debian Bug report #809085,
regarding RFS: sxiv/1.3.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
809085: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809085
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "sxiv"

 * Package name    : sxiv
   Version         : 1.3.2-1
   Upstream Author : Bert Munnich <[email protected]>
 * URL             : https://github.com/muennich/sxiv
 * License         : GPL-2.0+
   Section         : graphics

It builds those binary packages:

    sxiv  - simple X image viewer

To access further information about this package, please visit the
following URL:

  http://mentors.debian.net/package/sxiv

Alternatively, one can download the package with dget using this command:

    dget -x http://mentors.debian.net/debian/pool/main/s/sxiv/sxiv_1.3.2-1.dsc

More information about sxiv can be obtained from
https://github.com/muennich/sxiv

Changes since the last upload:

  * New upstream release.
  * debian/patches
    + Refresh install_icons.diff patch.
    + Refresh not_install_examples.diff patch.
    + Add fix_undefined_behaivor.diff patch.
      + Fix undefined behavior/uninitialised variables. (Closes: #795290)
         + Thanks to George Bradshaw for the patch
  * debian/sxiv.install
    + Install desktop file. (Closes: #796720)
  * remove sxiv.menu file.
    + Installing both files (desktop and menu file) is now prohibited.
  * debian/copyright
    + Extend copyright holders years.

Regards,
Daniel Echeverry

-- 
Daniel Echeverry
http://wiki.debian.org/DanielEcheverry
Linux user: #477840
Debian user
Software libre

--- End Message ---
--- Begin Message ---
* Daniel Echeverry <[email protected]>, 2015-12-27, 12:50:
>> exec/key-handler uses temporary files insecurely.
>
> Could you give me some info about this? I am confused, please point me out to some useful url, thanks

The code in question does:

readonly TMPFILE="/tmp/sxiv.$$"
# ...
       cat >"$TMPFILE"


So the file name is predictable, which means another local user could easily create a file with the same name. Moreover, contrary to Policy §10.4, the script doesn't fail when the file already exists.

The correct way to create temporary files in shell scripts is to use mktemp(1).

This is only an example script, which doesn't work out of the box on Debian systems anyway (because we don't have iptckwed packaged), so I uploaded the package. But please bring this issue upstream.

--
Jakub Wilk

--- End Message ---
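
The difference described in the reply above, as an added example that is not part of the original thread or of the sxiv script. The function names are hypothetical, a private sandbox directory stands in for /tmp, and the "planted" file is constructed to play the part of a file another local user created first.

```sh
#!/bin/sh
# Added example. A private sandbox directory stands in for /tmp, and the
# "planted" file is constructed to play the part of another user's file.

# Pattern from the script under discussion: predictable name, plain redirect.
# Stores stdin and prints the path used.
save_predictable() {
    tmpfile="$1/sxiv.$$"
    cat >"$tmpfile" || return 1   # succeeds even if the file already exists
    printf '%s\n' "$tmpfile"
}

# Hardened: mktemp(1) chooses an unpredictable name and creates the file
# itself with mode 0600, failing rather than reusing an existing file.
save_mktemp() {
    tmpfile=$(mktemp "$1/sxiv.XXXXXX") || return 1
    cat >"$tmpfile" || { rm -f "$tmpfile"; return 1; }
    printf '%s\n' "$tmpfile"
}

# Permission string of a file, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

demo() {
    sandbox=$(mktemp -d) || return 1
    # Constructed precondition: the predictable name already exists,
    # world-writable, before the script runs.
    printf 'planted\n' >"$sandbox/sxiv.$$"
    chmod 666 "$sandbox/sxiv.$$"

    weak=$(printf 'a.jpg\n' | save_predictable "$sandbox") || return 1
    safe=$(printf 'a.jpg\n' | save_mktemp "$sandbox") || return 1
    echo "predictable: $weak $(mode_of "$weak")"   # reused file, rw-rw-rw-
    echo "mktemp:      $safe $(mode_of "$safe")"   # fresh file, rw-------
    rm -rf "$sandbox"
}

demo
```

The predictable-name variant writes into the pre-existing file and inherits whatever permissions its creator chose, while the mktemp(1) variant always ends up with a new file that only the calling user can read or write.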
