Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hello release team,

I propose an update of gamera in wheezy, 3.3.3-2+deb7u1. The new patch is a fix of CVE-2014-1937 [1]. Please see the attached debdiff for details. The security issue has been considered as being minor/non-dsa, therefore I would like to upload this as a proposed update. The related bug #737324 [2] has been closed already in Sid by gamera/3.4.1-1. I've built the new package with sbuild against wheezy, please see the buildlog here [3].

Thanks & greetings,
Daniel Stender

[1]: https://security-tracker.debian.org/tracker/CVE-2014-1937
[2]: https://bugs.debian.org/737324 (python-gamera: CVE-2014-1937: insecure use of /tmp)
[3]: http://www.danielstender.com/buildlogs/gamera_3.3.3-2+deb7u1_amd64-20150608-0933.build

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gamera-3.3.3/debian/changelog gamera-3.3.3/debian/changelog --- gamera-3.3.3/debian/changelog 2015-06-07 10:02:47.000000000 +0200 +++ gamera-3.3.3/debian/changelog 2012-07-04 16:50:40.000000000 +0200 @@ -1,10 +1,3 @@ -gamera (3.3.3-2+deb7u1) oldstable; urgency=medium - - * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324 - was closed in Sid by 3.4.1-1). - - -- Daniel Stender <[email protected]> Sun, 07 Jun 2015 10:00:40 +0200 - gamera (3.3.3-2) unstable; urgency=low * DEP-8 tests: use $ADTTMP. diff -Nru gamera-3.3.3/debian/patches/avoid_mktemp.diff gamera-3.3.3/debian/patches/avoid_mktemp.diff --- gamera-3.3.3/debian/patches/avoid_mktemp.diff 2015-06-07 10:00:10.000000000 +0200 +++ gamera-3.3.3/debian/patches/avoid_mktemp.diff 1970-01-01 01:00:00.000000000 +0100 @@ -1,16 +0,0 @@ -Description: avoid use of insecure tmpfile.mktemp() - fix of CVE-2014-1937 -Author: Daniel Stender <[email protected]> -Bug: https://bugs.debian.org/737324 - ---- a/gamera/io.py -+++ b/gamera/io.py -@@ -944,7 +944,7 @@ - raise ValueError, "type can be 'i', 'f' or 'd' in load()" - - ## STRIP OUT % AND # LINES -- tmpname = tempfile.mktemp() -+ tmpname = tempfile.NamedTemporaryFile(delete=False).name - if sys.platform == 'win32': - # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH - cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname diff -Nru gamera-3.3.3/debian/patches/series gamera-3.3.3/debian/patches/series --- gamera-3.3.3/debian/patches/series 2015-06-07 09:55:48.000000000 +0200 +++ gamera-3.3.3/debian/patches/series 2012-05-26 21:19:52.000000000 +0200 @@ -9,4 +9,3 @@ nosetests.diff trap-errors-from-pclose.diff pil-import.diff -avoid_mktemp.diff
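Review bot: the debdiff was generated in the wrong direction. In the debian/changelog hunk the new 3.3.3-2+deb7u1 entry appears as removed `-` lines, the `---` side carries the 2015 timestamp and the `+++` side the 2012 one, and the same reversal shows in the avoid_mktemp.diff and series hunks (the whole new patch is listed as `-` lines against a 1970 `+++` side). Please regenerate it with the old package first and the new package second so the additions show up as `+` lines. Also, the changelog entry names the patch `avoid_mktexmp.diff` while the file actually added to debian/patches and to series is `avoid_mktemp.diff`; fix the typo in the changelog before upload.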
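Review bot: in the avoid_mktemp.diff hunk, `tmpname = tempfile.NamedTemporaryFile(delete=False).name` does close the mktemp() race, because the file is now created with O_CREAT|O_EXCL and mode 0600 before its name is handed to the grep shell command, but the file object is thrown away on the same line, so the descriptor is only closed whenever the interpreter collects it; on CPython that is immediate, elsewhere it need not be, and on win32 an open handle would block grep.exe from writing to the path. `fd, tmpname = tempfile.mkstemp()` followed by `os.close(fd)` gives the same security property with the close made explicit. With delete=False nothing in the visible context removes the file afterwards, so please check that the surrounding load() code unlinks tmpname once grep has run, otherwise every call leaves a file behind in /tmp. Finally, the DEP-3 header has Description, Author and Bug but no Forwarded field; since the bug is already closed in Sid by 3.4.1-1, stating whether the change is upstream or Debian-only would help the next maintainer.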

