Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #788064,
regarding wheezy-pu: package gamera/3.3.3-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
788064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=788064
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hello release team,
I propose an update of gamera in wheezy, 3.3.3-2+deb7u1.
The new patch is a fix of CVE-2014-1937 [1].
Please see the attached debdiff for details.
The security issue has been considered as being minor/non-dsa,
therefore I would like to upload this as a proposed update.
The related bug #737324 [2] has been closed already in Sid by gamera/3.4.1-1.
I've built the new package with sbuild against wheezy, please
see the buildlog here [3].
Thanks & greetings,
Daniel Stender
[1]: https://security-tracker.debian.org/tracker/CVE-2014-1937
[2]: https://bugs.debian.org/737324
python-gamera: CVE-2014-1937: insecure use of /tmp
[3]: http://www.danielstender.com/buildlogs/gamera_3.3.3-2+deb7u1_amd64-20150608-0933.build
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gamera-3.3.3/debian/changelog gamera-3.3.3/debian/changelog
--- gamera-3.3.3/debian/changelog 2015-06-07 10:02:47.000000000 +0200
+++ gamera-3.3.3/debian/changelog 2012-07-04 16:50:40.000000000 +0200
@@ -1,10 +1,3 @@
-gamera (3.3.3-2+deb7u1) oldstable; urgency=medium
-
- * add avoid_mktexmp.diff to fix CVE-2014-1937 (related bug #737324
- was closed in Sid by 3.4.1-1).
-
- -- Daniel Stender <[email protected]> Sun, 07 Jun 2015 10:00:40 +0200
-
gamera (3.3.3-2) unstable; urgency=low
* DEP-8 tests: use $ADTTMP.
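Review bot: the new changelog entry names the patch as avoid_mktexmp.diff, but the file added under debian/patches and listed in the series file is avoid_mktemp.diff. Correct the name in the changelog so the entry matches the patch that is actually shipped and can be found by anyone searching for it later.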
diff -Nru gamera-3.3.3/debian/patches/avoid_mktemp.diff gamera-3.3.3/debian/patches/avoid_mktemp.diff
--- gamera-3.3.3/debian/patches/avoid_mktemp.diff 2015-06-07 10:00:10.000000000 +0200
+++ gamera-3.3.3/debian/patches/avoid_mktemp.diff 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-Description: avoid use of insecure tmpfile.mktemp()
- fix of CVE-2014-1937
-Author: Daniel Stender <[email protected]>
-Bug: https://bugs.debian.org/737324
-
---- a/gamera/io.py
-+++ b/gamera/io.py
-@@ -944,7 +944,7 @@
- raise ValueError, "type can be 'i', 'f' or 'd' in load()"
-
- ## STRIP OUT % AND # LINES
-- tmpname = tempfile.mktemp()
-+ tmpname = tempfile.NamedTemporaryFile(delete=False).name
- if sys.platform == 'win32':
- # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH
- cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname
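Review bot: in the gamera/io.py change, the object returned by tempfile.NamedTemporaryFile(delete=False) is discarded and only its .name is kept, so nothing in the visible lines closes the handle explicitly or removes the file afterwards. The file is now created exclusively before the shell redirect writes to it, which addresses the predictable-name race, but with delete=False cleanup becomes the caller's job; please confirm load() unlinks tmpname once it has been read, or make the lifetime explicit with `fd, tmpname = tempfile.mkstemp()` followed by `os.close(fd)` and a later `os.remove(tmpname)`. Two smaller points: the patch Description says tmpfile.mktemp() where the module is tempfile, and the unchanged context line still concatenates fname unquoted into the grep command string, which is outside this CVE but worth a follow-up.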
diff -Nru gamera-3.3.3/debian/patches/series gamera-3.3.3/debian/patches/series
--- gamera-3.3.3/debian/patches/series 2015-06-07 09:55:48.000000000 +0200
+++ gamera-3.3.3/debian/patches/series 2012-05-26 21:19:52.000000000 +0200
@@ -9,4 +9,3 @@
nosetests.diff
trap-errors-from-pclose.diff
pil-import.diff
-avoid_mktemp.diff
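Review bot: avoid_mktemp.diff appears here as a removal from the series file because the debdiff was generated from the new package to the old one (the 2015-06-07 timestamps are on the `---` side and the 2012 ones on the `+++` side throughout). Regenerating it with the old .dsc first and the new one second would show the patch being appended as the last series entry and make the whole diff read in the direction the release team will apply it.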
--- End Message ---
--- Begin Message ---
Version: 7.9
Hi,
These bugs relate to updates which were included in the 7.9 point
release.
Regards,
Adam
--- End Message ---