Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <[email protected]>
and subject line Fix included in oldstable
has caused the Debian Bug report #806724,
regarding wheezy-pu: package gummi/0.6.3-1.2+deb7u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
806724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806724
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi,
I propose an update of Gummi also in Wheezy.
The applied patch is a fix of security problem CVE 2015-7758 [1].
The security team marked this issue as minor/no-DSA [2], so I would upload
it to oldstable as proposed update.
Please see the attached debdiff for details of changes. I've build the
package against oldstable [3].
Thanks
Daniel Stender
[1] https://bugs.debian.org/756432
[2] https://security-tracker.debian.org/tracker/source-package/gummi
[3]
http://www.danielstender.com/buildlogs/gummi_0.6.3-1.2+deb7u1_amd64-20151130-1409.build
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru gummi-0.6.3/debian/changelog gummi-0.6.3/debian/changelog
--- gummi-0.6.3/debian/changelog 2012-09-30 17:29:02.000000000 +0200
+++ gummi-0.6.3/debian/changelog 2015-11-30 14:07:51.000000000 +0100
@@ -1,3 +1,9 @@
+gummi (0.6.3-1.2+deb7u1) oldstable; urgency=medium
+
+ * Added no-predictable-tmpfiles.patch, fix of CVE 2015-7758 (Closes: #756432).
+
+ -- Daniel Stender <[email protected]> Mon, 30 Nov 2015 14:06:45 +0100
+
gummi (0.6.3-1.2) unstable; urgency=low
* Non-maintainer upload.
diff -Nru gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch
--- gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 1970-01-01 01:00:00.000000000 +0100
+++ gummi-0.6.3/debian/patches/no-predictable-tmpfiles.patch 2015-11-30 14:06:23.000000000 +0100
@@ -0,0 +1,39 @@
+Description: don't generate predictable tmpfile names if filename is given
+ Quick fix for CVE-2015-7758 (#756432).
+Author: Daniel Stender <[email protected]>
+Bug: https://bugs.debian.org/756432
+Forwarded: https://github.com/alexandervdm/gummi/issues/20
+Last-Update: 2015-11-29
+
+--- a/src/editor.c
++++ b/src/editor.c
+@@ -204,10 +204,9 @@
+ gchar* base = g_path_get_basename (filename);
+ gchar* dir = g_path_get_dirname (filename);
+ ec->filename = g_strdup (filename);
+- ec->basename = g_strdup_printf ("%s%c.%s", dir, G_DIR_SEPARATOR, base);
+- ec->workfile = g_strdup_printf ("%s.swp", ec->basename);
+- ec->pdffile = g_strdup_printf ("%s%c.%s.pdf", C_TMPDIR,
+- G_DIR_SEPARATOR, base);
++ ec->basename = g_strdup (ec->fdname);
++ ec->workfile = g_strdup (ec->fdname);
++ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname);
+ g_free (base);
+ g_free (dir);
+ } else {
+@@ -237,12 +236,9 @@
+ if (ec->filename) {
+ gchar* dirname = g_path_get_dirname (ec->filename);
+ gchar* basename = g_path_get_basename (ec->filename);
+- auxfile = g_strdup_printf ("%s%c.%s.aux", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
+- logfile = g_strdup_printf ("%s%c.%s.log", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
+- syncfile = g_strdup_printf ("%s%c.%s.synctex.gz", C_TMPDIR,
+- G_DIR_SEPARATOR, basename);
++ auxfile = g_strdup_printf ("%s.aux", ec->fdname);
++ logfile = g_strdup_printf ("%s.log", ec->fdname);
++ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
+ g_free (basename);
+ g_free (dirname);
+ } else {
diff -Nru gummi-0.6.3/debian/patches/series gummi-0.6.3/debian/patches/series
--- gummi-0.6.3/debian/patches/series 2012-09-30 17:24:55.000000000 +0200
+++ gummi-0.6.3/debian/patches/series 2015-11-30 14:06:41.000000000 +0100
@@ -1,2 +1,3 @@
libgthread-2.0_link.patch
fix_fd_leak.patch
+no-predictable-tmpfiles.patch
--- End Message ---
--- Begin Message ---
Version: 7.10
Hi,
The updates referenced in these bugs were included in today's wheezy
point release.
Regards,
Adam
--- End Message ---
