Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package mat 0.6.1-4, that fixes:

 * a bug with security implications (Jessie is not affected): one of the
   operation modes of MAT silently fails to clean metadata;
 * the --backup option, which is required to fix the aforementioned bug.

Both patches are minimal, trivial fixes cherry-picked from upstream; but to be fair, I have authored them upstream in the first place. I've asked the current upstream maintainer to request a CVE and put a new upstream release out.

autopkgtests pass locally, ci.debian.net hasn't tested the package yet.

unblock mat/0.6.1-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

changelog | 13 ++++++ patches/Make-the-Nautilus-extension-work-again.patch | 31 +++++++++++++++ patches/Revert-Improves-a-bit-portability.patch | 38 +++++++++++++++++++ patches/series | 2 + 4 files changed, 84 insertions(+) diff -Nru mat-0.6.1/debian/changelog mat-0.6.1/debian/changelog --- mat-0.6.1/debian/changelog 2016-08-26 08:40:53.000000000 +0000 +++ mat-0.6.1/debian/changelog 2017-03-18 11:28:06.000000000 +0000 @@ -1,3 +1,16 @@ +mat (0.6.1-4) unstable; urgency=medium + + * New patch (Make-the-Nautilus-extension-work-again.patch) cherry-picked + from upstream: fix the Nautilus extension silently failing + (Closes: #858058). + * New patch (Revert-Improves-a-bit-portability.patch), cherry-picked + from upstream: fix the --backup option. This option is not only available + in all interfaces (CLI, GUI), but it's forcibly enabled in the Nautilus + extension, so it has to work for the Nautilus extension to work. + Thus, this additional change is needed to fully fix #858058. + + -- intrigeri <intrig...@debian.org> Sat, 18 Mar 2017 11:28:06 +0000 + mat (0.6.1-3) unstable; urgency=medium * Update documentation of recommended packages in README.Debian. diff -Nru mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch --- mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch 1970-01-01 00:00:00.000000000 +0000 +++ mat-0.6.1/debian/patches/Make-the-Nautilus-extension-work-again.patch 2017-03-18 11:28:06.000000000 +0000 
@@ -0,0 +1,31 @@ +From: intrigeri <intrig...@boum.org> +Date: Sat, 18 Mar 2017 08:31:27 +0000 +Debian-Bug: https://bugs.debian.org/858058 +Origin: https://0xacab.org/mat/mat/commit/94ca62a429bb6a3a5f293de26053e54bbfeea9f9 +Subject: Make the Nautilus extension work again. + +It was broken since commit 0d1fe2555e90db35eeb531a1b6026ff64f1f5ae5, +i.e. in the MAT 0.6 and 0.6.1 releases. + +The impact is: the MAT extension for Nautilus fails to clean metadata, +without making the user aware of it. + +This bug was discovered by the Tails contributor sajolida, and initially +reported to Debian as https://bugs.debian.org/858058. +--- + nautilus/nautilus-mat.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nautilus/nautilus-mat.py b/nautilus/nautilus-mat.py +index 0974bef..7c2d740 100644 +--- a/nautilus/nautilus-mat.py ++++ b/nautilus/nautilus-mat.py +@@ -77,7 +77,7 @@ class MatExtension(GObject.GObject, Nautilus.MenuProvider): + :param current_file: Name of the selected file + :param menu: Menu id from which the callback was activated. Unused. + """ +- if file.is_gone(): ++ if current_file.is_gone(): + return + + # files url in nautilus are starting with 'file://', of length 7 diff -Nru mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch --- mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch 1970-01-01 00:00:00.000000000 +0000 +++ mat-0.6.1/debian/patches/Revert-Improves-a-bit-portability.patch 2017-03-18 11:28:06.000000000 +0000 
@@ -0,0 +1,38 @@ +From: intrigeri <intrig...@boum.org> +Date: Sat, 18 Mar 2017 11:21:57 +0000 +Origin: https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a +Bug-Upstream: https://0xacab.org/mat/mat/issues/11526 +Subject: Revert "Improves a bit portability" + +This reverts commit d054e313d7d83ec0089f7e0efe6b8a988fe99b3a. + +os.path.join is *not* suitable for concatenating parts of the basename of +a file. + +Closes: #11526 +--- + libmat/parser.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libmat/parser.py b/libmat/parser.py +index 2a82a25..1b58f87 100644 +--- a/libmat/parser.py ++++ b/libmat/parser.py +@@ -51,7 +51,7 @@ class GenericParser(object): + def create_backup_copy(self): + """ Create a backup copy + """ +- shutil.copy2(self.filename, os.path.join(self.filename, '.bak')) ++ shutil.copy2(self.filename, self.filename + '.bak') + + def do_backup(self): + """ Keep a backup of the file if asked. +@@ -60,7 +60,7 @@ class GenericParser(object): + but it greatly simplify new strippers implementation. + """ + if self.backup: +- shutil.move(self.filename, os.path.join(self.filename, '.bak')) ++ shutil.move(self.filename, self.filename + '.bak') + else: + mat.secure_remove(self.filename) + shutil.move(self.output, self.filename) diff -Nru mat-0.6.1/debian/patches/series mat-0.6.1/debian/patches/series --- mat-0.6.1/debian/patches/series 2016-08-26 08:40:53.000000000 +0000 +++ mat-0.6.1/debian/patches/series 2017-03-18 11:28:06.000000000 +0000 @@ -1 +1,3 @@ Disable-PDF-support.-Closes-826101.patch +Make-the-Nautilus-extension-work-again.patch +Revert-Improves-a-bit-portability.patch
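
Review bot: In the debian/changelog hunk, the first bullet of the 0.6.1-4 entry says only that the Nautilus extension was "silently failing" and leaves out the consequence that the patch header spells out: the extension fails to clean metadata without making the user aware of it. Suggest stating that in the changelog bullet itself, since the changelog is what users read on upgrade and the patch header is not.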
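
Review bot: The nautilus/nautilus-mat.py hunk (@@ -77,7 +77,7) corrects the name at "if current_file.is_gone():" so that it matches the parameter documented in the docstring just above, but the patch adds nothing that would catch the same mistake again: its diffstat is one file, one line, and no test. Since the patch header says the failure was invisible to the user, consider a follow-up that reports errors raised in this callback to the user, plus a test that invokes the callback on a sample file and checks that the result was actually cleaned.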
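
Review bot: In the first libmat/parser.py hunk (@@ -51,7 +51,7, create_backup_copy), the expression self.filename + '.bak' is written out here and again in do_backup, which is how a single mistaken expression broke both call sites. Suggest computing the backup path once, in a small helper or attribute, and using it in both places. Also note that shutil.copy2 replaces an existing destination, so an earlier .bak file for the same name is overwritten without notice; that deserves a check or at least a line in the docstring.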
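
Review bot: In the second libmat/parser.py hunk (@@ -60,7 +60,7, do_backup), the backup branch moves the original to self.filename + '.bak' and does not go through mat.secure_remove, so an uncleaned copy of the file stays next to the cleaned output. The changelog in this same debdiff says the backup option is forcibly enabled in the Nautilus extension, so the docstring should state that the .bak file still carries the original metadata, and the extension should make that visible to the user.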