Hello community, here is the log from the commit of package gummi for openSUSE:Factory checked in at 2015-12-24 12:16:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gummi (Old) and /work/SRC/openSUSE:Factory/.gummi.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gummi" Changes: -------- --- /work/SRC/openSUSE:Factory/gummi/gummi.changes 2015-01-20 12:36:19.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gummi.new/gummi.changes 2015-12-24 12:16:43.000000000 +0100 @@ -1,0 +2,14 @@ +Thu Dec 17 01:53:28 UTC 2015 - badshah400@gmail.com + +- Update to 0.7.4.3: + + No changelog entry. +- Add patch gummi-predictable-tmpfiles.patch to fix an exploitable + issue caused by gummi setting predictable file names in /tmp + (CVE-2015-7758, gh#alexandervdm/gummi#20, boo#949682). +- Add gummi-incorrect-desktop-file-version.patch to remove the + version tag from .desktop file, it is not meant to indicate pkg + version and causes rpmlint warnings. +- Rebase gummi-fix-crash-on-opening-file.patch for updated + version. + +------------------------------------------------------------------- Old: ---- gummi-gtk3_0.7.1.orig.tar.gz New: ---- gummi-gtk3_0.7.4.3.orig.tar.gz gummi-incorrect-desktop-file-version.patch gummi-predictable-tmpfiles.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gummi.spec ++++++ --- /var/tmp/diff_new_pack.ZnQR8d/_old 2015-12-24 12:16:45.000000000 +0100 +++ /var/tmp/diff_new_pack.ZnQR8d/_new 2015-12-24 12:16:45.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package gummi # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ Name: gummi -Version: 0.7.1 +Version: 0.7.4.3 Release: 0 Summary: Simple LaTeX editor License: MIT @@ -27,6 +27,10 @@ Source0: https://launchpad.net/~gummi/+archive/ubuntu/gummi/+files/%{name}-gtk3_%{version}.orig.tar.gz # PATCH-FIX-UPSTREAM gummi-fix-crash-on-opening-file.patch bnc#840589 hpj@suse.com -- Fix crash on opening file from the GUI. Patch1: gummi-fix-crash-on-opening-file.patch +# PATCH-FIX-UPSTREAM gummi-predictable-tmpfiles.patch CVE-2015-7758 gh#alexandervdm/gummi#20 boo#949682 badshah400@gmail.com -- Fix predictable file names in /tmp +Patch2: gummi-predictable-tmpfiles.patch +# PATCH-FIX-UPSTREAM gummi-incorrect-desktop-file-version.patch badshah400@gmail.com -- Remove the version tag from .desktop file, it is not meant to indicate pkg version and causes rpmlint warnings +Patch3: gummi-incorrect-desktop-file-version.patch BuildRequires: fdupes BuildRequires: intltool BuildRequires: pkg-config @@ -53,6 +57,8 @@ %prep %setup -q -n %{name}-gtk3-%{version} %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %configure ++++++ gummi-fix-crash-on-opening-file.patch ++++++ --- /var/tmp/diff_new_pack.ZnQR8d/_old 2015-12-24 12:16:45.000000000 +0100 +++ /var/tmp/diff_new_pack.ZnQR8d/_new 2015-12-24 12:16:45.000000000 +0100 
@@ -1,14 +1,14 @@ Upstream bug: http://dev.midnightcoding.org/issues/498 -diff --git a/src/gui/gui-tabmanager.c b/src/gui/gui-tabmanager.c -index 4056faf..c7b7c09 100644 ---- a/src/gui/gui-tabmanager.c -+++ b/src/gui/gui-tabmanager.c -@@ -165,12 +165,13 @@ +Index: gummi-gtk3-0.7.4.3/src/gui/gui-tabmanager.c +=================================================================== +--- gummi-gtk3-0.7.4.3.orig/src/gui/gui-tabmanager.c ++++ gummi-gtk3-0.7.4.3/src/gui/gui-tabmanager.c +@@ -166,11 +166,13 @@ gchar* tabmanagergui_get_labeltext(GuTab gint tabmanagergui_replace_page(GuTabContext* tc, GuEditor* newec) { + GtkWidget *scrolled_view = GTK_WIDGET (g_active_editor->view); - ++ gummi->tabmanager->active_tab->editor = newec; - gtk_container_remove(GTK_CONTAINER(tc->page->scrollw), @@ -16,6 +16,6 @@ editor_destroy(g_active_editor); + gtk_container_remove (GTK_CONTAINER (tc->page->scrollw), + scrolled_view); + + g_object_ref(newec->view); gtk_container_add(GTK_CONTAINER(tc->page->scrollw), - GTK_WIDGET(newec->view)); - gtk_widget_show(GTK_WIDGET(newec->view)); ++++++ gummi-gtk3_0.7.1.orig.tar.gz -> gummi-gtk3_0.7.4.3.orig.tar.gz ++++++ /work/SRC/openSUSE:Factory/gummi/gummi-gtk3_0.7.1.orig.tar.gz /work/SRC/openSUSE:Factory/.gummi.new/gummi-gtk3_0.7.4.3.orig.tar.gz differ: char 5, line 1 ++++++ gummi-incorrect-desktop-file-version.patch ++++++ Index: gummi-gtk3-0.7.4.3/data/misc/gummi.desktop.in =================================================================== --- gummi-gtk3-0.7.4.3.orig/data/misc/gummi.desktop.in +++ gummi-gtk3-0.7.4.3/data/misc/gummi.desktop.in @@ -1,5 +1,4 @@ [Desktop Entry] -Version=@PACKAGE_VERSION@ Name=@PACKAGE_NAME@ GenericName=LaTeX Editor Comment=Simple LaTeX Editor ++++++ gummi-predictable-tmpfiles.patch ++++++ Index: gummi-gtk3-0.7.4.3/src/editor.c =================================================================== --- gummi-gtk3-0.7.4.3.orig/src/editor.c +++ gummi-gtk3-0.7.4.3/src/editor.c 
@@ -224,10 +224,9 @@ void editor_fileinfo_update(GuEditor* ec
 gchar* base = g_path_get_basename(fname);
 gchar* dir = g_path_get_dirname(fname);
 ec->filename = g_strdup(fname);
- ec->basename = g_strdup_printf("%s%c.%s", dir, G_DIR_SEPARATOR, base);
- ec->workfile = g_strdup_printf("%s.swp", ec->basename);
- ec->pdffile = g_strdup_printf("%s%c.%s.pdf", C_TMPDIR,
- G_DIR_SEPARATOR, base);
+ ec->basename = g_strdup (ec->fdname);
+ ec->workfile = g_strdup (ec->fdname);
+ ec->pdffile = g_strdup_printf ("%s.pdf", ec->fdname);
 g_free(fname);
 g_free(base);
 g_free(dir);
@@ -260,12 +259,9 @@ void editor_fileinfo_cleanup(GuEditor* e
 if (ec->filename) {
 gchar* dirname = g_path_get_dirname(ec->filename);
 gchar* basename = g_path_get_basename(ec->filename);
- auxfile = g_strdup_printf("%s%c.%s.aux", C_TMPDIR,
- G_DIR_SEPARATOR, basename);
- logfile = g_strdup_printf("%s%c.%s.log", C_TMPDIR,
- G_DIR_SEPARATOR, basename);
- syncfile = g_strdup_printf("%s%c.%s.synctex.gz", C_TMPDIR,
- G_DIR_SEPARATOR, basename);
+ auxfile = g_strdup_printf ("%s.aux", ec->fdname);
+ logfile = g_strdup_printf ("%s.log", ec->fdname);
+ syncfile = g_strdup_printf ("%s.synctex.gz", ec->fdname);
 g_free(basename);
 g_free(dirname);
 } else {
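Review bot: The derived paths are still plain suffixes appended to `ec->fdname`: `ec->pdffile` in this hunk, and `auxfile`, `logfile` and `syncfile` in the editor_fileinfo_cleanup hunk. So only the work file itself can have been created exclusively; how `ec->fdname` is generated is not visible in this patch, presumably through a mkstemp-style call elsewhere. Once that file exists in a shared /tmp its name is visible to other local users, which makes `<fdname>.pdf`, `.aux`, `.log` and `.synctex.gz` predictable again before the first compile writes them. Keeping all build artefacts in a per-session directory with owner-only permissions (GLib's `g_dir_make_tmp()` creates one) would close that gap, and a guard such as `g_return_if_fail (ec->fdname != NULL);` before the `g_strdup_printf` calls would cover a NULL `fdname`. The body of editor_fileinfo_update starts and ends outside the hunk.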
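Review bot: `dirname` and `basename` in this hunk are now allocated and freed without being read, since all three paths come from `ec->fdname`; the same holds for `base` and `dir` in the editor_fileinfo_update hunk. Dropping the `g_path_get_dirname`/`g_path_get_basename` calls and their `g_free`s would make it visible in the code that the temporary names no longer depend on the document's name. If the `else` branch, which lies outside the hunk, builds the same three names, the `if (ec->filename)` split may be removable as well. A short comment such as `/* build artefacts are named after ec->fdname, never after the document */` would record why.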