From ${URL} :

This is how djvudigital uses temporary files:

    djvutext="/tmp/dj$$.ps"
    trap "rm 2>/dev/null $djvutext" 0
    cat > $djvutext <<\EOF
    (ps2utf8.ps) runlibfile
    currentglobal /setglobal load true setglobal .ps2utf8 begin
    /onpage { } bind def
    /onfont { pop pop pop } bind def
    /onmark { pop pop pop pop currentx currenty currentpoint .djvutextmark } bind def
    end exec
    EOF

This is insecure because the filename is predictable and, more importantly, the program doesn't fail atomically if the file already exists. Please use mktemp(1) for creating temporary files.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
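For reference, the pattern the report asks for, written as an added example (this is not upstream's djvudigital code or the Debian/Gentoo patch): mktemp(1) replaces the predictable "/tmp/dj$$.ps", the exit trap is kept, and a noclobber writer shows the "fail if the file already exists" behaviour the original lacked. The function names, the djvutext.XXXXXXXXXX template and the $TMPDIR fallback are my own choices.

```shell
#!/bin/sh
# Hardened version of the djvudigital snippet above (added example, not
# upstream's code): mktemp(1) picks an unpredictable name, creates the file
# with mode 0600 using O_EXCL, and fails instead of reusing an existing path.
set -u

# Create the scratch PostScript file; on success sets DJVUTEXT to its path.
# Honours $TMPDIR and falls back to /tmp like the original.
create_djvutext() {
    DJVUTEXT=$(mktemp "${TMPDIR:-/tmp}/djvutext.XXXXXXXXXX") || return 1
    # Sanity check: mktemp must have handed us a regular file it just created.
    [ -f "$DJVUTEXT" ] || return 1
    cat > "$DJVUTEXT" <<\EOF
(ps2utf8.ps) runlibfile
currentglobal /setglobal load true setglobal .ps2utf8 begin
/onpage { } bind def
/onfont { pop pop pop } bind def
/onmark { pop pop pop pop currentx currenty currentpoint .djvutextmark } bind def
end exec
EOF
}

# Defensive writer for a fixed path that cannot go through mktemp: with
# noclobber (set -C) the redirection refuses to truncate an existing file
# instead of silently overwriting whatever is already at that name.
# Returns non-zero when the path already exists.
write_if_absent() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Remove the scratch file on any exit, as the original trap did.
cleanup_djvutext() {
    if [ -n "${DJVUTEXT:-}" ]; then rm -f "$DJVUTEXT"; fi
}
trap cleanup_djvutext 0

create_djvutext || { echo "djvudigital: cannot create temporary file" >&2; exit 1; }
```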
Upstream fix: https://sourceforge.net/p/djvu/djvulibre-git/ci/66647db87653477014b345aa5713969d4e48a071/
which was improved later via https://sourceforge.net/p/djvu/djvulibre-git/ci/4d679d4781118ea4e009eeeebb2ca0a658972d14/

    $ git tag --contains 66647db87653477014b345aa5713969d4e48a071 | sort
    debian/3.5.27.1-3
    [...]

Hopefully the next upstream release will contain the fix.
From $URL: Fixed in versions djvulibre/3.5.27.1-1, djvulibre/3.5.27.1-3
We need to stabilize app-text/djvu-3.5.27 for gcc-6 stabilization. So can we get a revbump for this security bug asap?
still not bumped...
Quite a few tags upstream with 66647db at this point. At more than 5 years since last release, perhaps it would be useful to just fix this with a patch+revbump.

    djvulibre-git $ git tag --contains 66647db
    debian/3.5.27.1-11
    debian/3.5.27.1-12
    debian/3.5.27.1-13
    debian/3.5.27.1-14
    debian/3.5.27.1-3
    debian/3.5.27.1-4
    debian/3.5.27.1-5
    debian/3.5.27.1-6
    debian/3.5.27.1-7
    debian/3.5.27.1-9
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=703e79f63d52413d37f850ca62c1cabcc1606d70

    commit 703e79f63d52413d37f850ca62c1cabcc1606d70
    Author:     John Helmert III <jchelmert3@posteo.net>
    AuthorDate: 2020-06-13 06:56:45 +0000
    Commit:     Mikle Kolyada <zlogene@gentoo.org>
    CommitDate: 2020-06-13 09:35:02 +0000

        app-text/djvu: Security bump

        Bump to upstream tag debian/3.5.27.1-14, which includes fixes for
        numerous security issues.

        Bug: https://bugs.gentoo.org/536720
        Bug: https://bugs.gentoo.org/718552
        Package-Manager: Portage-2.3.100, Repoman-2.3.22
        Signed-off-by: John Helmert III <jchelmert3@posteo.net>
        Closes: https://github.com/gentoo/gentoo/pull/16210
        Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>

     app-text/djvu/Manifest              |  1 +
     app-text/djvu/djvu-3.5.27-r2.ebuild | 73 +++++++++++++++++++++++++++++++++++++
     2 files changed, 74 insertions(+)
arm stable
ppc64 stable
sparc stable
ppc stable
amd64 stable
x86 stable
hppa stable
arm64 stable

----

@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a13ebb61d94c615ab2c68de08ab95746c1996c5

    commit 3a13ebb61d94c615ab2c68de08ab95746c1996c5
    Author:     John Helmert III <jchelmert3@posteo.net>
    AuthorDate: 2020-06-25 22:53:18 +0000
    Commit:     Aaron Bauman <bman@gentoo.org>
    CommitDate: 2020-06-28 20:54:14 +0000

        app-text/djvu: Security cleanup

        Bug: https://bugs.gentoo.org/536720
        Bug: https://bugs.gentoo.org/718552
        Package-Manager: Portage-2.3.103, Repoman-2.3.23
        Signed-off-by: John Helmert III <jchelmert3@posteo.net>
        Closes: https://github.com/gentoo/gentoo/pull/16423
        Signed-off-by: Aaron Bauman <bman@gentoo.org>

     app-text/djvu/Manifest              |  1 -
     app-text/djvu/djvu-3.5.27-r1.ebuild | 68 -------------------------------------
     2 files changed, 69 deletions(-)
glsa opened.
This issue was resolved and addressed in GLSA 202007-36 at https://security.gentoo.org/glsa/202007-36 by GLSA coordinator Sam James (sam_c).