The following commit has been merged in the master branch: commit cc62bb4f63f621bb30b96c3b31ee3d48e38dad6e Author: Sylvain Beucler <b...@beuc.net> Date: Thu May 27 21:17:56 2010 +0200
Several small fixes * Fix security issue in the shell wrapper, where LD_LIBRARY_PATH may be modified to include an empty directory (which means "current directory") * Fix missing 'not' in the package description: "it does not provide a way to display the cover art" * Fix download URL in debian/copyright * Fix a couple typos * Fix FTBFS with binutils-gold: specify -lm explicitly in the build system (patch sent upstream) (Closes: #554390) * Provide: zcode-interpreter, tads2-interpreter, tads3-interpreter as other packaged interpreters do (Closes: #579618) * Remove comments from the watch file because taste differs among DDs * Bump Standards-Version diff --git a/debian/changelog b/debian/changelog index ebe2e23..21ae111 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,20 @@ -gargoyle-free (2009-08-25-2) UNRELEASED; urgency=low +gargoyle-free (2009-08-25-2) unstable; urgency=high + * Fix security issue in the shell wrapper, where LD_LIBRARY_PATH may be + modified to include an empty directory (which means "current + directory") * Fix missing 'not' in the package description: "it does not provide a - way to display the cover art" + way to display the cover art" + * Fix download URL in debian/copyright + * Fix a couple typos + * Fix FTBFS with binutils-gold: specify -lm explicitly in the build + system (patch sent upstream) (Closes: #554390) + * Provide: zcode-interpreter, tads2-interpreter, tads3-interpreter as + other packaged interpreters do (Closes: #579618) + * Remove comments from the watch file because taste differs among DDs + * Bump Standards-Version - -- Sylvain Beucler <b...@beuc.net> Wed, 07 Oct 2009 21:53:38 +0200 + -- Sylvain Beucler <b...@beuc.net> Thu, 27 May 2010 21:31:47 +0200 gargoyle-free (2009-08-25-1) unstable; urgency=low diff --git a/debian/control b/debian/control index a61e505..73156bf 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: extra Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org> Uploaders: Sylvain Beucler <b...@beuc.net> Build-Depends: quilt, debhelper (>= 7), jam, libgtk2.0-dev, libpng12-dev, libjpeg62-dev, libsdl1.2-dev, libsdl-sound1.2-dev, libsdl-mixer1.2-dev, libfreetype6-dev, libfontconfig1-dev -Standards-Version: 3.8.3 +Standards-Version: 3.8.4 Homepage: http://ccxvii.net/gargoyle/ Vcs-Git: git://git.debian.org/git/pkg-games/gargoyle-free.git Vcs-Browser: http://git.debian.org/?p=pkg-games/gargoyle-free.git @@ -12,6 +12,7 @@ Vcs-Browser: http://git.debian.org/?p=pkg-games/gargoyle-free.git Package: gargoyle-free Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ttf-dejavu-core, ttf-dejavu-extra +Provides: zcode-interpreter, tads2-interpreter, tads3-interpreter Description: graphical player for Interactive Fiction games Gargoyle is an Interactive Fiction (text adventure) player that supports all the major interactive fiction formats. diff --git a/debian/copyright b/debian/copyright index 7c0ccc8..2060035 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,10 +4,10 @@ This package was debianized by: It was downloaded from: - http://ccxvii.net/gargoyle/ + http://code.google.com/p/garglk/ -To comply with the DSFG, the following directories and files were -removed to create the -dsfg tarball: +To comply with the DFSG, the following directories and files were +removed to create the -free tarball: - terps/alan2/: non-free license (need to register and cannot modify without author's permission), check @@ -34,7 +34,7 @@ removed to create the -dsfg tarball: - support/: for the sake of convenience (e.g. no need to declare it in this file), these external libraries are excluded from the - tarball, since they are only used for some developper builds, and + tarball, since they are only used for some developer builds, and are otherwise available in Debian already - terps/nitfol/z_io.c.orig: this source file is removed by 'jam diff --git a/debian/patches/fhs_locate_private_library.patch b/debian/patches/fhs_locate_private_library.patch index 79a9770..4af22de 100644 --- a/debian/patches/fhs_locate_private_library.patch +++ b/debian/patches/fhs_locate_private_library.patch @@ -2,8 +2,9 @@ Description: install sub-binaries and libraries in /usr/lib/gargoyle/ It would be better to link the binaries with rpath=/usr/lib/gargoyle, since the binaries may be used independently; however this may conflict with existing packages, - such as frotz, so I'm not sure -Forwarded: not yet + such as 'frotz', which would need to be divert'd. + Upstream plans to write a new launcher either in C or zenity. +Forwarded: http://groups.google.com/group/garglk-dev/browse_thread/thread/5a1aff855da9d9d8 Author: Sylvain Beucler <b...@beuc.net> Index: gargoyle-free/garglk/launcher.sh @@ -16,7 +17,7 @@ Index: gargoyle-free/garglk/launcher.sh then - abspath=`readlink -f $0` # get the full path of this script - dirpath=`dirname $abspath` # get directory part -+ # Modified in Debian to use /usr/lib/gargorle instead of the ++ # Modified in Debian to use /usr/lib/gargoyle instead of the + # current directory: + dirpath=/usr/lib/gargoyle # get directory part export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$dirpath diff --git a/debian/patches/ftbfs_binutils-gold.patch b/debian/patches/ftbfs_binutils-gold.patch new file mode 100644 index 0000000..fe7edbb --- /dev/null +++ b/debian/patches/ftbfs_binutils-gold.patch @@ -0,0 +1,20 @@ +Description: fix compilation with binutils-gold + Cf. #554390 + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554390 +Forwarded: http://groups.google.com/group/garglk-dev/browse_thread/thread/693c4f32a655da56 +Author: Sylvain Beucler <b...@beuc.net> +Last-Update: 2010-10-27 + +Index: gargoyle-free/Jamrules +=================================================================== +--- gargoyle-free.orig/Jamrules 2010-05-27 20:25:25.000000000 +0200 ++++ gargoyle-free/Jamrules 2010-05-27 20:25:34.000000000 +0200 +@@ -49,7 +49,7 @@ + SHELLHEADER = "#!/bin/bash" ; + GARGLKCCFLAGS = "`$(PKGCONFIG) --cflags`" -fPIC ; + SHRLINKLIBS = "`$(PKGCONFIG) --libs`" -ljpeg -lpng -lz ; +- LINKLIBS = -lz ; ++ LINKLIBS = -lz -lm ; + + if $(USESDL) + { diff --git a/debian/patches/security_ld_preload.patch b/debian/patches/security_ld_preload.patch new file mode 100644 index 0000000..4aae26b --- /dev/null +++ b/debian/patches/security_ld_preload.patch @@ -0,0 +1,25 @@ +Description: don't look for libgarglk.so in the current directory +Forwarded: http://groups.google.com/group/garglk-dev/browse_thread/thread/1c92ab6f24d5ebe6 +Author: Sylvain Beucler <b...@beuc.net> + +Index: gargoyle-free/garglk/launcher.sh +=================================================================== +--- gargoyle-free.orig/garglk/launcher.sh 2010-05-27 20:54:36.000000000 +0200 ++++ gargoyle-free/garglk/launcher.sh 2010-05-27 20:58:15.000000000 +0200 +@@ -10,7 +10,15 @@ + # Modified in Debian to use /usr/lib/gargoyle instead of the + # current directory: + dirpath=/usr/lib/gargoyle # get directory part +- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$dirpath ++ if [ -z "$LD_LIBRARY_PATH" ]; then ++ # Don't add an empty path (== current directory) to ++ # LD_LIBRARY_PATH, this would allow a user to trick another ++ # user into running gargoyle in a directory with a cracked ++ # libgarglk.so, and gain access to his/her account. ++ export LD_LIBRARY_PATH=$dirpath ++ else ++ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$dirpath ++ fi + else + dirpath=`dirname $0` + fi diff --git a/debian/patches/series b/debian/patches/series index b66ce69..9eb794e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,5 @@ dfsg_disable_alan.patch dfsg_disable_hugo.patch dfsg_replace_luximono_font.patch fhs_locate_private_library.patch +ftbfs_binutils-gold.patch +security_ld_preload.patch diff --git a/debian/watch b/debian/watch index 781a95d..fecceb1 100644 --- a/debian/watch +++ b/debian/watch @@ -1,23 +1,4 @@ -# You can run the "uscan" command -# to check for upstream updates and more. -# See uscan(1) for format - -# Compulsory line, this is a version 3 file version=3 -# Uncomment to examine a Webpage -# <Webpage URL> <string match> http://code.google.com/p/garglk/downloads/list \ http://garglk.googlecode.com/files/gargoyle-(.*)-sources\.zip - -# Uncomment to examine a Webserver directory -#http://www.example.com/pub/gargoyle-(.*)\.tar\.gz - -# Uncommment to examine a FTP server -#ftp://ftp.example.com/pub/gargoyle-(.*)\.tar\.gz debian uupdate - -# Uncomment to find new files on sourceforge, for devscripts >= 2.9 -# http://sf.net/gargoyle/gargoyle-(.*)\.tar\.gz - -# Uncomment to find new files on GooglePages -# http://example.googlepages.com/foo.html gargoyle-(.*)\.tar\.gz -- Packaging for Gargoyle - graphical player for Interactive Fiction games _______________________________________________ Pkg-games-commits mailing list Pkg-games-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-games-commits