Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 djvulibre (3.5.27.1-3) unstable; urgency=medium
 .
   * use mktemp in shell script if available (closes: #775193)
Author: Barak A. Pearlmutter <bap@debian.org>
Bug-Debian: https://bugs.debian.org/775193

---
The information above should follow the Patch Tagging Guidelines; please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: https://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- djvulibre-3.5.27.1.orig/desktopfiles/Makefile.am
+++ djvulibre-3.5.27.1/desktopfiles/Makefile.am
@@ -61,7 +61,7 @@ else
 endif
 
 svg_process =\
-cat $< | gzip >$@
+cat $< | gzip -n >$@
 
 svg_verbose = $(svg_verbose_@AM_V@)
 svg_verbose_ = $(svg_verbose_@AM_DEFAULT_V@)
--- djvulibre-3.5.27.1.orig/doc/djvuchanges.txt
+++ djvulibre-3.5.27.1/doc/djvuchanges.txt
@@ -39,6 +39,15 @@ To maximize compatibility with earlier v
 values different from {1,6,2,5} should be ignored
 and interpreted as 1 : rightside up orientation.
 
+1.4- ORDERING OF THE DJBZ AND SJBZ CHUNK
+
+Although the specification does not make it clear, when a FORM:DJVU chunk
+contains a bitonal image represented by a Sjbz chunk that uses a shape
+dictionary represented by a Djbz chunk, the Djbz chunk must appear before the
+Sjbz chunk that references it.  This also holds when the chunks is accessed
+indirectly via INCL chunks. For instance, an INCL chunk that refers to a
+shared Djbz shape dictionary must be placed before the corresponding Sjbz
+chunk.
 
 
 2- ESCAPE SEQUENCES IN ANNOTATION CHUNK STRINGS.
--- djvulibre-3.5.27.1.orig/libdjvu/DjVuDocument.cpp
+++ djvulibre-3.5.27.1/libdjvu/DjVuDocument.cpp
@@ -838,7 +838,12 @@ DjVuDocument::id_to_url(const GUTF8Strin
 	    break;
 	 case OLD_INDEXED:
 	 case SINGLE_PAGE:
-	    return GURL::UTF8(id,init_url.base());
+	    {
+	       GURL url = GURL::UTF8(id,init_url.base());
+	       if (url.fname() == "-")
+	          G_THROW("Illegal include chunk (corrupted file?)");
+	       return url;
+	    }
 	    break;
       }
    return GURL();
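Review bot: The new guard in the OLD_INDEXED/SINGLE_PAGE case rejects only an id whose resolved file name is exactly "-", and nothing in the hunk says why that name is special. Presumably the stream layer treats "-" as standard input rather than a file; a comment such as `// "-" would be opened as stdin, not as a file next to the document; ids come from the file being parsed` would keep the check from being dropped later. Ids that carry directory components are still resolved against `init_url.base()` unchanged, so it is worth confirming whether they should be refused here too. The `break;` after the new block is unreachable, and the other cases of the switch are outside the hunk, so whether they need the same guard cannot be judged from here.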
--- djvulibre-3.5.27.1.orig/libdjvu/GContainer.h
+++ djvulibre-3.5.27.1/libdjvu/GContainer.h
@@ -848,7 +848,7 @@ GListImpl<TI>::newnode(const TI &elt)
 {
   LNode  *n = (LNode *) operator new (sizeof(LNode ));
 #if GCONTAINER_ZERO_FILL
-  memset(n, 0, sizeof(LNode ));
+  memset((void*)n, 0, sizeof(LNode ));
 #endif
   new ((void*)&(n->val)) TI(elt);
   return (Node*) n;
--- djvulibre-3.5.27.1.orig/libdjvu/GOS.cpp
+++ djvulibre-3.5.27.1/libdjvu/GOS.cpp
@@ -154,13 +154,6 @@ strerror(int errno)
 #endif
 
 
-static const char slash='/';
-static const char percent='%';
-static const char backslash='\\';
-static const char colon=':';
-static const char dot='.';
-static const char nillchar=0;
-
 
 // -----------------------------------------
 // Functions for dealing with filenames
@@ -193,18 +186,18 @@ GOS::basename(const GUTF8String &gfname,
   const char *fname=gfname;
 #if defined(_WIN32) || defined(OS2)
   // Special cases
-  if (fname[1] == colon)
+  if (fname[1] == ':')
   {
     if(!fname[2])
     {
       return gfname;
     }
-    if (!fname[3] && (fname[2]== slash || fname[2]== backslash))
+    if (!fname[3] && (fname[2]== '/' || fname[2]== '\\'))
     {
       char string_buffer[4];
       string_buffer[0] = fname[0];
-      string_buffer[1] = colon;
-      string_buffer[2] = backslash; 
+      string_buffer[1] = ':';
+      string_buffer[2] = '\\';
       string_buffer[3] = 0; 
       return string_buffer;
     }
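Review bot: `fname[1] == ':'` is evaluated without first checking that `fname[0]` is non-zero, so for an empty `gfname` the test reads one byte past the terminator unless an earlier line of GOS::basename (outside this hunk) already excludes that case. The literal-for-constant swap is a good moment to make the guard explicit: `if (fname[0] && fname[1] == ':')`. The same pattern applies to `fname[2]` and `fname[3]`, which are only safe because each is tested after the preceding byte was found non-zero; a short comment saying so would help the next reader.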
@@ -219,7 +212,7 @@ GOS::basename(const GUTF8String &gfname,
   // Process suffix
   if (suffix)
   {
-    if (suffix[0]== dot )
+    if (suffix[0]== '.' )
       suffix ++;
     if (suffix[0])
     {
@@ -229,7 +222,7 @@ GOS::basename(const GUTF8String &gfname,
       if (s > fname + sl)
       {
         s = s - (sl + 1);
-        if(*s == dot && (GUTF8String(s+1).downcase() == gsuffix.downcase()))
+        if(*s == '.' && (GUTF8String(s+1).downcase() == gsuffix.downcase()))
         {
           retval.setat((int)((size_t)s-(size_t)fname),0);
         }
@@ -335,7 +328,7 @@ GOS::cwd(const GUTF8String &dirname)
   char drv[2];
   if (dirname.length() && _chdir(dirname.getUTF82Native())==-1)//MBCS cvt
     G_THROW(errmsg());
-  drv[0]= dot ; drv[1]=0;
+  drv[0]= '.' ; drv[1]=0;
   char *string_buffer;
   GPBuffer<char> gstring_buffer(string_buffer,MAXPATHLEN+1);
   char *result = getcwd(string_buffer,MAXPATHLEN);
--- djvulibre-3.5.27.1.orig/libdjvu/GString.cpp
+++ djvulibre-3.5.27.1/libdjvu/GString.cpp
@@ -273,7 +273,9 @@ public:
   ~ChangeLocale();
 private:
   GUTF8String locale;
+#if DO_CHANGELOCALE
   int category;
+#endif
 };
 
 class GStringRep::Native : public GStringRep
@@ -452,7 +454,9 @@ GStringRep::Native::ncopy(
 }
 
 GStringRep::ChangeLocale::ChangeLocale(const int xcategory, const char xlocale[] )
+#if DO_CHANGELOCALE
   : category(xcategory)
+#endif
 {
 #if DO_CHANGELOCALE
   // This is disabled under UNIX because 
--- djvulibre-3.5.27.1.orig/libdjvu/GURL.cpp
+++ djvulibre-3.5.27.1/libdjvu/GURL.cpp
@@ -170,7 +170,6 @@ namespace DJVU {
 
 static const char djvuopts[]="DJVUOPTS";
 static const char localhost[]="file://localhost/";
-static const char backslash='\\';  
 static const char colon=':';
 static const char dot='.';
 static const char filespecslashes[] = "file://";
@@ -179,13 +178,14 @@ static const char slash='/';
 static const char percent='%';
 static const char localhostspec1[] = "//localhost/";
 static const char localhostspec2[] = "///";
-static const char nillchar=0;
 #if defined(UNIX)
   static const char tilde='~';
   static const char root[] = "/";
 #elif defined(_WIN32) || defined(OS2)
   static const char root[] = "\\";
+  static const char backslash='\\';  
 #elif defined(macintosh)
+  static const char nillchar=0;
   static char const * const root = &nillchar; 
 #else
 #error "Define something here for your operating system"
--- djvulibre-3.5.27.1.orig/libdjvu/IW44EncodeCodec.cpp
+++ djvulibre-3.5.27.1/libdjvu/IW44EncodeCodec.cpp
@@ -125,7 +125,7 @@ static const float iw_norm[16] = {
 };
 
 static const int iw_shift  = 6;
-static const int iw_round  = (1<<(iw_shift-1));
+// static const int iw_round  = (1<<(iw_shift-1));
 
 static const struct { int start; int size; }  
 bandbuckets[] = 
--- djvulibre-3.5.27.1.orig/libdjvu/IW44Image.cpp
+++ djvulibre-3.5.27.1/libdjvu/IW44Image.cpp
@@ -125,15 +125,6 @@ static const int iw_quant[16] = {
   0x040000, 0x040000, 0x080000
 };
 
-static const float iw_norm[16] = {
-  2.627989e+03F,
-  1.832893e+02F, 1.832959e+02F, 5.114690e+01F,
-  4.583344e+01F, 4.583462e+01F, 1.279225e+01F,
-  1.149671e+01F, 1.149712e+01F, 3.218888e+00F,
-  2.999281e+00F, 2.999476e+00F, 8.733161e-01F,
-  1.074451e+00F, 1.074511e+00F, 4.289318e-01F
-};
-
 static const int iw_border = 3;
 static const int iw_shift  = 6;
 static const int iw_round  = (1<<(iw_shift-1));
@@ -604,7 +595,7 @@ IW44Image::Map::Map(int w, int h)
 {
   bw = (w+0x20-1) & ~0x1f;
   bh = (h+0x20-1) & ~0x1f;
-  nb = (bw * bh) / (32 * 32);
+  nb = (unsigned int)(bw*bh) / (32 * 32);
   blocks = new IW44Image::Block[nb];
   top = IWALLOCSIZE;
 }
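Review bot: The cast in `nb = (unsigned int)(bw*bh) / (32 * 32);` is applied after the multiplication, so if `bw` and `bh` are signed ints (as the cast suggests; their declarations are outside the hunk) the product can still overflow before it is converted. Convert the operands first, and since both values are already multiples of 32, divide before multiplying: `nb = ((unsigned int)bw / 32) * ((unsigned int)bh / 32);`. That still leaves `new IW44Image::Block[nb]` sized from `w` and `h` with no upper bound visible here, and the rounding `(w+0x20-1)` can itself overflow for `w` near INT_MAX. If these dimensions come from file headers, a range check on `w` and `h` at the top of the constructor (non-positive or above a project-chosen maximum, then throw) would be the more complete fix.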
--- djvulibre-3.5.27.1.orig/tools/djvudigital
+++ djvulibre-3.5.27.1/tools/djvudigital
@@ -97,8 +97,14 @@ checkps2utf8()
         if ( "$gsdjvu" 2>&1 -dNODISPLAY -c '(ps2utf8.ps) runlibfile quit' | \
               grep -q WRITESYSTEMDICT )
         then
-            djvutext="/tmp/dj$$.ps"
-            trap "rm 2>/dev/null $djvutext" 0
+	    # For added security, use mktemp if available.
+	    # When using mktemp, do *not* delete the file as that introduces a brief window of vulnerability.
+	    if mktemp --dry-run >/dev/null 2>&1; then
+		djvutext=$(mktemp djXXXXXXXXXX.ps) || exit 1
+	    else
+		djvutext="/tmp/dj$$.ps"
+		trap "rm 2>/dev/null $djvutext" 0
+	    fi
             cat > $djvutext <<\EOF
 (ps2utf8.ps) runlibfile currentglobal /setglobal load true setglobal 
 .ps2utf8 begin /onpage { } bind def /onfont { pop pop pop } bind def
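Review bot: `mktemp djXXXXXXXXXX.ps` has no directory in its template, so the file is created in the current working directory rather than in a temp directory, and because the mktemp branch sets no trap it is left behind after every run. As far as the hunk shows, removing the file on exit does not change how it was created, so I would use `djvutext=$(mktemp "${TMPDIR:-/tmp}/djXXXXXXXXXX.ps") || exit 1` and keep a quoted cleanup, `trap 'rm -f "$djvutext"' 0`, in both branches. The `--dry-run` probe and the suffix after the X's are GNU mktemp features, so other systems silently take the else branch, which still writes to the predictable `/tmp/dj$$.ps` through the unquoted `cat > $djvutext`. That fallback should refuse to write when the path already exists (for example by enabling `set -C` around the redirection) instead of truncating whatever is there. checkps2utf8 begins before the hunk and the here-document continues after it.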
--- djvulibre-3.5.27.1.orig/tools/djvumake.cpp
+++ djvulibre-3.5.27.1/tools/djvumake.cpp
@@ -356,6 +356,8 @@ analyze_jb2_chunk(const GURL &url)
 void
 analyze_incl_chunk(const GURL &url)
 {
+  if (! url.is_file())
+    return;
   GP<ByteStream> gbs = ByteStream::create(url,"rb");
   char buffer[24];
   memset(buffer, 0, sizeof(buffer));
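Review bot: The early `return` for `!url.is_file()` makes analyze_incl_chunk skip a missing or non-regular include target without any message, so a mistyped INCL name now goes unnoticed at this point. A one-line comment stating the intent, e.g. `// Only inspect ids that name an existing regular file; "-" or a directory must not be opened here`, plus a warning on stderr would make the skip visible. The check and the later `ByteStream::create(url,"rb")` are two separate file-system lookups, which is acceptable for a command-line tool but should be stated rather than implied. The rest of the function is outside the hunk.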
@@ -955,7 +957,7 @@ main(int argc, char **argv)
             }
           else if (!dargv[i].cmp("INCL=",5))
             {
-              create_incl_chunk(iff, "INCL", GURL::Filename::UTF8(5+(const char *)dargv[i]).fname());
+              create_incl_chunk(iff, "INCL", (const char *)GUTF8String(dargv[i].substr(5,-1)));
               flag_contains_incl = 1;
             }
           else if (!dargv[i].cmp("PPM=",4))
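Review bot: The INCL argument is now written into the chunk verbatim: the old code reduced it to its last path component with `.fname()`, while `dargv[i].substr(5,-1)` keeps any directory part and also accepts an empty string or `-`. Since this same patch makes DjVuDocument::id_to_url throw for an id of `-`, djvumake can emit a document the library then refuses; validating at creation time keeps writer and reader consistent, e.g. `const GUTF8String id = dargv[i].substr(5,-1);` followed by `if (!id.length() || id == "-") G_THROW("djvumake: illegal INCL id");` (message text constructed here, adjust to the project's wording). If `substr` already returns a GUTF8String, the extra `GUTF8String(...)` wrapper is redundant. create_incl_chunk and the rest of main are outside the hunk, so whether the id is checked further down cannot be seen from here.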
