Your message dated Sat, 27 Aug 2005 19:47:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#325356: fixed in reportbug 3.17
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Aug 2005 23:05:17 +0000
From [EMAIL PROTECTED] Sat Aug 27 16:05:17 2005
Return-path: <[EMAIL PROTECTED]>
Received: from 66-193-87-113.gen.twtelecom.net (panacea.canonical.org) [66.193.87.113]
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1E99jg-000659-00; Sat, 27 Aug 2005 16:05:16 -0700
Received: by panacea.canonical.org (Postfix, from userid 1017)
        id A5A2C3F549; Sat, 27 Aug 2005 19:05:11 -0400 (EDT)
Date: Sat, 27 Aug 2005 19:05:11 -0400
From: Brett Smith <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: reportbug: Can crash on bad package names
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="nFreZHaLTZJo0R7j"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Mailer: reportbug 3.16
Delivered-To: [EMAIL PROTECTED]


--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: reportbug
Version: 3.16
Severity: normal
Tags: patch

reportbug does no validation on the package name provided by the user.
While this probably isn't a big deal in most cases, it can lead to a crash
if the provided string contains / or other characters special to the
filesystem.  Here's a traceback I got after trying to submit a bug for a
hypothetical "foo/bar" package:

Traceback (most recent call last):
  File "/usr/bin/reportbug", line 1716, in ?
    main()
  File "/usr/bin/reportbug", line 1648, in main
    fh, filename = TempFile(prefix=tfprefix)
  File "/usr/share/reportbug/rbtempfile.py", line 73, in TempFile
    fh, filename = tempfile.mkstemp(suffix, prefix, dir, text)
  File "/usr/lib/python2.3/tempfile.py", line 282, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File "/usr/lib/python2.3/tempfile.py", line 216, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 2] No such file or directory: 
'/tmp/reportbug-foo/bar-20050827-6363-n_YbGx'

I've attached a patch that checks to make sure the provided package name
complies with the Debian Policy Manual 5.6.7 (see
<http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Package>).
It will display an error message and prompt the user again if they provide
an invalid package name.

-- Package-specific info:
** Environment settings:
EDITOR="/usr/bin/emacsclient -a jmacs"
VISUAL="/usr/bin/emacsclient -a jmacs"

** /home/brett/.reportbugrc:
reportbug_version "2.0"
mode standard
ui text
offline
realname "Brett Smith"
email "[EMAIL PROTECTED]"
mta "/home/brett/bin/sendmail-laptop -odf"

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.3-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reportbug depends on:
ii  python2.3                     2.3.5-7    An interactive high-level object-o

Versions of packages reportbug recommends:
pn  python2.3-cjkcodecs | python2 <none>     (no description available)

-- no debconf information

--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="reportbug-good-package-name.patch"

--- /usr/bin/reportbug  2005-08-22 01:01:59.000000000 -0500
+++ reportbug   2005-08-27 17:51:56.000000000 -0500
@@ -330,6 +330,13 @@
         ewrite("Using package '%s'.\n", package)
         return (filename, package)
 
+def validate_package_name(package):
+    if not re.match(r'^[a-z0-9][a-z0-9\-\+\.]+$', package):
+        ui.long_message("%s is not a valid package name." %
+                        (package,))
+        package = None
+    return package
+
 def get_other_package_name(others):
     return ui.menu("Please enter the name of the package in which you "
                    "have found a problem, or choose one of these bug "
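Review bot: the pattern in `re.match(r'^[a-z0-9][a-z0-9\-\+\.]+$', package)` uses `$`, which in Python also matches just before a trailing newline, so a name such as "foo\n" passes the check and still reaches the temp-file prefix; anchoring with `\Z` (or matching against `package.strip()`) closes that gap. The hunk also relies on `re` already being imported in reportbug, which the diff does not show, so that is worth confirming before applying.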
@@ -352,11 +359,14 @@
     if others:
         options += others.keys()
    
-    package = ui.get_string(prompt, options, force_prompt=True)
-    if not package:
-        return
-    if others and package and package == 'other':
-        package = get_other_package_name(others)
+    package = None
+    while package is None:
+        package = ui.get_string(prompt, options, force_prompt=True)
+        if not package:
+            return
+        if others and package and package == 'other':
+            package = get_other_package_name(others)
+        package = validate_package_name(package)
 
     if mode < MODE_STANDARD:
         if package == 'reportbug':
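Review bot: after `package = get_other_package_name(others)` there is no empty check before `package = validate_package_name(package)`, so if that menu can return None or an empty string on cancel, `re.match` raises TypeError on None, or the user sees " is not a valid package name." and is re-prompted instead of the function returning the way the `ui.get_string` path does; repeating `if not package: return` after that call keeps both paths consistent. Minor: `package and` in `if others and package and package == 'other':` is redundant given the `if not package: return` just above it.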

--nFreZHaLTZJo0R7j--
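As an added example (not code from the bug report or from reportbug itself), the check the patch introduces, written against Debian Policy 5.6.7 with the regex anchors tightened, beside a reproduction of the ENOENT failure the traceback shows when an unchecked name reaches mkstemp; the scratch directory and sample names are constructed here.

```python
import errno
import os
import re
import shutil
import tempfile

# Debian Policy 5.6.7: only lower-case letters, digits, '+', '-' and '.',
# at least two characters, starting with an alphanumeric.  Anchored with
# \A and \Z instead of ^ and $ because '$' also matches before a trailing
# newline, so "foo\n" would otherwise pass.
PACKAGE_NAME_RE = re.compile(r"\A[a-z0-9][a-z0-9+.-]+\Z")


def is_valid_package_name(name):
    """Return True only for a well-formed Debian package name."""
    return isinstance(name, str) and PACKAGE_NAME_RE.match(name) is not None


def report_tempfile(name, directory):
    """Create the report's temp file the way reportbug's TempFile does
    (prefix 'reportbug-<package>-'), but refuse unvalidated names so the
    package name can never contribute path components.  Returns the path."""
    if not is_valid_package_name(name):
        raise ValueError("invalid package name: %r" % (name,))
    fd, path = tempfile.mkstemp(prefix="reportbug-%s-" % name, dir=directory)
    os.close(fd)
    return path


def unchecked_mkstemp_fails(name):
    """Reproduce the reported crash: with the name interpolated unchecked,
    'foo/bar' turns the prefix into 'reportbug-foo/bar-', mkstemp tries to
    open <dir>/reportbug-foo/bar-XXXXXX, and the missing directory yields
    ENOENT (the 'Errno 2' in the traceback).  Returns True if that happens."""
    directory = tempfile.mkdtemp()  # scratch dir, constructed for the demo
    try:
        fd, path = tempfile.mkstemp(prefix="reportbug-%s-" % name, dir=directory)
        os.close(fd)
        return False
    except OSError as e:
        return e.errno == errno.ENOENT
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    for candidate in ["reportbug", "foo/bar", "foo\n", "a", "../tmp", "libc6"]:
        print("%-12r valid=%s" % (candidate, is_valid_package_name(candidate)))
    print("unchecked 'foo/bar' crashes:", unchecked_mkstemp_fails("foo/bar"))
```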

---------------------------------------
Received: (at 325356-close) by bugs.debian.org; 28 Aug 2005 02:48:46 +0000
From [EMAIL PROTECTED] Sat Aug 27 19:48:46 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
        id 1E9DCK-0003L5-00; Sat, 27 Aug 2005 19:47:04 -0700
From: Chris Lawrence <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#325356: fixed in reportbug 3.17
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 27 Aug 2005 19:47:04 -0700
Delivered-To: [EMAIL PROTECTED]

Source: reportbug
Source-Version: 3.17

We believe that the bug you reported is fixed in the latest version of
reportbug, which is due to be installed in the Debian FTP archive:

reportbug_3.17.dsc
  to pool/main/r/reportbug/reportbug_3.17.dsc
reportbug_3.17.tar.gz
  to pool/main/r/reportbug/reportbug_3.17.tar.gz
reportbug_3.17_all.deb
  to pool/main/r/reportbug/reportbug_3.17_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lawrence <[EMAIL PROTECTED]> (supplier of updated reportbug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Sat, 27 Aug 2005 22:38:17 -0400
Source: reportbug
Binary: reportbug
Architecture: source all
Version: 3.17
Distribution: unstable
Urgency: low
Maintainer: Chris Lawrence <[EMAIL PROTECTED]>
Changed-By: Chris Lawrence <[EMAIL PROTECTED]>
Description: 
 reportbug  - reports bugs in the Debian distribution
Closes: 323374 324660 325024 325356
Changes: 
 reportbug (3.17) unstable; urgency=low
 .
   * Validate package names.  Patch from Brett Smith.  (Closes: #325356)
   * Update parsing of BTS summary pages to omit "Summary" and "Options"
     headers.  (Closes: #325024, #324660)
   * Add security tag to critical/grave reports with security justifications,
     and X-Debbugs-CC security-tagged reports to [EMAIL PROTECTED]
     (Closes: #323374)
Files: 
 7b678b1804f2b17ad8890e04d47a46f2 522 utils standard reportbug_3.17.dsc
 51aa69555a1674824fd56e42216de14f 135946 utils standard reportbug_3.17.tar.gz
 5c6bdeca4c6c36ebd9cea4b5d3b7e2d4 127096 utils standard reportbug_3.17_all.deb


