Your message dated Sun, 18 Sep 2016 10:37:30 +0000 with message-id <e1blztw-0001og...@franck.debian.org> and subject line Bug#821016: fixed in apt-file 3.1 has caused the Debian Bug report #821016, regarding apt-file: can't search for something starting with a dash (such as -pkg-config) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
821016: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821016
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt-file
Version: 3.0
Severity: normal
Usertags: argument-injection
Tags: security

apt-file can't search for something starting with a dash (like -foo). The reason appears to be that it passes arguments to grep without escaping them with -- so grep doesn't interpret them as options.

There is a famous article that I can't find now where one can cause arbitrary code execution if one can cause arbitrary argument injection to common commands like tar. Not sure if this case is exploitable but I'm tagging this security just in case.

pabs@chianamo ~ $ apt-file search -pkg-config
Unknown option: p
Unknown option: k
Unknown option: g
...

pabs@chianamo ~ $ apt-file search -- -pkg-config
grep: invalid option -- 'p'
Usage: grep [OPTION]... PATTERN [FILE]...
Try 'grep --help' for more information.
xargs: /usr/lib/apt/apt-helper: terminated by signal 13
Command xargs -0r /usr/lib/apt/apt-helper -c /etc/apt/apt-file.conf cat-file exited with code 125 at /usr/bin/apt-file line 234.
A subprocess exited uncleanly (raw: 32000) - result may be incomplete at /usr/bin/apt-file line 276.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (860, 'testing-proposed-updates'), (850, 'buildd-testing-proposed-updates'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-file depends on:
ii  apt                      1.2.10
ii  libapt-pkg-perl          0.1.29+b5
ii  liblist-moreutils-perl   0.413-1+b1
ii  libregexp-assemble-perl  0.36-1
ii  perl                     5.22.1-9

apt-file recommends no packages.

apt-file suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Source: apt-file
Source-Version: 3.1

We believe that the bug you reported is fixed in the latest version of apt-file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 821...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <ni...@thykier.net> (supplier of updated apt-file package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 18 Sep 2016 09:59:50 +0000
Source: apt-file
Binary: apt-file
Architecture: source
Version: 3.1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <de...@lists.debian.org>
Changed-By: Niels Thykier <ni...@thykier.net>
Description:
 apt-file - search for files within Debian packages (command-line interface)
Closes: 820560 821016 825293 825883 832131
Changes:
 apt-file (3.1) unstable; urgency=medium
 .
   * Move apt-file under the APT packaging team.
   * apt-file: Fix bug in handling patterns starting with "-".
     Thanks to Paul Wise for reporting the issue. (Closes: #821016)
   * apt-file: Fix bug where package listing did not work if the
     Contents files did not include sections. Thanks to "Unit 193"
     for the report. (Closes: #820560)
   * apt-file-2-update.sh: Correct path to the "partial" directory.
     Thanks to Ritesh Raj Sarraf for the report. (Closes: #832131)
   * apt-file, 50apt-file.conf: Support fetching of Contents files
     in legacy locations (as used by Ubuntu) by default. This
     requires apt 1.3.
   * apt-file: Support setting a default value for -I/--index-names
     in the apt config file. Thanks to Cyril Brulebois for the
     suggestion (part of #825293)
   * apt-file: Accept "ALL" as a special index name for -I. When
     given, apt-file will search all of its indices. Thanks to
     Cyril Brulebois for the suggestion (part of #825293).
   * debian/NEWS: Clarify that the indices for source packages and
     udebs are disabled in the apt-file 2 -> 3 transition. These
     must be manually re-enabled. Thanks to Cyril Brulebois for the
     report. (Closes: #825293)
   * apt-file: Exit with an error if a subprocess exits non-zero
     (except for grep) or is killed by a signal. Thanks to Paul
     Wise for the suggestion. (Closes: #825883)
   * Set debhelper compat to "beta-tester" and bump the minimum
     requirements for debhelper to 10.
   * Bump Standards-Versions to 3.9.8 - no changes required.
Checksums-Sha1:
 798450f4eb765d8bda5c815d47d318e52745abee 1730 apt-file_3.1.dsc
 691649837bef2f9d6b1d590a5434da29f58d510e 42032 apt-file_3.1.tar.xz
Checksums-Sha256:
 2ddacc683200a4cbfcde224094fa1e8c5a80763587a16919503607cf78c38aaf 1730 apt-file_3.1.dsc
 0784cc7be70b2742d02af0d3c193e76c649e6842865fbd94209a79ce06cd0574 42032 apt-file_3.1.tar.xz
Files:
 2d17f7b65a1bce3a595554de9855add6 1730 admin optional apt-file_3.1.dsc
 4bb93d00cbd53ca96117262dc6ece996 42032 admin optional apt-file_3.1.tar.xz
--- End Message ---
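
The failure mode from the report above and the kind of fix the 3.1 changelog describes, as an added example that is not apt-file's code and not part of either message: a front end that consumes the caller's "--" itself and then hands the pattern to grep with and without ending grep's option parsing. The function names, the `search` front end and the sample index lines are constructed for illustration; note that '-ebin' does not fail in the unsafe path but is silently read as "-e bin".

```shell
#!/bin/sh
# Added example, not apt-file's code: a search wrapper that forwards a
# user-supplied pattern to grep, with and without ending option parsing.

# Constructed sample lines in a "path package" shape (not a real index).
sample_index() {
    printf '%s\n' \
        'usr/bin/pkg-config devel/pkg-config' \
        'usr/share/doc/x-pkg-config/README doc/x-doc' \
        'usr/bin/grep utils/grep'
}

# Unsafe: the pattern lands where grep is still parsing options.
grep_unsafe() { sample_index | grep -F "$1" 2>/dev/null; }

# Safe: "--" ends grep's option parsing, so the pattern is always an operand.
grep_safe() { sample_index | grep -F -- "$1"; }

# Also safe: -e binds the following argument as the pattern.
grep_safe_e() { sample_index | grep -F -e "$1"; }

# Hypothetical front end: search <backend> [--] <pattern>.
# It consumes the caller's own "--", so that marker never reaches grep;
# only the backend can protect the pattern.
search() {
    backend=$1; shift
    [ "${1-}" = "--" ] && shift
    "$backend" "$1"
}

# Demo: number of matching lines per backend for two dash-leading patterns.
for pattern in '-pkg-config' '-ebin'; do
    for backend in grep_unsafe grep_safe grep_safe_e; do
        n=$(search "$backend" -- "$pattern" | wc -l)
        printf '%-12s %-12s %s line(s)\n' "$backend" "$pattern" "$n"
    done
done
```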