Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id
<17351b82f829eb6917f78885cb849c4060b0a4a6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928292,
regarding stretch-pu: package signing-party/2.5-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928292
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hi there,
CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1).
Unsafe shell call enabling shell injection via a User ID.
See also #928256. However the Security Team didn't issue a DSA [0], and
suggested fixing it via stretch-pu instead. I enclosed a debdiff
against signing-party_2.5-1.dsc.
In the fix I replaced the use of iconv(1) with Perl's module
‘Encode.pm’ instead; it's a core module so the package doesn't need any
new dependency.
Cheers,
--
Guilhem.
[0] https://security-tracker.debian.org/tracker/CVE-2019-11627
diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog
--- signing-party-2.5/debian/changelog 2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/changelog 2019-05-01 12:55:42.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.5-1+deb9u1) stretch; urgency=medium
+
+ * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell
+ injection via a User ID. Use Perl's (core) module Encode.pm instead of
+ shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <[email protected]> Wed, 01 May 2019 12:55:42 +0200
+
signing-party (2.5-1) unstable; urgency=low
* caff:
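Review bot: the CVE identifier in this changelog entry (CVE-2018-15599, also used for the new patch file name and the series entry below) does not match the one the request itself cites for gpg-key2ps, CVE-2019-11627; please confirm which identifier is correct and use it consistently in the changelog, the patch file name and debian/patches/series before upload, since the security tracker and the stable release notes key on it.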
diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control
--- signing-party-2.5/debian/control 2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/control 2019-05-01 12:55:42.000000000 +0200
@@ -1,7 +1,7 @@
Source: signing-party
Section: misc
Priority: extra
-Maintainer: Guilhem Moulin <[email protected]>
+Maintainer: Guilhem Moulin <[email protected]>
Uploaders: Simon Richter <[email protected]>
Build-Depends: debhelper (>= 9), python, dh-python,
autoconf, automake, autotools-dev,
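Review bot: the Maintainer field change in this hunk is unrelated to the security fix and is not mentioned in the changelog entry; for a stable update either drop it from the debdiff or add a changelog line documenting it, so the diff contains only the changes the release team is asked to review.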
diff -Nru signing-party-2.5/debian/patches/CVE-2018-15599.diff
signing-party-2.5/debian/patches/CVE-2018-15599.diff
--- signing-party-2.5/debian/patches/CVE-2018-15599.diff 1970-01-01
01:00:00.000000000 +0100
+++ signing-party-2.5/debian/patches/CVE-2018-15599.diff 2019-05-01
12:55:42.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <[email protected]>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $
+
+ use strict;
++use Encode ();
+ use Getopt::Long;
+
+ my $version = '$Rev: 882 $';
+@@ -269,7 +270,7 @@ while(<GPG>) {
+ }
+ # user ids
+ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++ $_ = Encode::encode("latin1", Encode::decode_utf8($_));
+ s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/
($1) uid/;
+ # revoked user id
+ if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/
($1) revuid/) {
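Review bot: the patch header carries no DEP-3 `Bug-Debian:` or `Origin:` field and does not name the CVE it addresses; add e.g. `Bug-Debian: https://bugs.debian.org/928256` and a CVE reference to the header so the fix can be traced from the source package. On the code itself, replacing `$_ = \`echo "$_" | iconv -c -f utf-8 -t latin1\`;` with `Encode::encode("latin1", Encode::decode_utf8($_))` removes the shell from the data path entirely rather than trying to escape the UID, which is the right fix. One behavioural difference is worth a comment in the patch: `iconv -c` silently dropped characters with no Latin-1 mapping, whereas `Encode::encode` with the default CHECK substitutes them with `?`, so UIDs containing such characters will render slightly differently than before.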
diff -Nru signing-party-2.5/debian/patches/series
signing-party-2.5/debian/patches/series
--- signing-party-2.5/debian/patches/series 2016-10-06 14:59:44.000000000
+0200
+++ signing-party-2.5/debian/patches/series 2019-05-01 12:55:42.000000000
+0200
@@ -1 +1,2 @@
gpgwrap_makefile.diff
+CVE-2018-15599.diff
--- End Message ---
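As an added illustration of the approach described in the report above (example code, not part of the signing-party sources or the debdiff): a small Perl script that transcodes gpg --with-colons uid records to Latin-1 in-process with Encode, so the UID text is never handed to a shell. The \xNN decoding and the field layout mirror gpg-key2ps; the two sample records are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from signing-party or the debdiff above.
# Transcode a gpg --with-colons 'uid' record to Latin-1 in-process with
# Encode, as the CVE-2019-11627 fix does, instead of piping the record
# through `echo "$_" | iconv`, so UID text never reaches a shell.
use strict;
use warnings;
use Encode ();

# Constructed sample records (same field layout as gpg --with-colons).
# The UID is the 10th colon-separated field; the first record carries
# shell metacharacters (\x24 is '$'), the second a Latin-1 character
# (U+00EB as UTF-8) and a Euro sign, which Latin-1 cannot represent.
my @records = (
    "uid:u::::1556642400::0123456789ABCDEF0123456789ABCDEF01234567::"
      . "Test User \\x24(id) <test\@example.org>:::::::::0:\n",
    "uid:r::::1556642400::0123456789ABCDEF0123456789ABCDEF01234567::"
      . "T\\xc3\\xabst \\xe2\\x82\\xac <euro\@example.org>:::::::::0:\n",
);

# Undo gpg's \xNN escapes, then convert UTF-8 to Latin-1 with Encode.
# Encode::encode() (default CHECK) replaces unmappable characters such
# as the Euro sign with '?'; the old `iconv -c` dropped them instead.
sub uid_line_to_latin1 {
    my ($line) = @_;
    chomp $line;
    $line =~ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
    return Encode::encode("latin1", Encode::decode_utf8($line));
}

# Split the record on ':' (keeping trailing empty fields) and return the
# UID plus whether the validity field marks it revoked ('r'), which
# gpg-key2ps renders as 'revuid' rather than 'uid'.
sub parse_uid {
    my ($line) = @_;
    my @f = split /:/, $line, -1;
    return unless @f >= 10 && $f[0] eq 'uid';
    return { revoked => ($f[1] =~ /^r/ ? 1 : 0), uid => $f[9] };
}

for my $rec (@records) {
    my $p = parse_uid(uid_line_to_latin1($rec)) or next;
    # '$(id)' survives as literal bytes inside the UID: no shell saw it.
    printf "%s: %s\n", $p->{revoked} ? 'revuid' : 'uid', $p->{uid};
}
```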
--- Begin Message ---
Version: 9.10
Hi,
The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).
Regards,
Adam
--- End Message ---