Dear LTS team,

CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1):

    Unsafe shell call enabling shell injection via a User ID.

See also #928256.  gpg-key2ps(1) is a standalone CLI tool to generate a
PostScript file with OpenPGP key fingerprint slips.  Note that the
Security Team didn't issue a DSA [0], and suggested to instead fix that
via stretch-pu.  Given there is no jessie-pu mechanism, perhaps it would
make sense to issue a DLA?  (Is so, I would appreciate if a LTS team
member could take care of the DLA part.)

Debdiff against signing-party_1.1.10-3.dsc attached.  In the (tested)
fix I replaced the of use of iconv(1) with Perl's ‘Encode.pm’ instead;
it's a core module so the package doesn't need any new dependency.

(Note that the fix didn't make it to Stretch nor Buster yet.  That's
respectively #928292 and #928291.)

Cheers,
-- 
Guilhem.

[0] https://security-tracker.debian.org/tracker/CVE-2019-11627
diff -Nru signing-party-1.1.10/debian/changelog 
signing-party-1.1.10/debian/changelog
--- signing-party-1.1.10/debian/changelog       2014-11-08 02:02:16.000000000 
+0100
+++ signing-party-1.1.10/debian/changelog       2019-05-01 17:39:56.000000000 
+0200
@@ -1,3 +1,11 @@
+signing-party (1.1.10-3+deb8u1) jessie-security; urgency=medium
+
+  * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell
+    injection via a User ID.  Use Perl's (core) module Encode.pm instead of
+    shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guil...@debian.org>  Wed, 01 May 2019 17:39:56 +0200
+
 signing-party (1.1.10-3) unstable; urgency=medium
 
   [ Guilhem Moulin ]
diff -Nru signing-party-1.1.10/debian/control 
signing-party-1.1.10/debian/control
--- signing-party-1.1.10/debian/control 2014-11-08 02:02:16.000000000 +0100
+++ signing-party-1.1.10/debian/control 2019-05-01 17:39:56.000000000 +0200
@@ -1,7 +1,7 @@
 Source: signing-party
 Section: misc
 Priority: extra
-Maintainer: Guilhem Moulin <guil...@guilhem.org>
+Maintainer: Guilhem Moulin <guil...@debian.org>
 Uploaders: Simon Richter <s...@debian.org>,
  Franck Joncourt <fra...@debian.org>
 Build-Depends: debhelper (>= 9), python, autoconf, automake1.11, autotools-dev
diff -Nru signing-party-1.1.10/debian/patches/CVE-2019-11627.diff 
signing-party-1.1.10/debian/patches/CVE-2019-11627.diff
--- signing-party-1.1.10/debian/patches/CVE-2019-11627.diff     1970-01-01 
01:00:00.000000000 +0100
+++ signing-party-1.1.10/debian/patches/CVE-2019-11627.diff     2019-05-01 
17:39:56.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guil...@debian.org>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 707 2014-09-05 09:34:32Z guilhem-guest $
+ 
+ use strict;
++use Encode ();
+ use Getopt::Long;
+ 
+ my $version = '$Rev: 707 $';
+@@ -266,7 +267,7 @@ while(<GPG>) {
+       }
+       # user ids
+       s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+-      $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++      $_ = Encode::encode("latin1", Encode::decode_utf8($_));
+       s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/     
($1) uid/;
+       # revoked user id
+       if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ 
($1) revuid/) {
diff -Nru signing-party-1.1.10/debian/patches/series 
signing-party-1.1.10/debian/patches/series
--- signing-party-1.1.10/debian/patches/series  2014-11-08 02:02:16.000000000 
+0100
+++ signing-party-1.1.10/debian/patches/series  2019-05-01 17:39:02.000000000 
+0200
@@ -1,2 +1,3 @@
 gpgwrap_makefile.diff
 bug767371.diff
+CVE-2019-11627.diff

Attachment: signature.asc
Description: PGP signature

Reply via email to