Hi -lts, Sending this for a quick review for a bunch of reasons, not least of all because this didn't get a CVE and thus has fewer eyeballs on it.
(https://bugs.debian.org/1089015 is the bug in question.) — Chris diff --git debian/changelog debian/changelog index 6bf4d90..44e5088 100644 --- debian/changelog +++ debian/changelog @@ -1,3 +1,13 @@ +ucf (3.0043+deb11u1) bullseye-security; urgency=high + + * Non-maintainer by the Debian LTS team. + * Prevent a potential command-injection vulnerability by initialising a + variable that is passed, unfiltered, to the "eval" shell function. + (Closes: #1089015) + * Add a debian/salsa-ci.yml. + + -- Chris Lamb <[email protected]> Thu, 16 Jan 2025 16:53:58 +0000 + ucf (3.0043) unstable; urgency=high * The argument to dpkg-divert needs to be the actual file name, not the diff --git debian/salsa-ci.yml debian/salsa-ci.yml new file mode 100644 index 0000000..b2fd032 --- /dev/null +++ debian/salsa-ci.yml @@ -0,0 +1,2 @@ +include: + - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml diff --git ucf ucf index 7efdf1c..ceb33f6 100755 --- ucf +++ ucf @@ -342,6 +342,7 @@ NEW_SUFFIX="ucf-new" OLD_SUFFIX="ucf-old" ERR_SUFFIX="merge-error" # save up the cmdline with proper quoting/escaping +saved= for arg in "$@"; do saved="${saved:+$saved }'$(quote_single "$arg")'" done -- ,''`. : :' : Chris Lamb `. `'` [email protected] 🍥 chris-lamb.co.uk `-
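Review bot: the first bullet of the debian/changelog hunk is missing a word: "Non-maintainer by the Debian LTS team." should read "Non-maintainer upload by the Debian LTS team.", the usual NMU wording. In the same hunk, "eval" is a shell builtin rather than a shell function, and naming the variable being initialised (saved) would let someone reading the changelog without the diff understand what was fixed; since this issue has no CVE, the changelog entry is the only place the security rationale is recorded, so the wording is worth getting right.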
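Review bot: the new `saved=` line in the ucf hunk needs a comment stating why it is there, otherwise a future cleanup may drop an "unused" assignment. The loop body `saved="${saved:+$saved }'$(quote_single "$arg")'"` prepends whatever `saved` already holds, so before this change a `saved` variable inherited from the caller's environment would have been spliced, unquoted, in front of the quoted arguments, and the changelog says that string is later handed to eval. Something like "# reset: an inherited $saved would otherwise reach eval" above the assignment keeps the security intent visible. `saved=` rather than `unset saved` is sufficient here, because `${saved:+...}` treats empty and unset identically. It would also be worth grepping the script for any other accumulator built with the same `${var:+$var }` idiom and passed to eval, since it would be exposed to the same bug; the hunk only covers this one variable.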
