Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #871937,
regarding stretch-pu: package monkeysign/2.2.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
871937: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871937
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Monkeysign has a minor security issue and two critical bugs
(unreported but still quite important) that affect all versions after
jessie.

The 2.2.4 upload performed on unstable today fixes all of those, but I
figured it was also important to backport those changes into an
upcoming stretch release. Considering the security issue is minor and
that it is also fixed by the recent GnuPG updates for CVE-2018-12020,
a security upload does not seem appropriate.

The attached patch is the debdiff for the last upload in unstable,
which I think should be applied verbatim to stable as well. It fixes a
crash in the API when manipulating GPG options (the "false" bit),
CVE-2018-12020, fixes the test suite so it passes again, and properly
sends email when all UIDs are signed.

I can provide more details or open release-critical bugs for all of
the above if you believe it is necessary.

A.

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru monkeysign-2.2.3/CHANGELOG monkeysign-2.2.4/CHANGELOG
--- monkeysign-2.2.3/CHANGELOG  2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/CHANGELOG  2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+  [ Tobias Rueetschi ]
+  * false isn't defined, that must be False
+
+  [ Antoine Beaupré ]
+  * actually send multiple emails instead of a single one
+  * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anar...@debian.org>  Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
   [ Simon Fondrie-Teitler ]
diff -Nru monkeysign-2.2.3/debian/changelog monkeysign-2.2.4/debian/changelog
--- monkeysign-2.2.3/debian/changelog   2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/debian/changelog   2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+  [ Tobias Rueetschi ]
+  * false isn't defined, that must be False
+
+  [ Antoine Beaupré ]
+  * actually send multiple emails instead of a single one
+  * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anar...@debian.org>  Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
   [ Simon Fondrie-Teitler ]
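Review bot: The new top entry is targeted at `unstable` with version 2.2.4, which is the unstable upload's own entry. An upload to stretch needs a separate entry whose distribution is `stretch` and whose version sorts below 2.2.4, so that upgrades to the next release still pick up the unstable package. The `CVE-2018-12020` line would also be easier to audit if it named the option being added, for example "add --no-verbose to the default GnuPG options".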
diff -Nru monkeysign-2.2.3/monkeysign/gpg.py monkeysign-2.2.4/monkeysign/gpg.py
--- monkeysign-2.2.3/monkeysign/gpg.py  2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/gpg.py  2018-06-18 12:18:46.000000000 -0400
@@ -102,6 +102,7 @@
                 'with-colons': None,
                 'with-fingerprint': None,
                 'fixed-list-mode': None,
+                'no-verbose': None,
                 'list-options': 
'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
                 }
 
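Review bot: The added `'no-verbose': None,` entry carries no comment saying it is the CVE-2018-12020 mitigation, so it reads like any other output-formatting default and could be dropped in a later cleanup. A one-line comment above it, e.g. `# CVE-2018-12020 mitigation, do not remove`, would help. The next hunk shows that options can be deleted from this dict with `del self.options[option]`, so it is also worth deciding whether callers should be able to unset this one.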
@@ -126,7 +127,7 @@
         if option in self.options:
             del self.options[option]
         else:
-            return false
+            return False
 
     def build_command(self, command):
         """internal helper to build a proper gpg commandline
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_gpg.py 
monkeysign-2.2.4/monkeysign/tests/test_gpg.py
--- monkeysign-2.2.3/monkeysign/tests/test_gpg.py       2017-01-24 
15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_gpg.py       2018-06-18 
12:18:46.000000000 -0400
@@ -42,7 +42,7 @@
     options = Context.options
 
     # ... and this is the rendered version of the above
-    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', 
'--list-options', 
'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
 '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', 
'--status-fd', '2', '--quiet' ]
+    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', 
'--list-options', 
'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
 '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', 
'--status-fd', '2', '--quiet', '--no-verbose' ]
 
     def setUp(self):
         self.gpg = Context()
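Review bot: `rendered_options` asserts one exact argument order, with `'--no-verbose'` appended at the end, while the options come from a dict whose literal order in gpg.py is different (`with-colons`, `with-fingerprint`, `fixed-list-mode`, `no-verbose`, `list-options`). If the comparison depends on dict iteration order, adding a key can reshuffle it. Comparing the arguments independently of order, with each option kept together with its value, would make the test robust against that.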
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_network.py 
monkeysign-2.2.4/monkeysign/tests/test_network.py
--- monkeysign-2.2.3/monkeysign/tests/test_network.py   2017-01-24 
15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_network.py   2018-06-18 
12:18:46.000000000 -0400
@@ -29,7 +29,7 @@
 sys.path.insert(0, os.path.dirname(__file__) + '/../..')
 
 from monkeysign.gpg import TempKeyring
-from test_lib import TestTimeLimit, AlarmException, find_test_file, 
skipUnlessNetwork
+from test_lib import TestTimeLimit, AlarmException, find_test_file, 
skipUnlessNetwork, skipIfDatePassed
 
 
 @skipUnlessNetwork()
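Review bot: `skipIfDatePassed` is now imported from `test_lib`, but this debdiff has no hunk for `test_lib.py`, so the import only works if the helper already exists in 2.2.3. Please confirm that it does; otherwise the whole module fails at import time instead of skipping one test.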
@@ -52,6 +52,7 @@
         except AlarmException:
             raise unittest.case._ExpectedFailure(sys.exc_info())
 
+    @skipIfDatePassed('2017-02-25T00:00:00UTC')
     def test_special_key(self):
         """test a key that sign_key had trouble with"""
         
self.assertTrue(self.gpg.import_data(open(find_test_file('96F47C6A.asc')).read()))
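Review bot: The cutoff in `@skipIfDatePassed('2017-02-25T00:00:00UTC')` is earlier than the 2018-06-18 date of this upload, so `test_special_key` is skipped unconditionally from now on, and nothing in the hunk says what stops being valid on that date. Add a comment giving the reason and, if it is the test data in `96F47C6A.asc` that expires, consider refreshing it so the test keeps running.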
diff -Nru monkeysign-2.2.3/monkeysign/ui.py monkeysign-2.2.4/monkeysign/ui.py
--- monkeysign-2.2.3/monkeysign/ui.py   2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/ui.py   2018-06-18 12:18:46.000000000 -0400
@@ -612,7 +612,7 @@
 
         if len(self.signed_keys) < 1:
             self.warn(_('no key signed, nothing to export'))
-        
+        ret = True
         for fpr, key in self.signed_keys.items():
             if self.chosen_uid is None:
                 for uid in key.uids.values():
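Review bot: `ret = True` is set right after the `no key signed, nothing to export` warning, so with an empty `self.signed_keys` the loop body never runs and the function reports success without sending anything. Return `False` after the warning, or initialise `ret` from `len(self.signed_keys) > 0`, if callers read the result as "mail was sent".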
@@ -621,14 +621,15 @@
                     except GpgRuntimeError as e:
                         self.warn(_('failed to create email: %s') % e)
                         break
-                    return self.sendmail(msg)
+                    ret = ret and self.sendmail(msg)
             else:
                 try:
                     msg = EmailFactory(self.tmpkeyring.export_data(fpr), fpr, 
self.chosen_uid, from_user, self.options.to)
                 except GpgRuntimeError as e:
                     self.warn(_('failed to create email: %s') % e)
                     break
-                return self.sendmail(msg)
+                ret = self.sendmail(msg)
+        return ret
 
     def sendmail(self, msg):
             """actually send the email
diff -Nru monkeysign-2.2.3/monkeysign/_version.py 
monkeysign-2.2.4/monkeysign/_version.py
--- monkeysign-2.2.3/monkeysign/_version.py     2017-01-24 15:40:35.000000000 
-0500
+++ monkeysign-2.2.4/monkeysign/_version.py     2018-06-18 12:18:46.000000000 
-0400
@@ -1,4 +1,4 @@
 # coding: utf-8
 # file generated by setuptools_scm
 # don't change, don't track in version control
-version = '2.2.3'
+version = '2.2.4'

--- End Message ---
--- Begin Message ---
Version: 9.8

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
