Your message dated Sun, 05 May 2019 13:36:12 +0000
with message-id <[email protected]>
and subject line unblock signing-party
has caused the Debian Bug report #928291,
regarding unblock: signing-party/2.10-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928291
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi there,
gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599:
unsafe shell call enabling shell injection via a User ID.
Debdiff between 2.9-1 and 2.10-1 attached. (While the package is not
native we're also upstream.) I replaced the of use of iconv(1) with
Perl's module ‘Encode.pm’ instead; it's a core module so the package
doesn't need any new dependency.
unblock signing-party/2.10-1
Thanks for considering its inclusion to Buster!
Cheers,
--
Guilhem.
diff -Nru signing-party-2.9/debian/changelog signing-party-2.10/debian/changelog
--- signing-party-2.9/debian/changelog 2019-03-01 15:39:40.000000000 +0100
+++ signing-party-2.10/debian/changelog 2019-05-01 12:21:59.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.10-1) unstable; urgency=high
+
+ * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
+ shell injection via a User ID. Use Perl's (core) module Encode.pm instead
+ of shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <[email protected]> Wed, 01 May 2019 12:21:59 +0200
+
signing-party (2.9-1) unstable; urgency=medium
* gpglist:
diff -Nru signing-party-2.9/gpg-key2ps/gpg-key2ps
signing-party-2.10/gpg-key2ps/gpg-key2ps
--- signing-party-2.9/gpg-key2ps/gpg-key2ps 2019-03-01 15:40:38.000000000
+0100
+++ signing-party-2.10/gpg-key2ps/gpg-key2ps 2019-05-01 12:22:19.000000000
+0200
@@ -9,6 +9,7 @@
#
use strict;
+use Encode ();
use Getopt::Long;
my $version = '@@VERSION@@';
@@ -267,7 +268,7 @@
}
# user ids
s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
+ $_ = Encode::encode("latin1", Encode::decode_utf8($_));
s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/
($1) uid/;
# revoked user id
if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/
($1) revuid/) {
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Unblocked signing-party.
--- End Message ---
