Mike Gabriel <[email protected]> (03/07/2012):
> The next Debian Edu release 6.0.5+r1 depends on a security fix in
> GOsa² (src:package gosa):
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665950
>
> A new squeeze compliant version of gosa (2.6.11-3+squeeze2) has now
> been provided by the gosa maintainer.
>
> May I ask you to review the debdiff output below and give your
> permission for uploading gosa 2.6.11-3+squeeze2 to s-p-u.
>
> Thanks in advance,
> Mike Gabriel
>
>
> diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog
> --- gosa-2.6.11/debian/changelog 2012-02-06 13:43:11.000000000 +0100
> +++ gosa-2.6.11/debian/changelog 2012-07-02 21:56:21.000000000 +0200
> @@ -1,3 +1,9 @@
> +gosa (2.6.11-3+squeeze2) stable; urgency=low
> +
> + * Backport shellvar escaping code. Closes: #665950.
> +
> + -- Cajus Pollmeier <[email protected]> Mon, 11 Jun 2012 13:52:18 +0100
> +
> gosa (2.6.11-3+squeeze1) stable; urgency=low
>
> * Fix DHCP host removal. Closes: #650258
> diff -Nru gosa-2.6.11/debian/patches/14_escape.patch
> gosa-2.6.11/debian/patches/14_escape.patch
> --- gosa-2.6.11/debian/patches/14_escape.patch 1970-01-01
> 01:00:00.000000000 +0100
> +++ gosa-2.6.11/debian/patches/14_escape.patch 2012-07-02
> 21:54:37.000000000 +0200

This seems to have been mangled, which doesn't ease the review.

> @@ -0,0 +1,18 @@
> +Description: Allow passwords to contain special chars and still
> work with hook scripts
> +Author: Fabian Hickert <[email protected]>
> +Index: functions.inc
> +===================================================================
> +--- a/gosa-core/include/functions.inc (revision 21128)
> ++++ b/gosa-core/include/functions.inc (working copy)
> +@@ -3059,8 +3059,8 @@
> +
> + if ($command != ""){
> + /* Walk through attribute list */
> +- $command= preg_replace("/%userPassword/", $password, $command);
> +- $command= preg_replace("/%dn/", $dn, $command);
> ++ $command= preg_replace("/%userPassword/",
> escapeshellarg($password), $command);
> ++ $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
> +
> + if (check_command($command)){
> + @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__,
> $command, "Execute");

(this too.)

I see the squeeze source package has a series file, which doesn't get updated by this debdiff. Maybe I'm missing something obvious, but that makes me wonder whether you have actually tested the updated package.

Mraw,
KiBi.
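Review bot: the debian/changelog hunk records this upload only as "Backport shellvar escaping code. Closes: #665950." and never says it is a security fix, although the cover mail calls #665950 exactly that and the accompanying patch exists to stop unescaped %userPassword and %dn values from being substituted into a shell command that is then executed; a stable update entry should state the issue being fixed (for example "Escape password and DN before passing them to hook scripts (shell command injection)") so that users and the security team can tell from the changelog what changed and why.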
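Review bot: in the 14_escape.patch hunk the escaped values are still inserted with preg_replace(), whose replacement argument is not literal: backslash and $n sequences are interpreted as backreferences, so a password containing e.g. "$1" or "\1" is altered before it ever reaches the shell, escapeshellarg() notwithstanding; replacing the two `preg_replace("/%userPassword/", escapeshellarg($password), $command)` / `preg_replace("/%dn/", escapeshellarg($dn), $command)` calls with str_replace("%userPassword", escapeshellarg($password), $command) and the same for %dn keeps the escaping and removes that second mangling step. Two follow-ups worth checking: escapeshellarg() wraps the value in its own single quotes, so any configured hook command that already quotes the placeholder will now receive a doubly quoted argument; and since the debdiff adds debian/patches/14_escape.patch without a matching change to debian/patches/series, the new patch is not applied at build time as the diff stands, which is the testing concern raised in the reply.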