Control: tags -1 - moreinfo

Hi,

On 26/07/15 02:51, Adam D. Barratt wrote:
> Once 1.0.5-2 is in unstable, please prepare a package versioned as
> 1.0.5-1+deb8u1, built and tested on stable, and send us a debdiff of
> that.

1.0.5-2 is now in unstable. I have prepared an identical package with the
version string as specified, and it builds fine with pbuilder targeting stable.
The debdiff is attached, and if necessary the package is available here:

http://mentors.debian.net/debian/pool/main/p/plowshare4/plowshare4_1.0.5-1+deb8u1.dsc


Cheers,
Carl
diff -Nru plowshare4-1.0.5/debian/changelog plowshare4-1.0.5/debian/changelog
--- plowshare4-1.0.5/debian/changelog   2014-09-04 11:43:49.000000000 +1000
+++ plowshare4-1.0.5/debian/changelog   2015-07-26 16:05:43.000000000 +1000
@@ -1,3 +1,9 @@
+plowshare4 (1.0.5-1+deb8u1) stable; urgency=high
+
+  * Disable javascript support (Closes: #791467)
+
+ -- Carl Suster <[email protected]>  Sun, 26 Jul 2015 16:04:26 +1000
+
 plowshare4 (1.0.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru plowshare4-1.0.5/debian/control plowshare4-1.0.5/debian/control
--- plowshare4-1.0.5/debian/control     2014-09-01 13:24:42.000000000 +1000
+++ plowshare4-1.0.5/debian/control     2015-07-15 11:45:00.000000000 +1000
@@ -10,7 +10,7 @@
 
 Package: plowshare4
 Architecture: all
-Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | 
libhtml-parser-perl, rhino
+Depends: ${misc:Depends}, bash (>=4.1), curl (>=7.24), recode | 
libhtml-parser-perl
 Recommends: qiv | feh | sxiv | imagemagick
 Suggests: aview | caca-utils, fbi
 Description: Download and upload files from file sharing websites
diff -Nru plowshare4-1.0.5/debian/gbp.conf plowshare4-1.0.5/debian/gbp.conf
--- plowshare4-1.0.5/debian/gbp.conf    2014-09-01 13:28:38.000000000 +1000
+++ plowshare4-1.0.5/debian/gbp.conf    2015-07-26 14:39:11.000000000 +1000
@@ -3,16 +3,16 @@
 upstream-tag = v%(version)s
 debian-tag = debian/%(version)s
 upstream-branch = upstream/master
-debian-branch = debian/unstable
-distribution = unstable
+debian-branch = debian/stable
+distribution = stable
 pristine-tar = True
 pristine-tar-commit = True
 
 [buildpackage]
 sign-tags = True
-prebuild = git describe --always --tags --abbrev=0 > debian/git-describe
+prebuild = echo "v1.0.5" > debian/git-describe
 postbuild = lintian $GBP_CHANGES_FILE
-dist = sid
+dist = stable
 pbuilder = True
 
 [dch]
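Review bot: `prebuild = echo "v1.0.5" > debian/git-describe` pins a value that `git describe --always --tags --abbrev=0` previously derived from the checkout, so a later upload from the debian/stable branch will keep writing the same string even if the upstream version ever changes, with nothing in the file saying why. A short comment above it, such as `# stable branch presumably has no upstream tag to describe; keep in sync with the upstream version in debian/changelog`, would record both the reason and the maintenance step. The switch of `debian-branch`, `distribution` and `dist` to stable is consistent with the changelog entry elsewhere in this debdiff.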
diff -Nru plowshare4-1.0.5/debian/patches/01-disable-javascript.patch 
plowshare4-1.0.5/debian/patches/01-disable-javascript.patch
--- plowshare4-1.0.5/debian/patches/01-disable-javascript.patch 1970-01-01 
10:00:00.000000000 +1000
+++ plowshare4-1.0.5/debian/patches/01-disable-javascript.patch 2015-07-15 
11:45:00.000000000 +1000
@@ -0,0 +1,56 @@
+Author: Carl Suster <[email protected]>
+Bug-Debian: http://bugs.debian.org/791467
+Description: Disable javascript execution
+ Plowshare uses rhino CLI to execute javascript downloaded from the Internet.
+ Since this is not filtered or sandboxed at all, the javascript can obtain
+ arbitrary access to the system and so this patch disables it.
+ .
+ Some modules will be broken by this change, but since the modules will break
+ anyway it is expected that most users will be using a more recent version of
+ this package, and in future less aggressive fixes will be investigated.
+
+Index: plowshare/src/core.sh
+===================================================================
+--- plowshare.orig/src/core.sh
++++ plowshare/src/core.sh
+@@ -1175,34 +1175,22 @@ post_login() {
+     fi
+ }
+ 
++# NB: Javascript disabled due to #791467
+ # Detect if a JavaScript interpreter is installed
+ # $? is zero on success
+ detect_javascript() {
+-    if ! type -P js >/dev/null 2>&1; then
+-        log_notice 'Javascript interpreter not found. Please install one!'
+-        return $ERR_SYSTEM
+-    fi
++    log_notice 'Use of Javascript interpreter is disabled in debian for 
security.'
++    return $ERR_SYSTEM
+ }
+ 
++# NB: Javascript disabled due to #791467
+ # Execute javascript code
+ #
+ # stdin: js script
+ # stdout: script result
+ javascript() {
+-    local TEMPSCRIPT
+-
+-    detect_javascript || return
+-    TEMPSCRIPT=$(create_tempfile '.js') || return
+-    cat > "$TEMPSCRIPT"
+-
+-    log_report "interpreter: $(type -P js)"
+-    log_report '=== JAVASCRIPT BEGIN ==='
+-    logcat_report "$TEMPSCRIPT"
+-    log_report '=== JAVASCRIPT END ==='
+-
+-    command js "$TEMPSCRIPT"
+-    rm -f "$TEMPSCRIPT"
+-    return 0
++    log_notice 'Use of Javascript interpreter is disabled in debian for 
security.'
++    return $ERR_SYSTEM
+ }
+ 
+ # Wait some time
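Review bot: The retained comment `# Detect if a JavaScript interpreter is installed` / `# $? is zero on success` above `detect_javascript()` is now misleading, because the new body unconditionally logs a notice and returns `$ERR_SYSTEM` without looking for any interpreter; replacing it with `# Always fails: JavaScript execution is disabled in this package (#791467)` and rewording the `# Execute javascript code` block above `javascript()` the same way would keep the documentation honest. The `stdin: js script` line is likewise stale, since the new `javascript()` never reads stdin, so a caller that pipes a script in may see the writer hit a closed pipe; whether that matters depends on the callers, which are outside this hunk. The DEP-3 header at the top of the patch has `Author`, `Bug-Debian` and `Description` but no `Forwarded:`; as the change is Debian-specific, `Forwarded: not-needed` plus a `Last-Update: 2015-07-15` line would make that explicit for the next maintainer.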
diff -Nru plowshare4-1.0.5/debian/patches/series 
plowshare4-1.0.5/debian/patches/series
--- plowshare4-1.0.5/debian/patches/series      1970-01-01 10:00:00.000000000 
+1000
+++ plowshare4-1.0.5/debian/patches/series      2015-07-15 14:10:53.000000000 
+1000
@@ -0,0 +1 @@
+01-disable-javascript.patch
