Hello community,

here is the log from the commit of package signing-party for openSUSE:Factory 
checked in at 2019-05-03 22:47:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/signing-party (Old)
 and      /work/SRC/openSUSE:Factory/.signing-party.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "signing-party"

Fri May  3 22:47:45 2019 rev:4 rq:700370 version:2.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/signing-party/signing-party.changes      
2019-03-26 15:43:41.936200120 +0100
+++ /work/SRC/openSUSE:Factory/.signing-party.new.5148/signing-party.changes    
2019-05-03 22:47:47.119956374 +0200
@@ -1,0 +2,6 @@
+Fri May  3 11:46:01 UTC 2019 - Sebastian Wagner <sebix+novell....@sebix.at>
+
+- Add patch cve-2019-11627.patch from 
https://salsa.debian.org/signing-party-team/signing-party/commit/cd69b6c0426a6160ef3de03fce9c7f112166d5a8
+  to fix CVE-2019-11627.
+
+-------------------------------------------------------------------

New:
----
  cve-2019-11627.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ signing-party.spec ++++++
--- /var/tmp/diff_new_pack.PUZ5IO/_old  2019-05-03 22:47:47.699957706 +0200
+++ /var/tmp/diff_new_pack.PUZ5IO/_new  2019-05-03 22:47:47.707957724 +0200
@@ -26,6 +26,8 @@
 Source:         
http://ftp.debian.org/debian/pool/main/s/signing-party/signing-party_%{version}.orig.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-OPENSUSE caff-manpage.patch [bnc#722626]
 Patch1:         caff-manpage.patch
+# PATCH-FIX-UPSTREAM cve-2019-11627.patch boo#1134040
+Patch2:         cve-2019-11627.patch
 Requires:       %{_sbindir}/sendmail
 Requires:       gpg
 Requires:       perl
@@ -83,6 +85,7 @@
 %prep
 %setup -q -n signing-party-%{version}
 %patch1 -p1
+%patch2 -p1
 
 %build
 %if 0%{?suse_version} > 1320

++++++ cve-2019-11627.patch ++++++
>From cd69b6c0426a6160ef3de03fce9c7f112166d5a8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guil...@debian.org>
Date: Tue, 30 Apr 2019 19:49:45 +0200
Subject: [PATCH] gpg-key2ps: Fix shell injection vulnerability in UIDs
 rendering.

---
 debian/changelog      | 7 +++++++
 gpg-key2ps/gpg-key2ps | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 7b071b7..26a665b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+signing-party (2.10-1) UNRELEASED; urgency=high
+
+  * gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+    (Closes: #928256.)
+
+ -- Guilhem Moulin <guil...@debian.org>  Tue, 30 Apr 2019 19:47:04 +0200
+
 signing-party (2.9-1) unstable; urgency=medium
 
   * gpglist:
diff --git a/gpg-key2ps/gpg-key2ps b/gpg-key2ps/gpg-key2ps
index 4d76fb4..1a67e04 100755
--- a/gpg-key2ps/gpg-key2ps
+++ b/gpg-key2ps/gpg-key2ps
@@ -9,6 +9,7 @@
 #
 
 use strict;
+use Encode ();
 use Getopt::Long;
 
 my $version = '@@VERSION@@';
@@ -267,7 +268,7 @@ while(<GPG>) {
        }
        # user ids
        s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
-       $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
+       $_ = Encode::encode("latin1", Encode::decode_utf8($_));
        s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/     
($1) uid/;
        # revoked user id
        if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ 
($1) revuid/) {
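Review bot: The UID text is still untrusted after the new `Encode::encode("latin1", Encode::decode_utf8($_))` line, and the substitution directly below it places that text inside a PostScript string literal (`($1) uid` / `($1) revuid`) with no escaping visible in this hunk. If nothing elsewhere in the loop handles it, the captured field should have `\`, `(` and `)` backslash-escaped before it is printed, for example with `s/([\\()])/\\$1/g` applied to the UID field; please confirm against the rest of the script. Separately, `Encode::encode` is called without a CHECK argument, so characters that Latin-1 cannot represent come out as `?`, whereas `iconv -c` dropped them; a short comment such as `# convert in-process, never via a shell; unmappable characters become "?"` would record both the reason and the changed output. The enclosing `while(<GPG>)` loop begins and ends outside the hunk.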
-- 
2.20.1

