Your message dated Thu, 10 Nov 2016 22:05:21 +0000
with message-id <[email protected]>
and subject line Bug#827445: fixed in python3-proselint 0.7.0-1
has caused the Debian Bug report #827445,
regarding python3-proselint: Remove `shell=True` as they are a security hazard
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
827445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827445
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python3-proselint
Version: 0.5.3-2
Severity: serious
Tags: security
Justification: This is a migration blocker bug, as this issue is already fixed in upstream's unreleased master.

As said on Python's subprocess docs, using shell=True can be a security hazard[1], as they open the door to shell code injection.

`shell=True` could for example be removed from:

    out = subprocess.check_output("proselint --version", shell=True)
    subprocess.call("proselint --debug >/dev/null", shell=True)

These other examples are possibly vulnerable to shell code injection:

    out = subprocess.check_output("proselint {}".format(fullpath), shell=True)
    subprocess.call("{} {}".format("open", fullpath), shell=True)
    subprocess.call("proselint {} >/dev/null".format(filepath), shell=True)

These other examples could maybe use python equivalents instead?:

    subprocess.call("find . -name '*.pyc' -delete", shell=True)
    subprocess.call("rm -rfv proselint/cache > /dev/null && mkdir -p {}".format(os.path.join(os.path.expanduser("~"), ".proselint")), shell=True)

See also upstream's bug tracker [2].

[1]: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
[2]: https://github.com/amperser/proselint/issues/395

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-proselint depends on:
ii  python3-click   6.6-1
ii  python3-future  0.15.2-2
ii  python3-six     1.10.0-3
pn  python3:any     <none>

python3-proselint recommends no packages.

python3-proselint suggests no packages.

-- no debconf information
--- End Message ---
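The bug report above lists three kinds of `shell=True` call: ones where the flag is simply unnecessary, ones where an attacker-controlled path is interpolated into the command string, and ones that shell out for work the standard library already does. The following is an added example written for this archive page, not proselint's code and not the fix the maintainers shipped. It uses `printf` in place of the `proselint` binary so it runs without proselint installed, and `MALICIOUS_PATH` is a constructed filename standing in for a file an attacker can name (for instance one committed to a repository that a CI job lints). It shows the injection, the argv-list fix, `shlex.quote()` for the case where a shell really is needed, `stdout=subprocess.DEVNULL` replacing the `>/dev/null` redirect, and Python equivalents of the `find`/`rm`/`mkdir` calls.

```python
"""Why shell=True with string interpolation is injectable, and the fixes.

Added example, not proselint's code. 'printf' stands in for the proselint
binary so the script runs without proselint installed; MALICIOUS_PATH is a
constructed attacker-controlled filename.
"""
import shlex
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed input: a filename under attacker control. /bin/sh treats ';'
# as a command separator, so anything after it becomes a second command.
MALICIOUS_PATH = "report.md; echo INJECTED"


def run_vulnerable(fullpath: str) -> str:
    """Pattern from the bug report: "proselint {}".format(fullpath), shell=True.

    The shell re-parses the interpolated string, so the text after ';' in
    fullpath is executed as its own command (here: echo INJECTED).
    """
    cmd = "printf '%s\\n' {}".format(fullpath)
    return subprocess.check_output(cmd, shell=True, text=True)


def run_fixed(fullpath: str) -> str:
    """argv list and no shell: fullpath arrives as exactly one argument, ';' is inert."""
    return subprocess.check_output(["printf", "%s\n", fullpath], text=True)


def run_quoted(fullpath: str) -> str:
    """If a shell is genuinely needed, shlex.quote() every interpolated value."""
    cmd = "printf '%s\\n' {}".format(shlex.quote(fullpath))
    return subprocess.check_output(cmd, shell=True, text=True)


def lint_quietly(fullpath: str) -> int:
    """Replaces '... >/dev/null': stdout=DEVNULL needs no shell for the redirect."""
    return subprocess.call(["printf", "%s\n", fullpath], stdout=subprocess.DEVNULL)


def delete_pyc(root: Path) -> int:
    """Python equivalent of: find . -name '*.pyc' -delete"""
    removed = 0
    for pyc in root.rglob("*.pyc"):
        pyc.unlink()
        removed += 1
    return removed


def reset_cache(cache_dir: Path, user_dir: Path) -> Path:
    """Python equivalent of: rm -rf proselint/cache && mkdir -p ~/.proselint"""
    shutil.rmtree(cache_dir, ignore_errors=True)
    user_dir.mkdir(parents=True, exist_ok=True)
    return user_dir


def demo_python_equivalents() -> tuple:
    """Exercise delete_pyc/reset_cache in a throwaway tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a.pyc").write_bytes(b"")
        (root / "sub" / "b.pyc").write_bytes(b"")
        (root / "keep.py").write_text("")
        removed = delete_pyc(root)
        cache = root / "proselint" / "cache"
        cache.mkdir(parents=True)
        user_dir = reset_cache(cache, root / ".proselint")
        return removed, (root / "keep.py").exists(), cache.exists(), user_dir.is_dir()


if __name__ == "__main__":
    print("shell=True :", repr(run_vulnerable(MALICIOUS_PATH)))
    print("argv list  :", repr(run_fixed(MALICIOUS_PATH)))
    print("shlex.quote:", repr(run_quoted(MALICIOUS_PATH)))
    print("python equivalents:", demo_python_equivalents())
```

Run it and `run_vulnerable` prints two lines (`report.md` and `INJECTED`) because the shell executed the second command, while `run_fixed` and `run_quoted` print the whole filename, semicolon included, as one literal argument. The argv-list form is the one to reach for first: it removes the shell from the picture entirely, which also removes glob expansion, variable expansion and redirection as attack surface; `shlex.quote()` is the fallback only when a pipeline or redirect cannot be expressed with `stdout=`/`stdin=` arguments.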
--- Begin Message ---
Source: python3-proselint
Source-Version: 0.7.0-1

We believe that the bug you reported is fixed in the latest version of
python3-proselint, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Víctor Cuadrado Juan <[email protected]> (supplier of updated python3-proselint package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Nov 2016 22:18:39 +0100
Source: python3-proselint
Binary: python3-proselint
Architecture: source
Version: 0.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Víctor Cuadrado Juan <[email protected]>
Description:
 python3-proselint - Library and command-line prose linter utility (Python 3)
Closes: 827445
Changes:
 python3-proselint (0.7.0-1) unstable; urgency=medium
 .
   [ Víctor Cuadrado Juan ]
   * New Upstream release
     - Remove `shell=True` as they are a security hazard (Closes: #827445)
   * Drop 0002-Make-proselint-work-on-read-only-files.patch as it has been
     upstreamed
   * Update d/proselint.1 manpage for v0.7.0
   * Add TODO.Debian
   * Run `wrap-and-sort -ast`
 .
   [ Mattia Rizzolo ]
   * Add git-dpm tag config
   * Bump debhelper compat level to 10
Checksums-Sha1:
 dbd0015e70cad287def68d901d92eed191e4485b 2130 python3-proselint_0.7.0-1.dsc
 3c504317f55255690c0f1bb78b6e07391c7e9452 78585 python3-proselint_0.7.0.orig.tar.gz
 9da92e094df2feca0a4d9357ba4fe95b5b3e21c5 3724 python3-proselint_0.7.0-1.debian.tar.xz
Checksums-Sha256:
 e46b184b871e8271c4a4099f0abb051f632651d0827ade808d6e586dff810a44 2130 python3-proselint_0.7.0-1.dsc
 094d808d44bf1a60dcb1465749be5cc44f4f6c146c04bc5f28976a833786e830 78585 python3-proselint_0.7.0.orig.tar.gz
 d0a4af02130c172e94652df776945c43788b1dd961c59ece1e465e981f39a537 3724 python3-proselint_0.7.0-1.debian.tar.xz
Files:
 cad3375ed3151311334f43bd5703bfd8 2130 text optional python3-proselint_0.7.0-1.dsc
 d6e77707e0ba4d7c240998571a23032a 78585 text optional python3-proselint_0.7.0.orig.tar.gz
 23600e6ac76a6307c5b601eb1b331971 3724 text optional python3-proselint_0.7.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYJOq3AAoJEDVzElWdHgZL950P/2qXhYT0EW1ReMgvZ9fDSlHU
HZ1jUmJs8A3Zh22eBwJR+/01eBMP2NKT8HKrROr0OLUt68SeHmbHuagJlzHWo14Z
Fihbdg41UN58cAAIfg2qyQxfOPKuCNzayayHg5KrbhPLkvfsDjMHETWl8qQxO9bs
FD8NL6BepZGXdaXAstDKaRs8AtGImktW0CmepWbGutn4CXQPmua6V154vHwYSLRA
HHqYbD36zxBxBKK0YMSZD8+7SRwFGBHJMWtIK4rrNmrnf/kqTx4ihQxUxwEeSk0Q
kb39XAWe9XCWa+ya4sH3y228f6jcfhL0vk10DwuFNQx5WUXWkXna2KKw2hZuRMc3
mwbkbelvA53ZAFl2CO5JiZ6AjUNbVnN6NKdXocIbtNaFZkchqjt6+FrHY/zvylev
CfFnxJlFxnLGQVKI2pFClAWjiVmauXYWmIvhuZg208FBLZN12WV1ETg9/AhbALwr
PMYnjJUmGHuKpclUBmsvITHbyABf2ExzxApSZzClKMNDgt+hOD+1z3POjZzE+sJ/
X42qUCihvmKjS4rNouds6NJQjMUxabcHNaV94RWeHrVzRMNWTG7Baq30ntdUvWtm
2CD08oXBEOuta5k0hIqGf7DHdbc2WiYtTGH/BXmhuRqxV3TLpc6aAKwObZa5MBnE
dM3QwLQB4gwr2KsyojHF
=CPC0
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ Python-modules-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

