Bug#882197: stretch-pu: package variety/0.6.3-5+deb9u1

2018-05-28 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2017-11-24 at 10:57 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2017-11-19 at 21:21 -0800, James Lu wrote:
> > I've prepared an update for Variety to fix some shell injection
> > bugs
> > caused by crafted filenames. These fixes are backported from the
> > 0.6.6 release which is currently in unstable.
> 
> Assuming that the resulting package has been built and tested in a
> stretch environment, please go ahead.

Rather belatedly uploaded; flagged for acceptance.

Regards,

Adam



Bug#882197: stretch-pu: package variety/0.6.3-5+deb9u1

2017-11-24 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2017-11-19 at 21:21 -0800, James Lu wrote:
> I've prepared an update for Variety to fix some shell injection bugs
> caused by crafted filenames. These fixes are backported from the
> 0.6.6 release which is currently in unstable.

Assuming that the resulting package has been built and tested in a
stretch environment, please go ahead.

Regards,

Adam



Bug#882197: stretch-pu: package variety/0.6.3-5+deb9u1

2017-11-19 Thread James Lu
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I've prepared an update for Variety to fix some shell injection bugs caused by
crafted filenames. These fixes are backported from the 0.6.6 release which is
currently in unstable.

The debdiff is attached, and the full changelog is below:

variety (0.6.3-5+deb9u1) stretch; urgency=medium

  * Backport various security fixes from Variety 0.6.6:
- Fix shell injection on deleting files to trash, from upstream commit
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
- Fix shell injection in filter and clock with specially crafted
  filenames; upstream commit
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
- Harden ImageMagick calls against potential shell injection:
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a

Best,
James

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'testing'), (450, 'unstable'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8),
LANGUAGE=en_CA.utf8 (charmap=UTF-8)
diff -Nru variety-0.6.3/debian/changelog variety-0.6.3/debian/changelog
--- variety-0.6.3/debian/changelog  2017-05-06 16:43:32.0 -0700
+++ variety-0.6.3/debian/changelog  2017-11-14 12:42:11.0 -0800
@@ -1,3 +1,16 @@
+variety (0.6.3-5+deb9u1) stretch; urgency=medium
+
+  * Backport various security fixes from Variety 0.6.6:
+- Fix shell injection on deleting files to trash, from upstream commit
+  
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
+- Fix shell injection in filter and clock with specially crafted
+  filenames; upstream commit
+  
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
+- Harden ImageMagick calls against potential shell injection:
+  
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a
+
+ -- James Lu   Tue, 14 Nov 2017 12:42:11 -0800
+
 variety (0.6.3-5) unstable; urgency=medium
 
   * Add fix-autoscroll-high-cpu.patch backported from upstream Bzr revision
diff -Nru 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
--- 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
1969-12-31 16:00:00.0 -0800
+++ 
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
2017-11-14 12:42:11.0 -0800
@@ -0,0 +1,65 @@
+From 475a5e076b9c8c7c83176214f84455dc78834723 Mon Sep 17 00:00:00 2001
+From: James Lu 
+Date: Sun, 10 Sep 2017 10:39:13 -0700
+Subject: [PATCH 1/3] Fix shell injection on deleting to trash via specially
+ crafted filenames
+
+Rewrite this code in subprocess.call (which doesn't spawn a shell by default), 
and explicitly check whether trash programs are installed before running them.
+---
+ variety/VarietyWindow.py | 31 +--
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
+index b99cd1a..c9bb770 100644
+--- a/variety/VarietyWindow.py
 b/variety/VarietyWindow.py
+@@ -43,6 +43,10 @@ import urlparse
+ import webbrowser
+ from PIL import Image as PILImage
+ 
++# Replacement for shutil.which, which (no pun intended) only exists on Python 
3.3+
++# unless we want another 3rd party dependency.
++from distutils.spawn import find_executable
++
+ random.seed()
+ logger = logging.getLogger('variety')
+ 
+@@ -1721,14 +1725,29 @@ class VarietyWindow(Gtk.Window):
+ def _go():
+ self.smart.report_file(file, 'trash', async=False)
+ 
+-command = 'gvfs-trash "%s" || trash-put "%s" || kfmclient 
move "%s" trash:/' % (file, file, file)
+-logger.info(lambda: "Running trash command %s" % command)
+-result = os.system(command.encode('utf8'))
+-if result != 0:
+-logger.error(lambda: "Trash resulted in error code 
%d" % result)
++command = ''
++if find_executable('gvfs-trash'):
++command = ['gvfs-trash', file.encode('utf-8')]
++elif find_executable('trash-put'):
++command = ['trash-put', file.encode('utf-8')]
++elif find_executable('kfmclient'):
++command
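Review bot: `command = ''` initialises a str while every branch of the new if/elif chain assigns a list, and the hunk is cut off before showing what happens when none of gvfs-trash, trash-put or kfmclient is installed; initialise to None and return with a logged error before anything is executed so that an empty command can never reach the call. Two smaller points on the same lines: find_executable() already returns the resolved path, so execute that (`gvfs = find_executable('gvfs-trash')` / `if gvfs: command = [gvfs, file.encode('utf-8')]`) rather than passing the bare name and letting the exec do a second PATH lookup; and the removed `gvfs-trash ... || trash-put ... || kfmclient ...` line fell through to the next tool when the first one existed but failed, whereas the new chain only ever tries the first tool that is installed, which is a behaviour change worth a sentence in the commit message.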
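The pattern the thread fixes, shown end to end as an added example (not code from the Variety project or from this bug report): a filename is pasted into a shell command string and later executed, so a crafted name such as `wallpaper.jpg"; touch MARKER; echo "` closes the quote and runs its own command. The example runs the vulnerable string form, a shell string with every argument passed through `shlex.quote`, and the argv-list form the patch adopts, and reports which of the three let the injected `touch` run. It goes beyond the patch by also showing the `shlex.quote` alternative for cases where a shell really is required, and it uses `shutil.which` (the Python 3 counterpart of the `distutils.spawn.find_executable` used in the patch) to pick the first installed tool and return None when there is none. Assumptions: a POSIX `/bin/sh` and a coreutils `true` binary as a harmless stand-in for gvfs-trash; the crafted filename and the candidate tool list are constructed for the demo.

```python
"""Shell injection via a crafted filename, and two ways to build the command safely.

Added example; not code from the Variety project or from this bug thread.
Assumes a POSIX /bin/sh and a `true` binary (coreutils) as a harmless stand-in
for gvfs-trash/trash-put.  The crafted filename is constructed for the demo.
"""
import os
import shlex
import shutil
import subprocess
import tempfile

# Stand-in for the trash tool: present on Linux/macOS and ignores its arguments.
TRASH_TOOL = "true"


def shell_string(tool, path):
    """The removed pattern: the filename is pasted into a string the shell parses.

    Any of  " ; $( ) ` |  inside `path` changes the command structure.
    """
    return '%s "%s"' % (tool, path)


def quoted_shell_string(tool, path):
    """Still a shell string, but each argument is quoted so the shell sees one word."""
    return "%s %s" % (shlex.quote(tool), shlex.quote(path))


def argv_list(tool, path):
    """The fix's pattern: one argv element per argument, no shell involved at all."""
    return [tool, path]


def pick_trash_command(path, candidates=("gvfs-trash", "trash-put")):
    """Return an argv list for the first installed candidate, or None if none is installed.

    The path resolved by shutil.which() is what gets executed, so the existence
    check and the exec agree on which binary is meant.
    """
    for name in candidates:
        resolved = shutil.which(name)
        if resolved:
            return [resolved, path]
    return None


def _run(cmd, use_shell):
    """Execute `cmd` quietly and return its exit status."""
    return subprocess.run(cmd, shell=use_shell,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def demo():
    """Run the three variants against a crafted filename.

    Returns (injected_via_shell, injected_via_quoted_shell, injected_via_argv);
    True means the injected `touch` ran and created the marker file.
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "injected")
        # Constructed attacker filename: closes the quote, runs touch, reopens the quote.
        crafted = 'wallpaper.jpg"; touch %s; echo "' % marker
        for cmd, use_shell in (
            (shell_string(TRASH_TOOL, crafted), True),
            (quoted_shell_string(TRASH_TOOL, crafted), True),
            (argv_list(TRASH_TOOL, crafted), False),
        ):
            _run(cmd, use_shell)
            results.append(os.path.exists(marker))
            if os.path.exists(marker):
                os.remove(marker)
    return tuple(results)


if __name__ == "__main__":
    print("injected (shell str, quoted shell str, argv list):", demo())
```

Only the first variant creates the marker: the unquoted shell string lets the filename terminate the argument and start a new command, while both the quoted string and the argv list pass the whole name as a single argument to `true`. The argv list is the better of the two fixes because there is no shell to get quoting wrong in; `shlex.quote` is the fallback when a pipeline or `||` chain genuinely needs one.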