Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Dear Release Team,
I've prepared an update for Variety to fix some shell injection bugs caused by
crafted filenames. These fixes are backported from the 0.6.6 release which is
currently in unstable.
The debdiff is attached, and the full changelog is below:
variety (0.6.3-5+deb9u1) stretch; urgency=medium
* Backport various security fixes from Variety 0.6.6:
- Fix shell injection on deleting files to trash, from upstream commit
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
- Fix shell injection in filter and clock with specially crafted
filenames; upstream commit
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
- Harden ImageMagick calls against potential shell injection:
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a
Best,
James
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'testing'), (450, 'unstable'), (101, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8),
LANGUAGE=en_CA.utf8 (charmap=UTF-8)
diff -Nru variety-0.6.3/debian/changelog variety-0.6.3/debian/changelog
--- variety-0.6.3/debian/changelog 2017-05-06 16:43:32.0 -0700
+++ variety-0.6.3/debian/changelog 2017-11-14 12:42:11.0 -0800
@@ -1,3 +1,16 @@
+variety (0.6.3-5+deb9u1) stretch; urgency=medium
+
+ * Backport various security fixes from Variety 0.6.6:
+- Fix shell injection on deleting files to trash, from upstream commit
+
https://github.com/varietywalls/variety/commit/475a5e076b9c8c7c83176214f84455dc78834723
+- Fix shell injection in filter and clock with specially crafted
+ filenames; upstream commit
+
https://github.com/varietywalls/variety/commit/65722237baa996b0ef2389cea693bfeeba62b224
+- Harden ImageMagick calls against potential shell injection:
+
https://github.com/varietywalls/variety/commit/a7c134ecd494bb878c73df9f65cb838dbb57413a
+
+ -- James Lu Tue, 14 Nov 2017 12:42:11 -0800
+
variety (0.6.3-5) unstable; urgency=medium
* Add fix-autoscroll-high-cpu.patch backported from upstream Bzr revision
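Review bot: the new changelog entry at the top of this hunk (`+variety (0.6.3-5+deb9u1) stretch; urgency=medium`) cites the three upstream commits but gives no Debian bug or CVE reference for the shell-injection fixes; if a bug has been filed for them, append `(Closes: #NNNNNN)` (placeholder number) to the `* Backport various security fixes` line so the stable update is tracked against it.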
diff -Nru
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
---
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
1969-12-31 16:00:00.0 -0800
+++
variety-0.6.3/debian/patches/0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch
2017-11-14 12:42:11.0 -0800
@@ -0,0 +1,65 @@
+From 475a5e076b9c8c7c83176214f84455dc78834723 Mon Sep 17 00:00:00 2001
+From: James Lu
+Date: Sun, 10 Sep 2017 10:39:13 -0700
+Subject: [PATCH 1/3] Fix shell injection on deleting to trash via specially
+ crafted filenames
+
+Rewrite this code in subprocess.call (which doesn't spawn a shell by default),
and explicitly check whether trash programs are installed before running them.
+---
+ variety/VarietyWindow.py | 31 +--
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
+index b99cd1a..c9bb770 100644
+--- a/variety/VarietyWindow.py
b/variety/VarietyWindow.py
+@@ -43,6 +43,10 @@ import urlparse
+ import webbrowser
+ from PIL import Image as PILImage
+
++# Replacement for shutil.which, which (no pun intended) only exists on Python
3.3+
++# unless we want another 3rd party dependency.
++from distutils.spawn import find_executable
++
+ random.seed()
+ logger = logging.getLogger('variety')
+
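Review bot: the `from distutils.spawn import find_executable` line in this hunk is placed after the third-party `from PIL import Image as PILImage` import rather than with the other standard-library imports, and its comment only explains why `shutil.which` is not used; group it with the stdlib imports and extend the comment to say that `find_executable` searches `PATH` and returns the full path or `None`, since the call sites in the next hunk use the result only as a boolean.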
+@@ -1721,14 +1725,29 @@ class VarietyWindow(Gtk.Window):
+ def _go():
+ self.smart.report_file(file, 'trash', async=False)
+
+-command = 'gvfs-trash "%s" || trash-put "%s" || kfmclient
move "%s" trash:/' % (file, file, file)
+-logger.info(lambda: "Running trash command %s" % command)
+-result = os.system(command.encode('utf8'))
+-if result != 0:
+-logger.error(lambda: "Trash resulted in error code
%d" % result)
++command = ''
++if find_executable('gvfs-trash'):
++command = ['gvfs-trash', file.encode('utf-8')]
++elif find_executable('trash-put'):
++command = ['trash-put', file.encode('utf-8')]
++elif find_executable('kfmclient'):
++command
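Review bot: `command = ''` at the start of the replacement block initialises a string while each `find_executable` branch assigns an argv list, and none of the visible branches handles the case where none of `gvfs-trash`, `trash-put` or `kfmclient` is installed; initialise `command = None`, add an explicit `else` that logs an error and returns before anything is executed, and consider using the path returned by `find_executable` as the first list element so the binary that was probed is the one that runs. Removing the `"%s"`-interpolated `os.system(command.encode('utf8'))` line in favour of a list is the right fix, since the filename then reaches the trash program as a single argument with no shell involved.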