Your message dated Tue, 30 Oct 2018 14:50:45 +0000
with message-id <e1ghvlx-000dqf...@fasolo.debian.org>
and subject line Bug#496448: fixed in libui-dialog-perl 1.21-0.1
has caused the Debian Bug report #496448,
regarding libui-dialog-perl: Dialog backend allows execution of arbitrary
shell commands (CVE-2008-7315)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
496448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libui-dialog-perl
Version: 1.08-1.1
Severity: important


Hi

UI::Dialog Perl module with the "dialog" backend does not properly
escape shell metacharacters in strings passed to it. This bug is a
potential security risk if these strings come from untrusted sources
since it allows execution of arbitrary shell commands.

The following program demonstrates this problem:

use UI::Dialog;

my $d = new UI::Dialog( order => ['dialog']);

$d->menu( list => [ "", '`echo "Hello" > test`' ])

Best regards
Tomaz Solc

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libui-dialog-perl depends on:
ii  perl                          5.10.0-11  Larry Wall's Practical Extraction 

libui-dialog-perl recommends no packages.

libui-dialog-perl suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: libui-dialog-perl
Source-Version: 1.21-0.1

We believe that the bug you reported is fixed in the latest version of
libui-dialog-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <rei...@reiner-h.de>
(supplier of updated libui-dialog-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Oct 2018 16:46:44 +0200
Source: libui-dialog-perl
Binary: libui-dialog-perl
Architecture: source
Version: 1.21-0.1
Distribution: unstable
Urgency: medium
Maintainer: Alejandro Garrido Mota <alejan...@debian.org>
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Description:
 libui-dialog-perl - UI::Dialog a wrapper for various dialog applications
Closes: 496448 602089
Changes:
 libui-dialog-perl (1.21-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2008-7315 (Closes: #496448)
     - Fixes version detection of newer dialog versions (Closes: #602089)
   * Drop FixPod2manErrors.diff and FixSpellingAndManDescription.diff
     (applied upstream).
   * New (build-)dependencies: libfile-slurp-perl, libstring-shellquote-perl


--- End Message ---
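
Added example, not part of either message above and not UI::Dialog's own code: it runs the menu item from the report through three ways of starting a child process and reports whether the embedded backticks were executed. It assumes the item is interpolated inside double quotes in a command line handed to /bin/sh, uses printf as a stand-in for the dialog binary, and needs String::ShellQuote (the libstring-shellquote-perl dependency listed in the 1.21-0.1 changelog).

```perl
#!/usr/bin/perl
# Added illustration; printf stands in for the dialog binary (assumption).
use strict;
use warnings;
use File::Temp qw(tempdir);
use String::ShellQuote qw(shell_quote);

$| = 1;                                   # keep our output ordered with the child's
my $dir = tempdir(CLEANUP => 1);          # scratch directory, removed on exit
chdir $dir or die "chdir $dir: $!";

# Menu item taken from the bug report above.
my $item = '`echo "Hello" > test`';

# Run a command and report whether the file "test" appeared, i.e. whether
# the shell treated the item as code instead of data.
sub run_and_check {
    my ($label, @cmd) = @_;
    unlink 'test';
    system(@cmd) == 0 or warn "$label: command failed\n";
    my $executed = -e 'test' ? 1 : 0;
    printf "%-24s backticks executed: %s\n", $label, $executed ? 'YES' : 'no';
    return $executed;
}

# 1. Assumed vulnerable pattern: the item sits inside double quotes, where
#    /bin/sh still performs command substitution.
run_and_check('double-quoted string',
              qq{printf '%s\\n' "$item"});

# 2. Same shell command line, but the item is quoted with shell_quote(),
#    so the shell passes it to printf as one literal argument.
run_and_check('shell_quote()',
              "printf '%s\\n' " . shell_quote($item));

# 3. List form of system(): no shell is involved at all, so there is
#    nothing to escape.
run_and_check('list-form system()',
              'printf', '%s\n', $item);
```

Where the program being wrapped can be started directly, the list form in case 3 is the more robust choice, since quoting (case 2) has to be applied at every place a string reaches the shell.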
