Re: tomb: RC bug fixed, please review and upload



Hello Team,

is there still a chance to get this into buster?

Can someone please review and upload the fix?

Sven

On Sunday, 10.03.2019, 12:57 +0100 Sven Geuer wrote:
> Hello Team,
> 
> I fixed bug #924042 in tomb [1]. Please review and upload.
> 
> Cheers,
> Sven 
> 
> [1] https://salsa.debian.org/pkg-security-team/tomb
> 
> On Friday, 08.03.2019, 20:34 +0100 Axel Beckert wrote:
> > Package: tomb
> > Version: 2.5+dfsg1-2
> > Severity: serious
> > 
> > tomb's exhume subcommand calls steghide:
> > 
> > ~ → tomb exhume /tmp/example.jpg
> > tomb [E] Steghide not installed: cannot exhume keys from images.
> > ~ → dgrep steghide tomb
> > /usr/bin/tomb:  _deps=(gettext dcfldd shred steghide)
> > /usr/bin/tomb:  # Check for steghide
> > /usr/bin/tomb:  command -v steghide 1>/dev/null 2>/dev/null || STEGHIDE=0
> > /usr/bin/tomb:# Requires steghide(1) to be installed
> > /usr/bin/tomb:          | steghide embed --embedfile - --coverfile ${imagefile} \
> > /usr/bin/tomb:          _warning "Encoding error: steghide reports problems."
> > /usr/bin/tomb:          TOMBKEY=$(steghide extract -sf $imagefile -p $tombpass -xf -)
> > /usr/bin/tomb:  steghide extract -sf $imagefile -p ${tombpass} -xf $destkey
> > 
> > But steghide is neither in a Recommends nor in a Suggests header.
> > 
> > And when looking at that grep output above, it becomes clear that there
> > are even more optional dependencies missing. Citing from tomb's source
> > code:
> > 
> > _list_optional_tools() {
> >         typeset -a _deps
> >         _deps=(gettext dcfldd shred steghide)
> >         _deps+=(resize2fs tomb-kdb-pbkdf2 qrencode swish-e unoconv lsof)
> >         for d in $_deps; do
> >                 _print "`which $d`"
> >         done
> >         return 0
> > }
> > 
> > So the following packages are missing in tomb's package relations. I
> > leave the package maintainers to decide which of them go into Suggests
> > and which into Recommends:
> > 
> > * gettext-base: /usr/bin/gettext
> > * dcfldd: /usr/bin/dcfldd
> > * steghide: /usr/bin/steghide
> > * qrencode: /usr/bin/qrencode
> > * unoconv: /usr/bin/unoconv
> > * lsof: /usr/bin/lsof
> > * swish-e: /usr/bin/swish-e
> > 
> > Will file a separate bug report for the missing tomb-kdb-pbkdf2 binary.
> > 
> > -- System Information:
> > Debian Release: buster/sid
> >   APT prefers unstable
> >   APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
> > Architecture: amd64 (x86_64)
> > 
> > Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
> > Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: sysvinit (via /sbin/init)
> > LSM: AppArmor: enabled
> > 
> > Versions of packages tomb depends on:
> > ii  cryptsetup-bin              2:2.1.0-2
> > ii  e2fsprogs                   1.44.6-1
> > ii  gnupg                       2.2.13-1
> > ii  pinentry-curses [pinentry]  1.1.0-1+b1
> > ii  pinentry-fltk [pinentry]    1.1.0-1+b1
> > ii  pinentry-gnome3 [pinentry]  1.1.0-1+b1
> > ii  pinentry-gtk2 [pinentry]    1.1.0-1+b1
> > ii  pinentry-qt [pinentry]      1.1.0-1+b1
> > ii  pinentry-tty [pinentry]     1.1.0-1+b1
> > ii  sudo                        1.8.27-1
> > ii  zsh                         5.7.1-1
> > 
> > tomb recommends no packages.
> > 
> > tomb suggests no packages.
> > 
> > -- no debconf information
> > 
> > 
> 
> 