
Bug#977872: marked as done (ITP: golang-github-cli-safeexec -- safer version of exec.LookPath on Windows)



Your message dated Mon, 18 Jan 2021 17:00:09 +0000
with message-id <E1l1Xsv-0002dp-5S@fasolo.debian.org>
and subject line Bug#977872: fixed in golang-github-cli-safeexec 1.0.0-1
has caused the Debian Bug report #977872,
regarding ITP: golang-github-cli-safeexec -- safer version of exec.LookPath on Windows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977872
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist
Owner: Anthony Fok <foka@debian.org>

* Package name    : golang-github-cli-safeexec
  Version         : 1.0.0-1
  Upstream Author : Mislav Marohnić <mislav@github.com>, GitHub Inc.
* URL             : https://github.com/cli/safeexec
* License         : BSD-2-clause
  Programming Lang: Go
  Description     : safer version of exec.LookPath on Windows

 safeexec is a Go module that provides a safer alternative to exec.LookPath()
 on Windows.
 .
 The following, relatively common approach to running external commands
 has a subtle vulnerability on Windows:
 .
   import "os/exec"
 .
   func gitStatus() error {
       // On Windows, this will result in .\git.exe or .\git.bat being executed
       // if either were found in the current working directory.
       cmd := exec.Command("git", "status")
       return cmd.Run()
   }
 .
 Searching the current directory (surprising behavior) before searching
 folders listed in the PATH environment variable (expected behavior)
 seems to be intended in Go and unlikely to be changed:
 https://github.com/golang/go/issues/38736
 .
 Since Go does not provide a version of exec.LookPath() that only searches
 PATH and does not search the current working directory, this module provides
 a LookPath function that works consistently across platforms.
 .
 Example use:
 .
   import (
       "os/exec"
       "github.com/cli/safeexec"
   )
 .
   func gitStatus() error {
       gitBin, err := safeexec.LookPath("git")
       if err != nil {
           return err
       }
       cmd := exec.Command(gitBin, "status")
       return cmd.Run()
   }


Reason for packaging: Needed by hugo 0.79.1 and up

--- End Message ---
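
The PATH-only lookup described in the package description above, sketched as an added example; it is not part of the original message and is not safeexec's implementation. The names `lookPathOnly` and `demo`, the explicit `pathEnv` and `exts` parameters, and the refusal of path-like names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lookPathOnly (hypothetical helper, not safeexec's code) resolves a bare command
// name using only absolute directories in pathEnv; exts models Windows PATHEXT.
func lookPathOnly(file, pathEnv string, exts []string) (string, error) {
	if strings.ContainsAny(file, `/\`) { // choice made here: no paths, names only
		return "", fmt.Errorf("%q is a path, not a command name", file)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) { // "", "." etc. would resolve against the cwd
			continue
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, file+ext)
			if fi, err := os.Stat(candidate); err == nil && fi.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", fmt.Errorf("%q: not found in any absolute PATH directory", file)
}

// demo builds a constructed layout: a planted git.bat in the working directory
// and the intended git.exe in bin/, with ".", "" and bin listed in PATH.
func demo() (got, want string, err error) {
	work, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(work)
	want = filepath.Join(work, "bin", "git.exe")
	os.Mkdir(filepath.Dir(want), 0o755)
	os.WriteFile(filepath.Join(work, "git.bat"), []byte("planted"), 0o755)
	os.WriteFile(want, []byte("intended"), 0o755)
	old, _ := os.Getwd()
	defer os.Chdir(old)
	os.Chdir(work)
	pathEnv := strings.Join([]string{".", "", filepath.Dir(want)}, string(os.PathListSeparator))
	got, err = lookPathOnly("git", pathEnv, []string{".bat", ".exe"})
	return got, want, err
}

func main() { fmt.Println(demo()) }
```

The resolved path is always absolute, so passing it to exec.Command bypasses any further name lookup.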
--- Begin Message ---
Source: golang-github-cli-safeexec
Source-Version: 1.0.0-1
Done: Anthony Fok <foka@debian.org>

We believe that the bug you reported is fixed in the latest version of
golang-github-cli-safeexec, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977872@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anthony Fok <foka@debian.org> (supplier of updated golang-github-cli-safeexec package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 13 Jan 2021 19:47:46 -0700
Source: golang-github-cli-safeexec
Binary: golang-github-cli-safeexec-dev
Architecture: source all
Version: 1.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Anthony Fok <foka@debian.org>
Description:
 golang-github-cli-safeexec-dev - safer version of exec.LookPath on Windows
Closes: 977872
Changes:
 golang-github-cli-safeexec (1.0.0-1) unstable; urgency=medium
 .
   * Initial release (Closes: #977872)
   * Mention lookpath_windows.go with BSD-3-clause-Go license
     in debian/copyright.
     Thanks to Thorsten Alteholz for catching my oversight

--- End Message ---
