
Bug#904087: marked as done (emacspeak-ss postrm: potentially unsafe shell code)



Your message dated Sun, 04 Nov 2018 00:18:56 +0000
with message-id <E1gJ680-00049o-Ns@fasolo.debian.org>
and subject line Bug#904087: fixed in emacspeak-ss 1.12.1-8
has caused the Debian Bug report #904087,
regarding emacspeak-ss postrm: potentially unsafe shell code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
904087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904087
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: emacspeak-ss
Version: 1.12.1-7
Severity: minor
User: treinen@debian.org
Usertags: colis-shparser

Hi,

the prerm script of emacspeak-ss contains a perl script as a
here document (which in reality is read by perl -x) like this:

perl -x $0        # execute this file as a perl program
true <<EOF        # bash discards everything from here to EOF
[some perl code]
__END__
EOF

Written this way, the here document is expanded by the shell. The result
of this expansion is sent to the true command, and the perl interpreter
sees the original unexpanded perl script. The potential problem is that
shell expansion may have side effects through subshell expansion and
parameter expansion with assignments, so this seems unsafe.

We suggest replacing the second line of the above snippet by

true <<'EOF'

since the quote character in the delimiter tells the shell not to
expand the here document.

-Yann and Ralf.
-- 
Ralf Treinen
Institut de Recherche en Informatique Fondamentale
Équipe Preuves, Programmes et Systèmes
Université Paris Diderot, Paris, France.
http://www.irif.fr/~treinen/

--- End Message ---
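To make the side effects described in the report concrete, here is an added example (not code from the bug report or from the emacspeak-ss package): the same "perl" text is fed to `true` through a here-document, once with the unquoted delimiter and once with the quoted one, and each function reports whether the shell ran the embedded command substitution and performed the `${VAR:=...}` assignment. The `perl -x $0` half of the pattern is left out because it does not change what the shell does with the body; `SCRATCH_VAR` and the marker file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or the emacspeak-ss prerm.
# The here-document body is what perl would later read via perl -x;
# the shell only has to skip over it, but an unquoted delimiter makes
# it expand the body first.

# Unquoted delimiter: command substitution and parameter expansion
# (including ${VAR:=default} assignment) run in the calling shell.
# Returns 0 when both side effects are observed, 1 otherwise.
heredoc_unquoted() {
    dir=$(mktemp -d) || return 2
    unset SCRATCH_VAR
    true <<EOF
print "hello from perl\n";
# ${SCRATCH_VAR:=assigned-by-the-shell}
# $(touch "$dir/ran")
__END__
EOF
    if [ -e "$dir/ran" ]; then ran=0; else ran=1; fi
    rm -rf "$dir"
    if [ "$ran" -eq 0 ] && [ "${SCRATCH_VAR-}" = "assigned-by-the-shell" ]; then
        return 0
    fi
    return 1
}

# Quoted delimiter ('EOF'): the body reaches `true` verbatim, so the
# substitution does not run and SCRATCH_VAR stays unset.
heredoc_quoted() {
    dir=$(mktemp -d) || return 2
    unset SCRATCH_VAR
    true <<'EOF'
print "hello from perl\n";
# ${SCRATCH_VAR:=assigned-by-the-shell}
# $(touch "$dir/ran")
__END__
EOF
    if [ -e "$dir/ran" ]; then ran=0; else ran=1; fi
    rm -rf "$dir"
    if [ "$ran" -eq 0 ] && [ "${SCRATCH_VAR-}" = "assigned-by-the-shell" ]; then
        return 0
    fi
    return 1
}
```

Running both under dash or bash shows the marker file and the variable appear only in the unquoted case, which is exactly why the fix quotes the delimiter.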
--- Begin Message ---
Source: emacspeak-ss
Source-Version: 1.12.1-8

We believe that the bug you reported is fixed in the latest version of
emacspeak-ss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthibault@debian.org> (supplier of updated emacspeak-ss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 04 Nov 2018 01:05:47 +0100
Source: emacspeak-ss
Binary: emacspeak-ss
Architecture: source
Version: 1.12.1-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Accessibility Team <pkg-a11y-devel@lists.alioth.debian.org>
Changed-By: Samuel Thibault <sthibault@debian.org>
Description:
 emacspeak-ss - Emacspeak speech servers for several synthesizers
Closes: 904087
Changes:
 emacspeak-ss (1.12.1-8) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * Team upload.
   * Bump Standards-Version to 4.2.0 (no changes).
   * control: Set Maintainer mail to alioth mailing list.
 .
   [ Ralf Treinen ]
   * debian/prerm: Avoid shell expansions (Closes: Bug#904087)


--- End Message ---
