Your message dated Tue, 18 Aug 2009 23:07:53 -0700
with message-id <20090819060753.GT9480@rzlab.ucr.edu>
and subject line Re: Bug#542331: debbugs: Sends corrupt email messages
has caused the Debian Bug report #542331,
regarding debbugs: Sends corrupt email messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
542331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542331
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: debbugs: Sends corrupt email messages
- From: Ben Finney <ben@benfinney.id.au>
- Date: Wed, 19 Aug 2009 14:27:36 +1000
- Message-id: <20090819042736.GA22414@benfinney.id.au>
- Mail-followup-to: Ben Finney <ben@benfinney.id.au>, submit@bugs.debian.org
Package: debbugs

Howdy,

In response to Bug#542329 <URL:http://bugs.debian.org/542329>, the BTS
sent two messages to me (as the maintainer for the package against
which the bug is reported). Those messages are corrupted; their header
was missing some fields, including common ones like ‘To’, ‘From’, and
‘Date’.

I have attached an example of the corrupted message to this report.

When I request the report's mbox via ‘bts --mbox show 542329’, it too
is missing many fields on each message.

--
 \     “If you continue running Windows, your system may become |
  `\      unstable.” —Microsoft, Windows 95 bluescreen error message |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>

--- Begin Message ---
- Subject: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
- Reply-to: Philipp Weis <pweis@pweis.com>, 542329@bugs.debian.org
X-Loop owner@bugs.debian.org:
Resent-Date: Wed, 19 Aug 2009 03:45:02 +0000
Resent-Message-ID: <handler.542329.B.125065338117423@bugs.debian.org>
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 542329
X-Debian-PR-Package: burn
X-Debian-PR-Keywords: security
X-Debian-PR-Source: burn
Received: via spool by submit@bugs.debian.org id=B.125065338117423
 (code B ref -1); Wed, 19 Aug 2009 03:45:02 +0000
Received: (at submit) by bugs.debian.org; 19 Aug 2009 03:43:01 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02
 (2007-08-08) on rietz.debian.org
X-Spam-Level:
X-Spam-Bayes: score:0.0000 Tokens: new, 45; hammy, 150; neutral, 110; spammy, 1.
 spammytokens:0.995-1--quotation hammytokens:0.000-+--H*u:1.5.20,
 0.000-+--H*UA:1.5.20, 0.000-+--H*u:2009-06-14, 0.000-+--H*UA:2009-06-14,
 0.000-+--Severity
X-Spam-Status: No, score=-11.9 required=4.0 tests=BAYES_00,FOURLA,HAS_PACKAGE,
 MURPHY_DRUGS_REL8,UNPARSEABLE_RELAY,X_DEBBUGS_CC autolearn=ham
 version=3.2.3-bugs.debian.org_2005_01_02
Received: from arthur2.pweis.com ([87.106.5.233])
 by rietz.debian.org with esmtp (Exim 4.63)
 (envelope-from <pweis@pweis.com>)
 id 1Mdc4j-0004WL-8R
 for submit@bugs.debian.org; Wed, 19 Aug 2009 03:43:01 +0000
Received: from zaphod (authenticated)
 by s15342663.onlinehome-server.info with esmtps (Exim 4.63 #1 (Debian))
 id 1Mdc4h-0006IQ-7k
 for <submit@bugs.debian.org>; Wed, 19 Aug 2009 03:42:59 +0000
Received: from pweis by zaphod with local (Exim 4.69 #1 (Debian))
 id 1Mdc4f-00039s-00
 for <submit@bugs.debian.org>; Tue, 18 Aug 2009 23:42:57 -0400
Date: Tue, 18 Aug 2009 23:42:56 -0400
From: Philipp Weis <pweis@pweis.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20090819034256.GA12021@zaphod.pweis.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="fUYQa+Pmc3FrFX/N"
Content-Disposition: inline
X-Reportbug-Version: 4.6
User-Agent: Mutt/1.5.20 (2009-06-14)
Delivered-To: submit@bugs.debian.org

--fUYQa+Pmc3FrFX/N
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: burn
Version: 0.4.4-1
Severity: normal
Tags: security

Hey there,

I just discovered that burn has trouble with quotation marks in file
names, and on a closer inspection it seems as if this actually has
security implications. I attached a tiny patch that fixes three of the
quotation problems, but there seem to be more issues like this in the
code, and I don't have the time right now to look closely at all of
them.

For a demonstration of the problem, create a valid ogg file and name it

  " | date #".ogg

Then run burn -A -a *.ogg, and burn will happily print the current date.

Philipp

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages burn depends on:
ii  cdrdao           1:1.2.2-17    records CDs in Disk-At-Once (D=
AO)=20
ii  genisoimage      9:1.1.9-1     Creates ISO-9660 CD-ROM filesy=
stem
ii  mpg321           0.2.10.6      mpg123 clone that doesn't use =
floa
ii  python           2.5.4-2       An interactive high-level obje=
ct-o
ii  python-eyed3     0.6.17-1      Python module for id3-tags man=
ipul
ii  python-pyao      0.82-2.1      A Python interface to the Audi=
o Ou
ii  python-pymad     0.5.4-3.2+b1  Python wrapper to the MPEG Aud=
io D
ii  python-pyvorbis  1.4-2         Python interface to the Ogg Vo=
rbis
ii  python-support   1.0.3         automated rebuilding support f=
or P
ii  wodim            9:1.1.9-1     command line CD/DVD writing to=
ol

burn recommends no packages.

burn suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: checksum mismatch burn file /usr/share/pyshared/burnlib/burn.py

--=20
Philipp Weis

--fUYQa+Pmc3FrFX/N
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqLdMAACgkQzxf2HvbDMknPDgCgkBP0iGJzSmiYJIQgCiG4kHUN
YW0AnRee8Wcd2KmFcmpiapY5fmCzTRrH
=N8r8
-----END PGP SIGNATURE-----

--fUYQa+Pmc3FrFX/N--
--- End Message ---
Attachment: signature.asc
Description: Digital signature
--- End Message ---
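
The quoting failure described in the attached Bug#542329 report, as an added example that is not part of the original messages and is not burn's code: a file name spliced into a double-quoted shell string, next to the same name passed as one argv element. The function names and the `printf` stand-in command are assumptions, and `echo INJECTED` replaces the `date` of the report as a constructed marker.

```python
import shlex
import subprocess

# Constructed file name modelled on the one in the report; `echo INJECTED`
# stands in for `date` so the outcome is easy to check.
HOSTILE_NAME = '" | echo INJECTED #".ogg'


def run_quoted_string(filename: str) -> str:
    """Vulnerable pattern: wrap the name in double quotes and hand it to sh."""
    command = 'printf "%s" "' + filename + '"'
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def run_argv(filename: str) -> str:
    """Hardened pattern: no shell, the name is exactly one argv element."""
    done = subprocess.run(["printf", "%s", filename],
                          capture_output=True, text=True, check=True)
    return done.stdout


def run_shell_quoted(filename: str) -> str:
    """Where a shell cannot be avoided, quote with shlex.quote, not by hand."""
    command = "printf '%s' " + shlex.quote(filename)
    done = subprocess.run(command, shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    # The hand-quoted string lets the name close the quote and start a pipeline.
    print("quoted string:", repr(run_quoted_string(HOSTILE_NAME)))
    # Both hardened forms return the file name byte for byte.
    print("argv list    :", repr(run_argv(HOSTILE_NAME)))
    print("shlex.quote  :", repr(run_shell_quoted(HOSTILE_NAME)))
```

A name without shell metacharacters behaves identically in all three functions, which is why this class of bug survives ordinary testing.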
--- Begin Message ---
- To: 542331-done@bugs.debian.org
- Subject: Re: Bug#542331: debbugs: Sends corrupt email messages
- From: Don Armstrong <don@debian.org>
- Date: Tue, 18 Aug 2009 23:07:53 -0700
- Message-id: <20090819060753.GT9480@rzlab.ucr.edu>
- Mail-followup-to: 542331-done@bugs.debian.org
- In-reply-to: <OrXIZyGSafN.A.WtF.nY4iKB@liszt>
- References: <OrXIZyGSafN.A.WtF.nY4iKB@liszt>
On Tue, 18 Aug 2009, Ben Finney <ben@benfinney.id.au> wrote:
> In response to Bug#542329 <URL:http://bugs.debian.org/542329>, the BTS
> sent two messages to me (as the maintainer for the package against
> which the bug is reported). Those messages are corrupted; their header
> was missing some fields, including common ones like ‘To’,
> ‘From’, and ‘Date’.

This should be resolved; feel free to reopen if you see this issue
again.

Don Armstrong

--
Quite the contrary; they *love* collateral damage. If they can make
you miserable enough, maybe you'll stop using email entirely. Once
enough people do that, then there'll be no legitimate reason left for
anyone to run an SMTP server, and the spam problem will be solved.
 -- Craig Dickson in <20020909231134.GA18917@linux700.localnet>

http://www.donarmstrong.com              http://rzlab.ucr.edu
--- End Message ---
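
A check for the symptom reported in this bug, as an added example that is not part of the thread and is not debbugs code: it parses a message with Python's standard `email` package and reports required fields that ended up outside the header block. The sample messages are constructed from values visible in the attachment above, and it is an assumption that the line `X-Loop owner@bugs.debian.org:` was sent in that form.

```python
import email
from email import policy

REQUIRED = ("From", "To", "Date", "Message-ID")

# Constructed sample shaped like the attachment in this report: the third
# line has no colon after the field name, so it is not a header field.
BROKEN = (
    b"Subject: Bug#542329: burn: Quotation marks in filenames\n"
    b"Reply-To: Philipp Weis <pweis@pweis.com>, 542329@bugs.debian.org\n"
    b"X-Loop owner@bugs.debian.org:\n"
    b"Resent-Date: Wed, 19 Aug 2009 03:45:02 +0000\n"
    b"Date: Tue, 18 Aug 2009 23:42:56 -0400\n"
    b"From: Philipp Weis <pweis@pweis.com>\n"
    b"To: Debian Bug Tracking System <submit@bugs.debian.org>\n"
    b"Message-ID: <20090819034256.GA12021@zaphod.pweis.com>\n"
    b"\n"
    b"Package: burn\n"
)

# Same message with the field written as "name: value" (constructed).
GOOD = BROKEN.replace(b"X-Loop owner@bugs.debian.org:",
                      b"X-Loop: owner@bugs.debian.org")


def audit_headers(raw: bytes) -> dict:
    """Report required fields missing from the header block and parser defects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    payload = msg.get_payload()
    lines = payload.splitlines() if isinstance(payload, str) else []
    return {
        "missing": [name for name in REQUIRED if name not in msg],
        "defects": [type(d).__name__ for d in msg.defects],
        # First line the parser treated as body; shows where the header ended.
        "body_starts_with": lines[0] if lines else "",
    }


if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("good", GOOD)):
        print(label, audit_headers(raw))
```

Run over an mbox export, any message with a non-empty `missing` list or a `MissingHeaderBodySeparatorDefect` is a candidate for the corruption described here.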