
Bug#542331: marked as done (debbugs: Sends corrupt email messages)



Your message dated Tue, 18 Aug 2009 23:07:53 -0700
with message-id <20090819060753.GT9480@rzlab.ucr.edu>
and subject line Re: Bug#542331: debbugs: Sends corrupt email messages
has caused the Debian Bug report #542331,
regarding debbugs: Sends corrupt email messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
542331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542331
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debbugs

Howdy,

In response to Bug#542329 <URL:http://bugs.debian.org/542329>, the BTS
sent two messages to me (as the maintainer for the package against
which the bug is reported). Those messages are corrupted; their header
was missing some fields, including common ones like ‘To’, ‘From’, and
‘Date’.

I have attached an example of the corrupted message to this report.

When I request the report's mbox via ‘bts --mbox show 542329’, it too
is missing many fields on each message.

-- 
 \            “If you continue running Windows, your system may become |
  `\        unstable.” —Microsoft, Windows 95 bluescreen error message |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
--- Begin Message ---
X-Loop
owner@bugs.debian.org: Resent-Date: Wed, 19 Aug 2009 03:45:02 +0000
Resent-Message-ID: <handler.542329.B.125065338117423@bugs.debian.org>
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 542329
X-Debian-PR-Package: burn
X-Debian-PR-Keywords: security
X-Debian-PR-Source: burn
Received: via spool by submit@bugs.debian.org id=B.125065338117423
          (code B ref -1); Wed, 19 Aug 2009 03:45:02 +0000
Received: (at submit) by bugs.debian.org; 19 Aug 2009 03:43:01 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02
	(2007-08-08) on rietz.debian.org
X-Spam-Level: 
X-Spam-Bayes: score:0.0000 Tokens: new, 45; hammy, 150; neutral, 110; spammy,
	1. spammytokens:0.995-1--quotation hammytokens:0.000-+--H*u:1.5.20,
	0.000-+--H*UA:1.5.20, 0.000-+--H*u:2009-06-14, 0.000-+--H*UA:2009-06-14,
	0.000-+--Severity
X-Spam-Status: No, score=-11.9 required=4.0 tests=BAYES_00,FOURLA,HAS_PACKAGE,
	MURPHY_DRUGS_REL8,UNPARSEABLE_RELAY,X_DEBBUGS_CC autolearn=ham
	version=3.2.3-bugs.debian.org_2005_01_02
Received: from arthur2.pweis.com ([87.106.5.233])
	by rietz.debian.org with esmtp (Exim 4.63)
	(envelope-from <pweis@pweis.com>)
	id 1Mdc4j-0004WL-8R
	for submit@bugs.debian.org; Wed, 19 Aug 2009 03:43:01 +0000
Received: from zaphod (authenticated)
	by s15342663.onlinehome-server.info with esmtps (Exim 4.63 #1 (Debian))
	id 1Mdc4h-0006IQ-7k
	for <submit@bugs.debian.org>; Wed, 19 Aug 2009 03:42:59 +0000
Received: from pweis by zaphod with local (Exim 4.69 #1 (Debian))
	id 1Mdc4f-00039s-00
	for <submit@bugs.debian.org>; Tue, 18 Aug 2009 23:42:57 -0400
Date: Tue, 18 Aug 2009 23:42:56 -0400
From: Philipp Weis <pweis@pweis.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20090819034256.GA12021@zaphod.pweis.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="fUYQa+Pmc3FrFX/N"
Content-Disposition: inline
X-Reportbug-Version: 4.6
User-Agent: Mutt/1.5.20 (2009-06-14)
Delivered-To: submit@bugs.debian.org


--fUYQa+Pmc3FrFX/N
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: burn
Version: 0.4.4-1
Severity: normal
Tags: security

Hey there,

I just discovered that burn has trouble with quotation marks in file
names, and on a closer inspection it seems as if this actually has
security implications. I attached a tiny patch that fixes three of the
quotation problems, but there seem to be more issues like this in the
code, and I don't have the time right now to look closely at all of
them.

For a demonstration of the problem, create a valid ogg file and name
it

  " | date #".ogg

Then run burn -A -a *.ogg, and burn will happily print the current
date.

Philipp


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages burn depends on:
ii  cdrdao                      1:1.2.2-17   records CDs in Disk-At-Once (D=
AO)=20
ii  genisoimage                 9:1.1.9-1    Creates ISO-9660 CD-ROM filesy=
stem
ii  mpg321                      0.2.10.6     mpg123 clone that doesn't use =
floa
ii  python                      2.5.4-2      An interactive high-level obje=
ct-o
ii  python-eyed3                0.6.17-1     Python module for id3-tags man=
ipul
ii  python-pyao                 0.82-2.1     A Python interface to the Audi=
o Ou
ii  python-pymad                0.5.4-3.2+b1 Python wrapper to the MPEG Aud=
io D
ii  python-pyvorbis             1.4-2        Python interface to the Ogg Vo=
rbis
ii  python-support              1.0.3        automated rebuilding support f=
or P
ii  wodim                       9:1.1.9-1    command line CD/DVD writing to=
ol

burn recommends no packages.

burn suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: checksum mismatch burn file /usr/share/pyshared/burnlib/burn.py

--=20
Philipp Weis

--fUYQa+Pmc3FrFX/N
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqLdMAACgkQzxf2HvbDMknPDgCgkBP0iGJzSmiYJIQgCiG4kHUN
YW0AnRee8Wcd2KmFcmpiapY5fmCzTRrH
=N8r8
-----END PGP SIGNATURE-----

--fUYQa+Pmc3FrFX/N--



--- End Message ---

Attachment: signature.asc
Description: Digital signature


--- End Message ---
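
The quoting failure described in the forwarded burn report (Bug#542329), shown as an added example that is not part of the original messages and is not burn's own code. The helper name `oggtool` and all function names are hypothetical; only the file name comes from the report.

```python
import shlex
import subprocess
import sys

# File name taken from the report above.
FILENAME = '" | date #".ogg'
TOOL = "oggtool"  # hypothetical helper program; burn's real commands are not shown on this page


def naive_command(path):
    """Assumed 'before' pattern: the name is wrapped in double quotes inside a shell string."""
    return '%s "%s"' % (TOOL, path)


def quoted_command(path):
    """Shell string with the name escaped by shlex.quote, for when a shell is unavoidable."""
    return "%s %s" % (TOOL, shlex.quote(path))


def shell_words(command):
    """Split a command the way a POSIX shell tokenises it, without running it.

    shlex models quoting, comments and operators such as '|', but not $(...) or
    backtick expansion, so this illustrates the report's case and is not a safety check.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def argv_roundtrip(path):
    """Preferred fix: pass an argument list (no shell) and echo what the child received."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", path]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(shell_words(naive_command(FILENAME)))   # name splits into an empty arg, a pipe and a command
    print(shell_words(quoted_command(FILENAME)))  # name stays one argument
    print(argv_roundtrip(FILENAME) == FILENAME)   # child sees the exact file name
```
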
--- Begin Message ---
On Tue, 18 Aug 2009, Ben Finney <ben@benfinney.id.au> wrote:
> In response to Bug#542329 <URL:http://bugs.debian.org/542329>, the BTS
> sent two messages to me (as the maintainer for the package against
> which the bug is reported). Those messages are corrupted; their header
> was missing some fields, including common ones like ‘To’, ‘From’, and
> ‘Date’.

This should be resolved; feel free to reopen if you see this issue again.


Don Armstrong

-- 
Quite the contrary; they *love* collateral damage. If they can make
you miserable enough, maybe you'll stop using email entirely. Once
enough people do that, then there'll be no legitimate reason left for
anyone to run an SMTP server, and the spam problem will be solved.
 -- Craig Dickson in <20020909231134.GA18917@linux700.localnet>

http://www.donarmstrong.com              http://rzlab.ucr.edu


--- End Message ---
