Hi Cyril,

On Tue 03 Jul 2012 18:36:50 CEST Cyril Brulebois wrote:
Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (03/07/2012):
The next Debian Edu release 6.0.5+r1 depends on a security fix in GOsa² (src:package gosa): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665950 A new squeeze compliant version of gosa (2.6.11-3+squeeze2) has now been provided by the gosa maintainer.
I see the squeeze source package has a series file, which doesn't get updated by this debdiff. Maybe I'm missing something obvious, but that makes me wonder whether you have actually tested the updated package.
Indeed, only the patch itself, but not the packages, had been tested. I apologize for that. This has now been fixed and I hope it is OK to ask again for allowance to upload gosa 2.6.11-3+squeeze2 to s-p-u. The debdiff is attached inline below and also as a patch file.
Thanks for your time and apology for the inconvenience before, Mike """ diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog --- gosa-2.6.11/debian/changelog 2012-02-06 13:43:11.000000000 +0100 +++ gosa-2.6.11/debian/changelog 2012-07-09 20:44:47.000000000 +0200 @@ -1,3 +1,9 @@ +gosa (2.6.11-3+squeeze2) stable; urgency=low + + * Backport shellvar escaping code. Closes: #665950. + + -- Cajus Pollmeier <cajus@debian.org> Mon, 09 Jul 2012 20:44:30 +0200 + gosa (2.6.11-3+squeeze1) stable; urgency=low * Fix DHCP host removal. Closes: #650258diff -Nru gosa-2.6.11/debian/patches/14_escape.patch gosa-2.6.11/debian/patches/14_escape.patch --- gosa-2.6.11/debian/patches/14_escape.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.6.11/debian/patches/14_escape.patch 2012-07-09 20:39:36.000000000 +0200
@@ -0,0 +1,15 @@+Description: Allow passwords to contain special chars and still work with hook scripts
+Author: Fabian Hickert <hickert@gonicus.de> +--- a/gosa-core/include/functions.inc ++++ b/gosa-core/include/functions.inc +@@ -3066,8 +3066,8 @@ + + if ($command != ""){ + /* Walk through attribute list */ +- $command= preg_replace("/%userPassword/", $password, $command); +- $command= preg_replace("/%dn/", $dn, $command);++ $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
++ $command= preg_replace("/%dn/", escapeshellarg($dn), $command); + + if (check_command($command) || TRUE){+ @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
diff -Nru gosa-2.6.11/debian/patches/series gosa-2.6.11/debian/patches/series --- gosa-2.6.11/debian/patches/series 2012-01-30 13:42:10.000000000 +0100 +++ gosa-2.6.11/debian/patches/series 2012-07-03 19:25:03.000000000 +0200 @@ -11,3 +11,4 @@ 11_dep_filter_sub_xml.patch 12_dhcphost-removal.patch 13_transliterate_idgen.patch +14_escape.patch """ -- DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148 GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
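Review bot: the debian/changelog hunk describes the change as a backport of upstream's shellvar escaping code, but the 14_escape.patch header added in the next hunk carries only `Description:` and `Author:` lines, so nothing inside the package records where the code was backported from or which bug it closes. Add DEP-3 `Origin:` (pointing at the upstream commit, which is not given in this mail) and `Bug-Debian: http://bugs.debian.org/665950` headers to the patch so the provenance of a security fix in stable can be verified without consulting the mailing list.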
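Review bot: in the 14_escape.patch hunk, `escapeshellarg()` fixes the shell quoting, but `$password` and `$dn` are still passed to `preg_replace()` as its replacement argument, where `$1`-style and `\1`-style sequences are interpreted as backreferences and backslash escapes are processed, so a password containing such characters still reaches the hook script altered. Since both patterns are literal strings, `str_replace("%userPassword", escapeshellarg($password), $command)` (and the same for `%dn`) substitutes the value verbatim and is the safer call here. Note also that `escapeshellarg()` supplies its own surrounding single quotes, so any hook command template that already wraps `%userPassword` or `%dn` in quotes will now produce a doubly quoted argument and must be adjusted. The unchanged context line `if (check_command($command) || TRUE){` shows that the result of `check_command()` is ignored; that is pre-existing and outside this fix, but worth a separate follow-up bug.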