
Re: gosa update for s-p-u (highly relevant for the Debian Edu blend)



Hi Cyril,

On Tue 03 Jul 2012 18:36:50 CEST Cyril Brulebois wrote:

> Mike Gabriel <mike.gabriel@das-netzwerkteam.de> (03/07/2012):
> > The next Debian Edu release 6.0.5+r1 depends on a security fix in
> > GOsa² (src:package gosa):
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665950
> >
> > A new squeeze compliant version of gosa (2.6.11-3+squeeze2) has now
> > been provided by the gosa maintainer.
>
> I see the squeeze source package has a series file, which doesn't get
> updated by this debdiff. Maybe I'm missing something obvious, but that
> makes me wonder whether you have actually tested the updated package.

Indeed, only the patch itself, but not the packages, has been tested. I apologize for that. This has now been fixed and I hope it is ok to ask again for permission to upload gosa 2.6.11-3+squeeze2 to s-p-u. The debdiff is attached inline below and also as a patch file.

Thanks for your time and apologies for the earlier inconvenience,
Mike

"""
diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog
--- gosa-2.6.11/debian/changelog        2012-02-06 13:43:11.000000000 +0100
+++ gosa-2.6.11/debian/changelog        2012-07-09 20:44:47.000000000 +0200
@@ -1,3 +1,9 @@
+gosa (2.6.11-3+squeeze2) stable; urgency=low
+
+  * Backport shellvar escaping code. Closes: #665950.
+
+ -- Cajus Pollmeier <cajus@debian.org>  Mon, 09 Jul 2012 20:44:30 +0200
+
 gosa (2.6.11-3+squeeze1) stable; urgency=low

   * Fix DHCP host removal. Closes: #650258
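Review bot: The new 2.6.11-3+squeeze2 entry says only "Backport shellvar escaping code" at urgency=low, which does not tell someone reading the stable changelog that this is the security fix the request refers to. Suggest naming the patch and what it touches, for example "Add 14_escape.patch: pass %userPassword and %dn through escapeshellarg() before running hook commands", and reconsidering the urgency if #665950 is being handled as a security bug.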
diff -Nru gosa-2.6.11/debian/patches/14_escape.patch gosa-2.6.11/debian/patches/14_escape.patch --- gosa-2.6.11/debian/patches/14_escape.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.6.11/debian/patches/14_escape.patch 2012-07-09 20:39:36.000000000 +0200
@@ -0,0 +1,15 @@
+Description: Allow passwords to contain special chars and still work with hook scripts
+Author: Fabian Hickert <hickert@gonicus.de>
+--- a/gosa-core/include/functions.inc
++++ b/gosa-core/include/functions.inc
+@@ -3066,8 +3066,8 @@
+
+       if ($command != ""){
+         /* Walk through attribute list */
+-        $command= preg_replace("/%userPassword/", $password, $command);
+-        $command= preg_replace("/%dn/", $dn, $command);
++ $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
++        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
+
+         if (check_command($command) || TRUE){
+ @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
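Review bot: In the two added preg_replace() lines the escapeshellarg() result is passed as the replacement string, where $n and \n sequences are still interpreted as backreferences; escapeshellarg() leaves both untouched inside its single quotes, so a password or DN containing something like $0 or \1 is altered before the command is run. A literal substitution such as str_replace("%userPassword", escapeshellarg($password), $command), and the same for %dn, avoids that. The unchanged context line "if (check_command($command) || TRUE){" also means the check_command() result never matters, which deserves a follow-up. The patch header carries Description and Author but no bug reference; a pointer to #665950 would make the backport easier to trace.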
diff -Nru gosa-2.6.11/debian/patches/series gosa-2.6.11/debian/patches/series
--- gosa-2.6.11/debian/patches/series   2012-01-30 13:42:10.000000000 +0100
+++ gosa-2.6.11/debian/patches/series   2012-07-03 19:25:03.000000000 +0200
@@ -11,3 +11,4 @@
 11_dep_filter_sub_xml.patch
 12_dhcphost-removal.patch
 13_transliterate_idgen.patch
+14_escape.patch
"""



--

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog
--- gosa-2.6.11/debian/changelog        2012-02-06 13:43:11.000000000 +0100
+++ gosa-2.6.11/debian/changelog        2012-07-09 20:44:47.000000000 +0200
@@ -1,3 +1,9 @@
+gosa (2.6.11-3+squeeze2) stable; urgency=low
+
+  * Backport shellvar escaping code. Closes: #665950.
+
+ -- Cajus Pollmeier <cajus@debian.org>  Mon, 09 Jul 2012 20:44:30 +0200
+
 gosa (2.6.11-3+squeeze1) stable; urgency=low
 
   * Fix DHCP host removal. Closes: #650258
diff -Nru gosa-2.6.11/debian/patches/14_escape.patch gosa-2.6.11/debian/patches/14_escape.patch
--- gosa-2.6.11/debian/patches/14_escape.patch  1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.6.11/debian/patches/14_escape.patch  2012-07-09 20:39:36.000000000 +0200
@@ -0,0 +1,15 @@
+Description: Allow passwords to contain special chars and still work with hook scripts
+Author: Fabian Hickert <hickert@gonicus.de>
+--- a/gosa-core/include/functions.inc
++++ b/gosa-core/include/functions.inc
+@@ -3066,8 +3066,8 @@
+ 
+       if ($command != ""){
+         /* Walk through attribute list */
+-        $command= preg_replace("/%userPassword/", $password, $command);
+-        $command= preg_replace("/%dn/", $dn, $command);
++        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
++        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
+ 
+         if (check_command($command) || TRUE){
+           @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
diff -Nru gosa-2.6.11/debian/patches/series gosa-2.6.11/debian/patches/series
--- gosa-2.6.11/debian/patches/series   2012-01-30 13:42:10.000000000 +0100
+++ gosa-2.6.11/debian/patches/series   2012-07-03 19:25:03.000000000 +0200
@@ -11,3 +11,4 @@
 11_dep_filter_sub_xml.patch
 12_dhcphost-removal.patch
 13_transliterate_idgen.patch
+14_escape.patch
