Bug#905308: elpa-debian-el: deb-view.el shell of bad filename

To: submit@bugs.debian.org
Subject: Bug#905308: elpa-debian-el: deb-view.el shell of bad filename
From: Kevin Ryde <user42_kevin@yahoo.com.au>
Date: Fri, 03 Aug 2018 10:26:31 +1000
Message-id: <[🔎] 87y3docn2g.fsf@blah.blah>
Reply-to: Kevin Ryde <user42_kevin@yahoo.com.au>, 905308@bugs.debian.org

Package: elpa-debian-el
Version: 37.5
File: /usr/share/emacs/site-lisp/elpa-src/debian-el-37/deb-view.el

In deb-view-process, the filename is not quoted when passed to the shell
in a few places, so it executes shell code on visiting a bad filename.

    cd /tmp
    touch ';echo hello >xyz;.deb'
    emacs -q
    M-: (add-to-list 'auto-mode-alist '("\.deb\\'" . deb-view-mode))
    C-x C-f ;echo hello >xyz;.deb
    =>
    creates file /tmp/xyz

A bad filename should be unlikely, but in the interests of avoiding
accidents or malice it'd be good to be safe.  It looks like all
remaining "(call-process shell-file-name ...)" can be call-process
alone, no shell.


-- System Information:
Debian Release: buster/sid
Architecture: i386 (i686)

Kernel: Linux 4.4.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_AU.iso88591, LC_CTYPE=en_AU.iso88591 (charmap=ISO-8859-1), LANGUAGE=en_AU:en_GB:en (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages elpa-debian-el depends on:
ii  bzip2           1.0.6-8.1
ii  dpkg            1.19.0.5+b1
ii  emacsen-common  2.0.8
ii  reportbug       7.5.0
ii  xz-utils        5.2.2-1.3

Reply to:

Prev by Date: Bug#905235: emacs-goodies-el failed to install due to old broken symlinks
Next by Date: Bug#905235: emacs-goodies-el failed to install due to old broken symlinks
Previous by thread: git-timemachine_4.5-2_amd64.changes ACCEPTED into unstable
Next by thread: emacs-jedi_0.2.7-1_amd64.changes ACCEPTED into unstable, unstable
Index(es):
- Date
- Thread