Dear LTS team,
CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1):
Unsafe shell call enabling shell injection via a User ID.
See also #928256. gpg-key2ps(1) is a standalone CLI tool to generate a
PostScript file with OpenPGP key fingerprint slips. Note that the
Security Team didn't issue a DSA [0], and suggested to instead fix that
via stretch-pu. Given there is no jessie-pu mechanism, perhaps it would
make sense to issue a DLA? (Is so, I would appreciate if a LTS team
member could take care of the DLA part.)
Debdiff against signing-party_1.1.10-3.dsc attached. In the (tested)
fix I replaced the of use of iconv(1) with Perl's ‘Encode.pm’ instead;
it's a core module so the package doesn't need any new dependency.
(Note that the fix didn't make it to Stretch nor Buster yet. That's
respectively #928292 and #928291.)
Cheers,
--
Guilhem.
[0] https://security-tracker.debian.org/tracker/CVE-2019-11627
diff -Nru signing-party-1.1.10/debian/changelog signing-party-1.1.10/debian/changelog
--- signing-party-1.1.10/debian/changelog 2014-11-08 02:02:16.000000000 +0100
+++ signing-party-1.1.10/debian/changelog 2019-05-01 17:39:56.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (1.1.10-3+deb8u1) jessie-security; urgency=medium
+
+ * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell
+ injection via a User ID. Use Perl's (core) module Encode.pm instead of
+ shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 17:39:56 +0200
+
signing-party (1.1.10-3) unstable; urgency=medium
[ Guilhem Moulin ]
diff -Nru signing-party-1.1.10/debian/control signing-party-1.1.10/debian/control
--- signing-party-1.1.10/debian/control 2014-11-08 02:02:16.000000000 +0100
+++ signing-party-1.1.10/debian/control 2019-05-01 17:39:56.000000000 +0200
@@ -1,7 +1,7 @@
Source: signing-party
Section: misc
Priority: extra
-Maintainer: Guilhem Moulin <guilhem@guilhem.org>
+Maintainer: Guilhem Moulin <guilhem@debian.org>
Uploaders: Simon Richter <sjr@debian.org>,
Franck Joncourt <franck@debian.org>
Build-Depends: debhelper (>= 9), python, autoconf, automake1.11, autotools-dev
diff -Nru signing-party-1.1.10/debian/patches/CVE-2019-11627.diff signing-party-1.1.10/debian/patches/CVE-2019-11627.diff
--- signing-party-1.1.10/debian/patches/CVE-2019-11627.diff 1970-01-01 01:00:00.000000000 +0100
+++ signing-party-1.1.10/debian/patches/CVE-2019-11627.diff 2019-05-01 17:39:56.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 707 2014-09-05 09:34:32Z guilhem-guest $
+
+ use strict;
++use Encode ();
+ use Getopt::Long;
+
+ my $version = '$Rev: 707 $';
+@@ -266,7 +267,7 @@ while(<GPG>) {
+ }
+ # user ids
+ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++ $_ = Encode::encode("latin1", Encode::decode_utf8($_));
+ s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/;
+ # revoked user id
+ if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) {
diff -Nru signing-party-1.1.10/debian/patches/series signing-party-1.1.10/debian/patches/series
--- signing-party-1.1.10/debian/patches/series 2014-11-08 02:02:16.000000000 +0100
+++ signing-party-1.1.10/debian/patches/series 2019-05-01 17:39:02.000000000 +0200
@@ -1,2 +1,3 @@
gpgwrap_makefile.diff
bug767371.diff
+CVE-2019-11627.diff
Attachment:
signature.asc
Description: PGP signature