Dear LTS team, CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1): Unsafe shell call enabling shell injection via a User ID. See also #928256. gpg-key2ps(1) is a standalone CLI tool to generate a PostScript file with OpenPGP key fingerprint slips. Note that the Security Team didn't issue a DSA [0], and suggested to instead fix that via stretch-pu. Given there is no jessie-pu mechanism, perhaps it would make sense to issue a DLA? (Is so, I would appreciate if a LTS team member could take care of the DLA part.) Debdiff against signing-party_1.1.10-3.dsc attached. In the (tested) fix I replaced the of use of iconv(1) with Perl's ‘Encode.pm’ instead; it's a core module so the package doesn't need any new dependency. (Note that the fix didn't make it to Stretch nor Buster yet. That's respectively #928292 and #928291.) Cheers, -- Guilhem. [0] https://security-tracker.debian.org/tracker/CVE-2019-11627
diff -Nru signing-party-1.1.10/debian/changelog signing-party-1.1.10/debian/changelog --- signing-party-1.1.10/debian/changelog 2014-11-08 02:02:16.000000000 +0100 +++ signing-party-1.1.10/debian/changelog 2019-05-01 17:39:56.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (1.1.10-3+deb8u1) jessie-security; urgency=medium + + * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell + injection via a User ID. Use Perl's (core) module Encode.pm instead of + shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 17:39:56 +0200 + signing-party (1.1.10-3) unstable; urgency=medium [ Guilhem Moulin ] diff -Nru signing-party-1.1.10/debian/control signing-party-1.1.10/debian/control --- signing-party-1.1.10/debian/control 2014-11-08 02:02:16.000000000 +0100 +++ signing-party-1.1.10/debian/control 2019-05-01 17:39:56.000000000 +0200 @@ -1,7 +1,7 @@ Source: signing-party Section: misc Priority: extra -Maintainer: Guilhem Moulin <guilhem@guilhem.org> +Maintainer: Guilhem Moulin <guilhem@debian.org> Uploaders: Simon Richter <sjr@debian.org>, Franck Joncourt <franck@debian.org> Build-Depends: debhelper (>= 9), python, autoconf, automake1.11, autotools-dev diff -Nru signing-party-1.1.10/debian/patches/CVE-2019-11627.diff signing-party-1.1.10/debian/patches/CVE-2019-11627.diff --- signing-party-1.1.10/debian/patches/CVE-2019-11627.diff 1970-01-01 01:00:00.000000000 +0100 +++ signing-party-1.1.10/debian/patches/CVE-2019-11627.diff 2019-05-01 17:39:56.000000000 +0200 @@ -0,0 +1,27 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Tue, 30 Apr 2019 19:49:45 +0200 +Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering. + +--- + gpg-key2ps/gpg-key2ps | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/gpg-key2ps/gpg-key2ps ++++ b/gpg-key2ps/gpg-key2ps +@@ -10,6 +10,7 @@ + # $Id: gpg-key2ps 707 2014-09-05 09:34:32Z guilhem-guest $ + + use strict; ++use Encode (); + use Getopt::Long; + + my $version = '$Rev: 707 $'; +@@ -266,7 +267,7 @@ while(<GPG>) { + } + # user ids + s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; +- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; ++ $_ = Encode::encode("latin1", Encode::decode_utf8($_)); + s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; + # revoked user id + if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) { diff -Nru signing-party-1.1.10/debian/patches/series signing-party-1.1.10/debian/patches/series --- signing-party-1.1.10/debian/patches/series 2014-11-08 02:02:16.000000000 +0100 +++ signing-party-1.1.10/debian/patches/series 2019-05-01 17:39:02.000000000 +0200 @@ -1,2 +1,3 @@ gpgwrap_makefile.diff bug767371.diff +CVE-2019-11627.diff
Attachment:
signature.asc
Description: PGP signature