
Re: CVE-2019-11627: Shell injection vulnerability in signing-party 1.1.10-3


Am 01.05.19 um 18:12 schrieb Guilhem Moulin:
> Dear LTS team,
> CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1):
>     Unsafe shell call enabling shell injection via a User ID.
> See also #928256.  gpg-key2ps(1) is a standalone CLI tool to generate a
> PostScript file with OpenPGP key fingerprint slips.  Note that the
> Security Team didn't issue a DSA [0], and suggested to instead fix that
> via stretch-pu.  Given there is no jessie-pu mechanism, perhaps it would
> make sense to issue a DLA?  (Is so, I would appreciate if a LTS team
> member could take care of the DLA part.)
> Debdiff against signing-party_1.1.10-3.dsc attached.  In the (tested)
> fix I replaced the use of iconv(1) with Perl's ‘Encode.pm’ instead;
> it's a core module so the package doesn't need any new dependency.
> (Note that the fix didn't make it to Stretch nor Buster yet.  That's
> respectively #928292 and #928291.)

Thank you very much. I didn't want to bother you and went ahead and
uploaded your patch only an hour ago. I will issue the DLA now.



Attachment: signature.asc
Description: OpenPGP digital signature
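Added example, not code from signing-party nor the debdiff discussed above: a Perl sketch of the bug class the CVE describes (an attacker-chosen User ID interpolated into a shell command line that runs iconv(1)) next to the in-process transcoding with the core Encode module that the fix switches to. The User ID strings, the function names and the harmless `id` payload are constructed for illustration.

```perl
#!/usr/bin/perl
# Illustration of the gpg-key2ps bug class and its fix approach. Not the
# package's actual code; names and sample data are made up for this example.
use strict;
use warnings;
use Encode qw(decode encode);

# Constructed sample User IDs. Anyone can create a key with any User ID, so
# the string is attacker-controlled. The first carries shell metacharacters;
# the second carries a real non-ASCII character to show transcoding works.
my $hostile_uid = 'Mallory <mallory@example.org>"; id; echo "';
my $utf8_uid    = "J\xc3\xbcrgen Beispiel <juergen\@example.org>";   # UTF-8 bytes for "ü"

# VULNERABLE pattern: the User ID is interpolated into a command line that
# /bin/sh parses. The embedded double quote ends the echo argument and the
# rest of the string runs as commands. Kept only to show the bug.
sub to_latin1_via_shell {
    my ($uid) = @_;
    my $out = `echo "$uid" | iconv -f UTF-8 -t ISO-8859-1`;
    chomp $out;
    return $out;
}

# FIXED pattern: transcode in-process. The string stays data throughout,
# no shell is involved and Encode ships with perl, so no new dependency.
sub to_latin1_in_process {
    my ($uid) = @_;
    my $chars = decode('UTF-8', $uid);      # bytes -> characters
    return encode('ISO-8859-1', $chars);    # characters -> Latin-1 bytes, '?' for unmappable
}

# The shell path leaks the output of the injected `id` command; the
# in-process path returns the User ID unchanged (all ASCII, nothing to map).
my $shell = to_latin1_via_shell($hostile_uid);
my $safe  = to_latin1_in_process($hostile_uid);

print "shell path:      ", ($shell =~ /^uid=\d+/m ? "injected command ran\n" : "ok\n");
print "in-process path: ", ($safe eq $hostile_uid ? "treated as data\n" : "unexpected change\n");
printf "transcoded:      %s\n", unpack("H*", to_latin1_in_process($utf8_uid));   # 4afc... (0xFC = ü)
```

If an external converter really were needed, the other safe route is the list form of `open`/`system` (`open my $fh, '-|', 'iconv', '-f', 'UTF-8', '-t', 'ISO-8859-1', ...` with the data written to its stdin), which passes arguments straight to execve without a shell; the in-process Encode route is simpler and is what the thread's fix uses.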
