Hi,

On 01.05.19 at 18:12, Guilhem Moulin wrote:
> Dear LTS team,
>
> CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1):
>
> Unsafe shell call enabling shell injection via a User ID.
>
> See also #928256. gpg-key2ps(1) is a standalone CLI tool to generate a
> PostScript file with OpenPGP key fingerprint slips. Note that the
> Security Team didn't issue a DSA [0], and suggested to instead fix that
> via stretch-pu. Given there is no jessie-pu mechanism, perhaps it would
> make sense to issue a DLA? (If so, I would appreciate if a LTS team
> member could take care of the DLA part.)
>
> Debdiff against signing-party_1.1.10-3.dsc attached. In the (tested)
> fix I replaced the use of iconv(1) with Perl's ‘Encode.pm’ instead;
> it's a core module so the package doesn't need any new dependency.
>
> (Note that the fix didn't make it to Stretch nor Buster yet. That's
> respectively #928292 and #928291.)

Thank you very much. I didn't want to bother you and went ahead and
uploaded your patch only an hour ago. I will issue the DLA now.

Thanks
Markus
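As an added illustration of the two patterns the quoted message contrasts (this is example code written for this page, not the signing-party project's gpg-key2ps source or the attached debdiff): a shell pipeline to iconv(1) that interpolates the User ID into a command string, beside an in-process conversion with the core Encode module that never spawns a shell. It assumes, as the message implies, that iconv was used to convert UTF-8 User IDs to ISO-8859-1 for the PostScript output; the function names and the sample User IDs are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not signing-party's own code): shell-out to iconv(1)
# versus in-process conversion with Encode.pm for OpenPGP User IDs.
use strict;
use warnings;
use Encode qw(decode encode);

# Vulnerable pattern (shown for contrast, never called below): the UID
# is interpolated into a command string, so any shell metacharacters it
# contains are interpreted by /bin/sh rather than treated as data. A
# User ID is attacker-controlled input on any key fetched from a
# keyserver, so this is where CVE-2019-11627's injection lives.
sub uid_to_latin1_via_shell {
    my ($uid) = @_;
    my $out = `echo "$uid" | iconv -f UTF-8 -t ISO-8859-1`;  # unsafe
    chomp $out;
    return $out;
}

# Hardened pattern: convert in-process with the core Encode module.
# No subprocess exists, so the UID's content can only ever be data.
# Assumption: the target encoding for the PostScript output is Latin-1.
sub uid_to_latin1 {
    my ($uid_bytes) = @_;
    my $chars = decode('UTF-8', $uid_bytes);    # malformed bytes -> U+FFFD
    return encode('ISO-8859-1', $chars);        # unmappable chars -> '?'
}

# Constructed sample User IDs (not taken from any real key). The last
# one carries quoting and command-substitution characters that the
# shell-out variant would hand to /bin/sh.
my @uids = (
    "Alice Example <alice\@example.org>",
    "Zo\xc3\xab Example <zoe\@example.org>",       # U+00EB is in Latin-1
    "Euro \xe2\x82\xac Example <euro\@example.org>",  # U+20AC is not
    'Eve "; true; $(true) <eve@example.org>',      # shell metacharacters
);

for my $uid (@uids) {
    my $latin1 = uid_to_latin1($uid);
    # The fourth UID comes back byte-for-byte unchanged: quotes, ';' and
    # '$(...)' are just characters to Encode, nothing is executed.
    printf "%-48s -> %s\n", $uid, $latin1;
}
```

If a subprocess really were unavoidable, the list form of `system`/`open` (separate arguments, no command string) would at least keep the shell out of the picture, but for a pure character-set conversion the in-process route removes the attack surface entirely and, as the message notes, adds no dependency since Encode ships with Perl.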