Review of ucf 3.0043+deb11u1
Hi -lts,
Sending this for a quick review for a bunch of reasons, not least of all
because this didn't get a CVE and thus has fewer eyeballs on it.
(https://bugs.debian.org/1089015 is the bug in question.)
— Chris
diff --git debian/changelog debian/changelog
index 6bf4d90..44e5088 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,13 @@
+ucf (3.0043+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer by the Debian LTS team.
+ * Prevent a potential command-injection vulnerability by initialising a
+ variable that is passed, unfiltered, to the "eval" shell function.
+ (Closes: #1089015)
+ * Add a debian/salsa-ci.yml.
+
+ -- Chris Lamb <lamby@debian.org> Thu, 16 Jan 2025 16:53:58 +0000
+
ucf (3.0043) unstable; urgency=high
* The argument to dpkg-divert needs to be the actual file name, not the
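Review bot: the bullet on the `+ * Non-maintainer by the Debian LTS team.` line is missing a word; the conventional wording is `* Non-maintainer upload by the Debian LTS team.` Otherwise the entry matches the mail: distribution `bullseye-security`, `urgency=high`, and `(Closes: #1089015)` all agree with the bug referenced above.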
diff --git debian/salsa-ci.yml debian/salsa-ci.yml
new file mode 100644
index 0000000..b2fd032
--- /dev/null
+++ debian/salsa-ci.yml
@@ -0,0 +1,2 @@
+include:
+ - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
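Review bot: the `debian/salsa-ci.yml` addition is unrelated to the security fix; consider keeping it as a separate commit so that the change to `ucf` itself stays minimal and easy to audit, although shipping both in one upload is harmless.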
diff --git ucf ucf
index 7efdf1c..ceb33f6 100755
--- ucf
+++ ucf
@@ -342,6 +342,7 @@ NEW_SUFFIX="ucf-new"
OLD_SUFFIX="ucf-old"
ERR_SUFFIX="merge-error"
# save up the cmdline with proper quoting/escaping
+saved=
for arg in "$@"; do
saved="${saved:+$saved }'$(quote_single "$arg")'"
done
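Review bot: the new `saved=` line has no comment explaining why it is there; because the following `saved="${saved:+$saved }'$(quote_single "$arg")'"` silently appends to whatever value `saved` already holds, a one-line comment stating that `saved` must be reset so a value inherited from the environment cannot reach the later `eval` would help future readers understand the fix. It would also be worth checking whether any other variable that is accumulated before being passed to `eval` in this script starts out uninitialised in the same way.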
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-