
Review of ucf 3.0043+deb11u1



Hi -lts,

Sending this for a quick review for a bunch of reasons, not least of all
because this didn't get a CVE and thus has fewer eyeballs on it.

(https://bugs.debian.org/1089015 is the bug in question.)

  — Chris


diff --git debian/changelog debian/changelog
index 6bf4d90..44e5088 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,13 @@
+ucf (3.0043+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer by the Debian LTS team.
+  * Prevent a potential command-injection vulnerability by initialising a
+    variable that is passed, unfiltered, to the "eval" shell function.
+    (Closes: #1089015)
+  * Add a debian/salsa-ci.yml.
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 16 Jan 2025 16:53:58 +0000
+
 ucf (3.0043) unstable; urgency=high
 
   * The argument to dpkg-divert needs to be the actual file name, not the
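Review bot: the first bullet of the new changelog entry, "Non-maintainer by the Debian LTS team.", is missing the word "upload"; the usual wording is "Non-maintainer upload by the Debian LTS team." The second bullet could also name the variable (`saved`) and say where its uninitialised value comes from (the shell's existing environment), so a reader of the changelog can locate the fix without opening #1089015.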
diff --git debian/salsa-ci.yml debian/salsa-ci.yml
new file mode 100644
index 0000000..b2fd032
--- /dev/null
+++ debian/salsa-ci.yml
@@ -0,0 +1,2 @@
+include:
+  - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
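Review bot: the include pulls the LTS pipeline recipe from the moving `master` ref of salsa.debian.org/lts-team/pipeline rather than a tag or commit, so CI behaviour for this branch can change with no corresponding change in the package's own history. That is the team's standard recipe and fine to keep; just be aware that a future pipeline failure on bullseye may be a recipe change rather than a regression in ucf.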
diff --git ucf ucf
index 7efdf1c..ceb33f6 100755
--- ucf
+++ ucf
@@ -342,6 +342,7 @@ NEW_SUFFIX="ucf-new"
 OLD_SUFFIX="ucf-old"
 ERR_SUFFIX="merge-error"
 # save up the cmdline with proper quoting/escaping
+saved=
 for arg in "$@"; do
     saved="${saved:+$saved }'$(quote_single "$arg")'"
 done
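Review bot: `saved=` does close the reported hole, but a one-line comment above it stating why (the string is later passed to eval, so any value `saved` already holds, for example from the environment, would be executed) would stop a future cleanup from removing an apparently redundant assignment. It is also worth grepping the rest of ucf for other variables accumulated with the same `${x:+$x ...}` idiom and never initialised, since that idiom silently builds on whatever the variable already contains; this hunk covers only `saved`.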



-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
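The pattern the ucf hunk above fixes, as an added example that is not ucf's code and not part of the original post: a stand-in script that rebuilds a single-quoted command line with the same `${saved:+$saved }'...'` idiom, consumes it with eval, and shows that a value `saved` already holds is executed as commands before the fix and discarded after it. The `quote_single` helper, the eval consumer, the `run_with_env` harness and the `PAYLOAD` value are all assumed here for illustration; ucf's own `quote_single` and its later use of `$saved` are not reproduced.

```shell
#!/bin/sh
# Added example (not ucf's code): a minimal stand-in for the pattern fixed in
# the ucf hunk above. quote_single, the eval consumer and the payload are
# assumed for illustration; ucf's own implementation is not reproduced.

# Escape each embedded ' as '\'' so the result can be wrapped in single quotes.
quote_single() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Before the fix: 'saved' is never initialised, so whatever the shell already
# holds under that name (an exported environment variable, for instance)
# becomes the first "argument" of the rebuilt command line.
build_cmdline_vulnerable() {
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s' "$saved"
}

# After the fix: the single added line 'saved=' discards any inherited value.
build_cmdline_fixed() {
    saved=
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    printf '%s' "$saved"
}

# Constructed attacker-controlled value for 'saved'. Once eval'd it runs an
# extra command: here a harmless assignment we can observe, not a real payload.
PAYLOAD="'-'; injected=yes; :"

# Run a builder with 'saved' already holding PAYLOAD (as an exported variable
# would), then consume the result with eval the way the script later does.
# Prints "<injected?> <argument count after eval>".
run_with_env() {
    builder=$1; shift
    (
        saved=$PAYLOAD
        injected=no
        cmdline=$("$builder" "$@")
        eval "set -- $cmdline"
        printf '%s %s\n' "$injected" "$#"
    )
}

run_with_env build_cmdline_vulnerable a b   # prints: yes 1
run_with_env build_cmdline_fixed a b        # prints: no 2
```

The two builders differ only in the `saved=` line. With the payload in place, the vulnerable builder hands eval a string that begins with the attacker's commands, so `injected` flips to `yes` and the real arguments `a b` are swallowed by the trailing no-op; the fixed builder produces exactly `'a' 'b'`, and an argument such as `it's` survives the quote-and-eval round trip intact.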



