
Bug#982951: marked as done (vorbis-tools has mailcap entries with quoted %-escapes)



Your message dated Thu, 09 Sep 2021 21:51:01 +0000
with message-id <E1mORwj-000BYu-NR@fasolo.debian.org>
and subject line Bug#982951: fixed in vorbis-tools 1.4.2-1
has caused the Debian Bug report #982951,
regarding vorbis-tools has mailcap entries with quoted %-escapes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
982951: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982951
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: vorbis-tools
Version: 1.4.0-11
Tags: patch, security

Dear Maintainer,
the vorbis-tools package has mailcap entries with quoted %-escapes. That is considered unsafe. Proper escaping should be left to the programs using the entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with certain mail user agents (or document openers) are the cause of a shell command injection vulnerability.

If you need more information let me know.

Thanks,
MNZ
diff --git a/debian/vorbis-tools.mime b/debian/vorbis-tools.mime
index 7f9bca8..1398ae9 100644
--- a/debian/vorbis-tools.mime
+++ b/debian/vorbis-tools.mime
@@ -1,5 +1,5 @@
 application/ogg; ogg123 %s; description="Ogg Vorbis multimedia format"; priority=5
 audio/ogg; ogg123 %s; description="Ogg Vorbis multimedia format"; priority=5
-application/ogg; ogginfo '%s'; copiousoutput; description="Ogg Vorbis multimedia format"; priority=1
-audio/ogg; ogginfo '%s'; copiousoutput; priority=1
-video/ogg; ogginfo '%s'; copiousoutput; priority=1
+application/ogg; ogginfo %s; copiousoutput; description="Ogg Vorbis multimedia format"; priority=1
+audio/ogg; ogginfo %s; copiousoutput; priority=1
+video/ogg; ogginfo %s; copiousoutput; priority=1
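Review bot: with the single quotes dropped, the three ogginfo entries now use a bare %s like the two ogg123 entries in the unchanged context above them, so the whole file follows one convention and escaping is left to the program that consumes the entry, as the report asks; before upload it is worth confirming that lintian no longer emits quoted-placeholder-in-mailcap-entry for the built package.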

--- End Message ---
--- Begin Message ---
Source: vorbis-tools
Source-Version: 1.4.2-1
Done: Petter Reinholdtsen <pere@debian.org>

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 982951@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Sep 2021 23:33:58 +0200
Source: vorbis-tools
Architecture: source
Version: 1.4.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Closes: 982951
Changes:
 vorbis-tools (1.4.2-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * Use debhelper-compat instead of debian/compat
   * Bump Standards-Version to 4.4.1
 .
   [ Dennis Braun ]
   * New upstream version 1.4.2
   * Refresh patchset
     - Drop patches, applied by upstream or just obsolete
   * d/control:
     + Bump dh-compat to 13
     + Add myself as uploader
     + Bump Standards-Version to 4.6.0
     + Set Rules-Requires-Root: no
   * Add bug and repository fields to d/upstream/metadata
   * Bump d/watch version to 4
 .
   [ Petter Reinholdtsen ]
   * Change mailcap entries with quoted %-escapes to unquoted entries
     (Closes: #982951).


--- End Message ---
