
Bug#492715: marked as done (doublequotes entered in input field summary do NOT get escaped, following * triggers shell filename expansion)



Your message dated Fri, 15 Feb 2019 20:55:13 +0000
with message-id <E1gukVt-0004Xs-DV@fasolo.debian.org>
and subject line Bug#922382: Removed package(s) from unstable
has caused the Debian Bug report #492715,
regarding doublequotes entered in input field summary do NOT get escaped, following * triggers shell filename expansion
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
492715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: reportbug-ng
Version: 0.2007.10.30
Severity: serious
Tags: security

--- Please enter the report below this line. ---

Can create a bugreport against itself, indeed :)


How to encounter this bug
(do NOT repeat following steps on a production system unless you have read
"conclusions" below and really know what you are doing - use a testing
environment or wait until you have installed a reportbug-ng version with
this bug fixed):
-------------------------------------------------------------------------
(1)  In a running reportbug-ng instance hit Ctrl-N to create a new bugreport.
(2)  In input field "summary" enter a string containing a doublequote and
later a * character.  My first "unintended trial" was
crash on exit "glibc detected *** amarokapp: corrupted double-linked list: 0x0808ded0"


Observed result:
----------------
KMail compose window pops up, with all file names in $PWD of reportbug-ng
added to recipients list.


Conclusions:
------------
(A)  Proper escaping of metacharacters in user input strings must ALWAYS be
tested prior to releasing software.
(B)  I am writing this report with my production system, therefore I surely
will NOT try redirection characters added to string in step (2).  Reporting
the possible "surprises" is left to another user :)
(C)  In /etc/bash.bashrc I always have a statement "set -C" (prohibit
overwriting of existing files by redirections apart from ">|").
In /etc/profile (for noninteractive shells) unfortunately I had to remove it
because it would break a lot of scripts in Debian packages.


This bug is perhaps related to:
-------------------------------
http://bugs.debian.org/474955


--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.23.12roland2

Debian Release: lenny/sid
  500 unstable        gd.tuwien.ac.at 
  500 testing         security.debian.org 
  500 testing         gd.tuwien.ac.at 
  500 oldstable       gd.tuwien.ac.at 
    1 experimental    gd.tuwien.ac.at 

--- Package information. ---
Depends             (Version) | Installed
=============================-+-===========
python                        | 2.5.2-1
python-central     (>= 0.5.8) | 0.6.7
python-qt3                    | 3.17.4-1
python-soappy                 | 0.12.0-2
xdg-utils                     | 1.0.1-2


-- 
Roland Eggner




--- End Message ---
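The failure mode described in the report above, reproduced as a small added Python example (this is not reportbug-ng's code). The mail client is replaced by a hypothetical printf stand-in that echoes every argv element it receives on its own line, the summary string is the one from step (2) of the report, and the file names "addr1", "addr2", "addr3" in the scratch directory are constructed. The vulnerable function pastes user text into a shell command inside doublequotes; the two hardened variants pass an argv list with no shell, or quote the value with shlex.quote() when a shell string is unavoidable.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed input: the summary from the report, a doublequote followed by '*'.
SUMMARY = ('crash on exit "glibc detected *** amarokapp: '
           'corrupted double-linked list: 0x0808ded0"')


def make_workdir():
    """Create a scratch directory holding a few constructed file names,
    standing in for the $PWD of the running application."""
    workdir = tempfile.mkdtemp(prefix="rbng-demo-")
    for name in ("addr1", "addr2", "addr3"):
        open(os.path.join(workdir, name), "w").close()
    return workdir


def run_vulnerable(summary, workdir):
    """The unsafe pattern: user text pasted into a shell command string and
    'protected' only by surrounding doublequotes.  'printf' is a hypothetical
    stand-in for the mail client; the list returned is the argv it received.
    The embedded doublequote closes the quoting early, so the rest of the
    summary is word-split and '***' is expanded against the files in cwd."""
    cmd = 'printf "%s\\n" --subject "' + summary + '"'
    out = subprocess.run(cmd, shell=True, cwd=workdir,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_hardened(summary, workdir):
    """The fix: pass an argv list and no shell, so there is no quote parsing,
    no word splitting and no filename expansion at all."""
    out = subprocess.run(["printf", "%s\n", "--subject", summary], cwd=workdir,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_shlex_quoted(summary, workdir):
    """If a shell string is unavoidable, shlex.quote() wraps the value so that
    quotes, '*', redirections and ';' all reach the client as plain text."""
    cmd = 'printf "%s\\n" --subject ' + shlex.quote(summary)
    out = subprocess.run(cmd, shell=True, cwd=workdir,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    wd = make_workdir()
    print("vulnerable :", run_vulnerable(SUMMARY, wd))
    print("hardened   :", run_hardened(SUMMARY, wd))
    print("shlex.quote:", run_shlex_quoted(SUMMARY, wd))
```

Run as a script, the vulnerable variant shows "addr1", "addr2" and "addr3" arriving as separate arguments, which is exactly how every file in $PWD ended up in the recipients list; both hardened variants deliver the summary as a single argument, including its doublequotes and asterisks, and would do the same for the redirection characters the report declines to try.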
--- Begin Message ---
Version: 2.2+rm

Dear submitter,

as the package reportbug-ng has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/922382

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
