Your message dated Fri, 15 Feb 2019 20:55:13 +0000
with message-id <E1gukVt-0004Xs-DV@fasolo.debian.org>
and subject line Bug#922382: Removed package(s) from unstable
has caused the Debian Bug report #492715,
regarding doublequotes entered in input field summary do NOT get escaped, following * triggers shell filename expansion
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
492715: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492715
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: doublequotes entered in input field summary do NOT get escaped, following * triggers shell filename expansion
- From: Roland Eggner <roland.edv@eggner.at>
- Date: Mon, 28 Jul 2008 13:25:27 +0200
- Message-id: <200807281325.27688.roland.edv@eggner.at>
- Reply-to: "Roland Eggner" <roland.edv@eggner.at>
Package: reportbug-ng
Version: 0.2007.10.30
Severity: serious
Tags: security

--- Please enter the report below this line. ---

Can create a bugreport against itself, indeed :)

How to encounter this bug (do NOT repeat following steps on a production system unless you have read "conclusions" below and really know what you are doing - use a testing environment or wait until you have installed a reportbug-ng version with this bug fixed):
-------------------------------------------------------------------------
(1) In a running reportbug-ng instance hit Ctrl-N to create a new bugreport.
(2) In input field "summary" enter a string containing a doublequote and later a * character. My first "unintended trial" was
    crash on exit "glibc detected *** amarokapp: corrupted double-linked list: 0x0808ded0"

Observed result:
----------------
Kmail compose window pops up, with all file names in $PWD of reportbug-ng added to recipients list.

Conclusions:
------------
(A) Proper escaping of metacharacters in user input strings must ALWAYS be tested prior to releasing software.
(B) I am writing this report with my production system, therefore I surely will NOT try redirection characters added to string in step (2). Reporting the possible "surprises" is left to another user :)
(C) In /etc/bash.bashrc I have always a statement "set -C" (prohibit overwriting of existing files by redirections apart from ">|"). In /etc/profile (for noninteractive shells) unfortunately I had to remove it because it would break a lot of scripts in Debian packages.

This bug is perhaps related to:
-------------------------------
http://bugs.debian.org/474955

--- System information. ---
Architecture: i386
Kernel: Linux 2.6.23.12roland2

Debian Release: lenny/sid
  500 unstable      gd.tuwien.ac.at
  500 testing       security.debian.org
  500 testing       gd.tuwien.ac.at
  500 oldstable     gd.tuwien.ac.at
    1 experimental  gd.tuwien.ac.at

--- Package information. ---
Depends            (Version)  | Installed
=============================-+-===========
python                        | 2.5.2-1
python-central     (>= 0.5.8) | 0.6.7
python-qt3                    | 3.17.4-1
python-soappy                 | 0.12.0-2
xdg-utils                     | 1.0.1-2

--
Roland Eggner
--- End Message ---
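
Added example, not part of the original report and not reportbug-ng's own code: it reproduces the quoting failure described above by pasting the reporter's summary string between double quotes in a shell command line, then shows the same string passed through shlex.quote() and as an argument list with no shell. The stand-in mail launcher (a Python one-liner that dumps its argv), the recipient address and the two file names are constructed, and the assumption is that the summary reached the mail client via a shell command string.

```python
import json, os, shlex, subprocess, sys, tempfile

# Stand-in for the mail client launcher (assumption): prints its argv as JSON.
DUMP = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]
RECIPIENT = "submit@example.invalid"  # constructed address

def _run(cmd, cwd, shell):
    out = subprocess.run(cmd, shell=shell, cwd=cwd,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)

def argv_naive(summary, cwd):
    """User text pasted between double quotes in a shell string (the bug class)."""
    prefix = " ".join(shlex.quote(p) for p in DUMP)
    return _run(f'{prefix} --subject "{summary}" {RECIPIENT}', cwd, shell=True)

def argv_quoted(summary, cwd):
    """Still a shell string, but the user text goes through shlex.quote()."""
    prefix = " ".join(shlex.quote(p) for p in DUMP)
    return _run(f"{prefix} --subject {shlex.quote(summary)} {RECIPIENT}",
                cwd, shell=True)

def argv_list(summary, cwd):
    """No shell involved: every list element reaches the program unchanged."""
    return _run(DUMP + ["--subject", summary, RECIPIENT], cwd, shell=False)

def demo():
    # Summary string quoted in the report; its first '"' closes the wrapper quote,
    # which leaves the following *** unquoted and subject to filename expansion.
    summary = ('crash on exit "glibc detected *** amarokapp: '
               'corrupted double-linked list: 0x0808ded0"')
    with tempfile.TemporaryDirectory() as cwd:
        for name in ("notes.txt", "draft.eml"):  # constructed files in $PWD
            open(os.path.join(cwd, name), "w").close()
        return (summary, argv_naive(summary, cwd),
                argv_quoted(summary, cwd), argv_list(summary, cwd))

if __name__ == "__main__":
    summary, naive, quoted, as_list = demo()
    print("naive :", naive)    # subject split apart, file names injected as args
    print("quoted:", quoted)   # one intact subject argument
    print("list  :", as_list)  # one intact subject argument
```

In the naive form the file names from the working directory arrive as separate arguments after a truncated subject, which matches the observed recipients list; the other two forms deliver the summary as a single argument.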
--- Begin Message ---
- Cc: reportbug-ng@packages.debian.org
- Subject: Bug#922382: Removed package(s) from unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 15 Feb 2019 20:55:13 +0000
- Message-id: <E1gukVt-0004Xs-DV@fasolo.debian.org>
Version: 2.2+rm

Dear submitter,

as the package reportbug-ng has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/922382

The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---