
Bug#1053098: marked as done (unadf 0.7.11a-5 calls system() with unsanitized input)



Your message dated Wed, 22 Nov 2023 22:52:02 +0000
with message-id <E1r5w4g-003xzk-JV@fasolo.debian.org>
and subject line Bug#838248: fixed in unadf 0.7.11a-6
has caused the Debian Bug report #838248,
regarding unadf 0.7.11a-5 calls system() with unsanitized input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838248
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: unadf
Version: 0.7.11a-5
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Dear Maintainer,

See upstream ADFLib commit 8e973d7b8945 ("Fix unsafe extraction by using
mkdir() instead of shell command") [1].

'unadf' passes the directory names within an ADF to system()
unsanitized. In the most benign failure case, directory names beginning
with '-' are interpreted as options to mkdir, and unpacking the ADF
fails.

Please update unadf to the fixed upstream version.

[1] https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd

-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unadf depends on:
ii  libc6  2.36-9+deb12u1

unadf recommends no packages.

unadf suggests no packages.

-- no debconf information

--- End Message ---
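The extraction pattern the report above describes, shown as an added example that is not code from unadf, ADFlib, or the bug report. The first function reconstructs, in simplified form, the command string that a system()-based extractor would build from an ADF entry name (its exact shape in unadf 0.7.11a-5 is an assumption; the string is only built, never executed). The second creates the directory with mkdir(2) directly, which is the approach of the upstream fix; its rejection of '/', "." and ".." is an added precaution beyond what the report discusses. The entry names are constructed.

```c
/* Added example, not code from unadf or ADFlib: the shell-based directory
 * creation the report describes, beside a version that calls mkdir(2)
 * directly. The exact shape of unadf's command string is an assumption;
 * the entry names used below are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define EX_PATH_MAX 4096

/* Vulnerable pattern (simplified reconstruction): the ADF entry name is
 * pasted straight into a command line destined for system(). Nothing
 * checks the name, so an entry starting with '-' becomes an option to
 * mkdir, and shell metacharacters would be interpreted by /bin/sh. The
 * string is only built and returned here, never run. Caller frees it. */
char *build_mkdir_command(const char *entry_name) {
    const char *prefix = "mkdir ";
    size_t n = strlen(prefix) + strlen(entry_name) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "%s%s", prefix, entry_name);
    return cmd;
}

/* Hardened pattern: validate one path component, then create it with
 * mkdir(2) under base. No shell is involved, so '-' and metacharacters
 * are plain bytes in a file name. Rejecting '/', "." and ".." is an
 * added precaution beyond the report. Returns 0 on success (including
 * an already existing directory), -1 with errno set on failure. */
int safe_mkdir_component(const char *base, const char *entry_name) {
    if (entry_name[0] == '\0' || strchr(entry_name, '/') != NULL ||
        strcmp(entry_name, ".") == 0 || strcmp(entry_name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    char path[EX_PATH_MAX];
    int len = snprintf(path, sizeof path, "%s/%s", base, entry_name);
    if (len < 0 || (size_t)len >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdir(path, 0755) != 0 && errno != EEXIST) return -1;
    return 0;
}

/* Returns 1 if base/entry_name exists and is a directory, else 0. */
int dir_exists(const char *base, const char *entry_name) {
    char path[EX_PATH_MAX];
    struct stat st;
    int len = snprintf(path, sizeof path, "%s/%s", base, entry_name);
    if (len < 0 || (size_t)len >= sizeof path) return 0;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Creates a per-process scratch directory under /tmp for the demo and
 * writes its path into buf. Returns 0 on success, -1 on failure. */
int make_scratch_dir(char *buf, size_t n) {
    int len = snprintf(buf, n, "/tmp/unadf-example-%ld", (long)getpid());
    if (len < 0 || (size_t)len >= n) return -1;
    if (mkdir(buf, 0700) != 0 && errno != EEXIST) return -1;
    return 0;
}

int main(void) {
    char base[64];
    /* Constructed entry names: a normal one, one starting with '-' as in
     * the report's benign failure case, and two the hardened path rejects. */
    const char *entries[] = { "Work", "-Work", "a/b", ".." };
    if (make_scratch_dir(base, sizeof base) != 0) { perror("scratch dir"); return 1; }
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        char *cmd = build_mkdir_command(entries[i]);
        int rc = safe_mkdir_component(base, entries[i]);
        int saved = errno;
        printf("entry %-6s  shell would see: %-12s  mkdir(2): %s\n",
               entries[i], cmd ? cmd : "(oom)",
               rc == 0 ? "created" : strerror(saved));
        free(cmd);
    }
    return 0;
}
```

Run stand-alone, the program prints one line per entry: "-Work" is created as a directory by the mkdir(2) path, while the shell-command column shows that the same name would reach mkdir as an option, which is the unpacking failure the report mentions.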
--- Begin Message ---
Source: unadf
Source-Version: 0.7.11a-6
Done: Moritz Muehlenhoff <jmm@debian.org>

We believe that the bug you reported is fixed in the latest version of
unadf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 838248@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated unadf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 22 Nov 2023 19:37:12 +0100
Source: unadf
Architecture: source
Version: 0.7.11a-6
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Closes: 838248 1053098
Changes:
 unadf (0.7.11a-6) unstable; urgency=medium
 .
   * QA upload.
   * Really apply security fixes for CVE-2016-1243/CVE-2016-1244, they
     were not actually applied in the 0.7.11a-4 upload
     (Closes: #838248, #1053098)
Checksums-Sha1:
 1d889a1c0201f04bc44faab182cc4ee5671efde7 1716 unadf_0.7.11a-6.dsc
 35db18004e25770d24dc042896f23cce29f8a688 20004 unadf_0.7.11a-6.debian.tar.xz
 a5ce25b15882bbf4a4447c37367f4cf0fbf971d3 6306 unadf_0.7.11a-6_amd64.buildinfo
Checksums-Sha256:
 12d215cc8632733933b549a698743a9eb5e6f24d2277e4c962481956c4404951 1716 unadf_0.7.11a-6.dsc
 4632eec82ed1293ac6c951e5ff9fa3616ad6d9678dc9c5413f711792193e3a25 20004 unadf_0.7.11a-6.debian.tar.xz
 bfe2061e9c0c1ff9cf6628a7de82a0dde64a61eef004e4efd51e39b59cda09a6 6306 unadf_0.7.11a-6_amd64.buildinfo
Files:
 225a6e6c9267910c01aa658a5264c44d 1716 utils optional unadf_0.7.11a-6.dsc
 48fb7eaa4004a8f00ffc4e3cabdaf928 20004 utils optional unadf_0.7.11a-6.debian.tar.xz
 22182c8b4209ce37cc5adf0a30835fbb 6306 utils optional unadf_0.7.11a-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
