On Wed, 28 Jun 2017 01:27:42 +0200, Cyril Brulebois wrote:
> gregor herrmann <gregoa@debian.org> (2017-05-20):
> > I've prepared an upload of shutter for stable. The new version
> > includes two patches:
> > - one fixing CVE-2016-10081 / #849777
> > - another one which dod uploaded together with this one as 0.93.1-1.3
> > in January which is also security relevant (replaces
> > system("string") with system(@array)).
> That's a long patch… Comments below (see last hunk, mainly).
Thanks for taking the time to go through the patch in detail!
> > + sub nautilus_sendto {
> > + my ( $self, $user_data ) = @_;
> > +- system("nautilus-sendto $user_data &");
> > ++ system('nautilus-sendto', $user_data);
> > + if($?){
> > + my $response = $self->{_dialogs}->dlg_error_message(
> > + sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
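Review bot: in the `system('nautilus-sendto', $user_data);` line, the whole of $user_data now reaches the program as a single argument, so the call matches the old behaviour only when callers pass exactly one file name. If that string can carry several space-separated paths or options, split it into a list before the call. The call is also synchronous now: the `if($?)` check sees the real exit status, but the caller waits until nautilus-sendto exits, and a short comment saying this is intended would help.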
>
> Was the '&' really meant to go away?
I suppose yes, in order to make sure that the script waits for nautilus-sendto
to return, as the return value is checked in the next line.
And/or because it simply doesn't work, as adding a '&' would be
interpreted as an argument:
#v+
#!/usr/bin/perl
use strict;
use warnings;
my $args='-ls';
print "string\n";
system( "ls $args &" ) == 0 or die "system(string) failed: $?";
#v-
% perl background.pl
string
total 4
4 -rw-rw-r-- 1 gregoa gregoa 234 Jun 28 20:10 background.pl
vs.
#v+
#!/usr/bin/perl
use strict;
use warnings;
my $args='-ls';
print "list\n";
system( 'ls', '-la', '&' ) == 0 or die "system(list) failed: $?";
#v-
% perl background.pl
list
ls: cannot access '&': No such file or directory
system(list) failed: 512 at background.pl line 9.
So yes, this seems intended :)
Nevertheless looping in dod as the author of this patch.
Cheers,
gregor
--
.''`. https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
`- NP: Ben Weaver: Voice In The Wilderness
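The point discussed in this message, as an added example that is not part of the original thread or of the shutter patch: the string form lets the shell interpret metacharacters, the list form passes them as literal data, and a command can still be run in the background without a shell by using fork plus list-form exec. The helper names `run_list` and `spawn_list` are hypothetical, the file name is constructed, and `printf` and `sleep` stand in for nautilus-sendto.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

$| = 1;    # keep parent and child output in order

# Constructed sample: a "file name" containing shell metacharacters.
my $name = 'report; echo INJECTED &';

# String form (the pre-patch pattern): /bin/sh parses the line, so ';' ends
# the printf command and 'echo INJECTED &' runs as a second, backgrounded one.
system("printf '%s\\n' $name");

# List form (the patched pattern): no shell, $name is exactly one argv element.
sub run_list {
    my @cmd = @_;
    my $rc = system { $cmd[0] } @cmd;
    return $rc == -1 ? "exec failed: $!" : 'exit ' . ( $? >> 8 );
}

# Background execution without a shell: fork, then list-form exec in the child.
sub spawn_list {
    my @cmd = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ( $pid == 0 ) {
        # Child: replace the process image; _exit avoids running parent cleanup.
        exec { $cmd[0] } @cmd or POSIX::_exit(127);
    }
    return $pid;    # parent continues immediately
}

sleep 1;            # let the backgrounded echo from the string form finish
print run_list( 'printf', "argv[1]=<%s>\n", $name ), "\n";

my $pid = spawn_list( 'sleep', '1' );
print "parent not blocked, child pid $pid\n";

# The exit status is still available, just later (in a GUI this wait would
# live in a SIGCHLD handler or the toolkit's child watch instead).
waitpid( $pid, 0 );
print 'child exit ', $? >> 8, "\n";
```

The string-form call prints `report` and then `INJECTED`, while the list-form call prints the whole constructed name between the angle brackets.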