Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.camel@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #848908, regarding jessie-pu: package shutter/0.92-0.1+deb8u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 848908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848908 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Ryan Niebur <ryan@debian.org>
- Subject: jessie-pu: package shutter/0.92-0.1+deb8u1
- From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Date: Tue, 20 Dec 2016 19:12:33 +0100
- Message-id: <1482257179@msgid.manchmal.in-ulm.de>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hello release team, CVE-2015-0854[1] hasn't been handled in jessie yet. The security team ACKed to use an upcoming point release for this. The shutter maintainer Ryan Niebur is in Cc:. Find attached a debdiff based on the fixed stretch version 0.93.1-1, the original patch triggered a Perl error. Testing confirmed the described exploit no longer works then. Regards, Christoph [1] https://security-tracker.debian.org/tracker/CVE-2015-0854diff -Nru shutter-0.92/debian/changelog shutter-0.92/debian/changelog --- shutter-0.92/debian/changelog 2014-08-10 17:51:22.000000000 +0200 +++ shutter-0.92/debian/changelog 2016-12-20 19:00:20.000000000 +0100 @@ -1,3 +1,9 @@ +shutter (0.92-0.1+deb8u1) jessie; urgency=high + + * Fix insecure usage of system(). Closes: #798862 [CVE-2015-0854] + + -- Christoph Biedl <debian.axhn@manchmal.in-ulm.de> Tue, 20 Dec 2016 19:00:20 +0100 + shutter (0.92-0.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru shutter-0.92/debian/patches/CVE-2015-0854.patch shutter-0.92/debian/patches/CVE-2015-0854.patch --- shutter-0.92/debian/patches/CVE-2015-0854.patch 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/CVE-2015-0854.patch 2016-12-20 18:59:57.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Fix insecure use of system() +Author: Luke Faraone <lfaraone@debian.org> +ID: CVE-2015-0854 +Bug: https://bugs.launchpad.net/shutter/+bug/1495163 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798862 + +--- a/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm ++++ b/share/shutter/resources/modules/Shutter/App/HelperFunctions.pm +@@ -53,7 +53,8 @@ + + sub xdg_open { + my ( $self, $dialog, $link, $user_data ) = @_; +- system("xdg-open $link"); ++ my @args = ("xdg-open", $link); ++ system(@args); + if($?){ + my $response = $self->{_dialogs}->dlg_error_message( + sprintf( $self->{_d}->get("Error while executing %s."), "'xdg-open'"), diff -Nru shutter-0.92/debian/patches/series shutter-0.92/debian/patches/series --- shutter-0.92/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ shutter-0.92/debian/patches/series 2016-12-20 18:40:00.000000000 +0100 @@ -0,0 +1 @@ +CVE-2015-0854.patchAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 823517-done@bugs.debian.org, 829606-done@bugs.debian.org, 836795-done@bugs.debian.org, 836823-done@bugs.debian.org, 837105-done@bugs.debian.org, 837428-done@bugs.debian.org, 837558-done@bugs.debian.org, 837575-done@bugs.debian.org, 837607-done@bugs.debian.org, 838396-done@bugs.debian.org, 838780-done@bugs.debian.org, 838869-done@bugs.debian.org, 838882-done@bugs.debian.org, 839242-done@bugs.debian.org, 839531-done@bugs.debian.org, 839656-done@bugs.debian.org, 839731-done@bugs.debian.org, 839814-done@bugs.debian.org, 839907-done@bugs.debian.org, 839927-done@bugs.debian.org, 840127-done@bugs.debian.org, 840188-done@bugs.debian.org, 840191-done@bugs.debian.org, 840350-done@bugs.debian.org, 840378-done@bugs.debian.org, 840379-done@bugs.debian.org, 840942-done@bugs.debian.org, 841462-done@bugs.debian.org, 841681-done@bugs.debian.org, 841767-done@bugs.debian.org, 841979-done@bugs.debian.org, 842013-done@bugs.debian.org, 842509-done@bugs.debian.org, 842938-done@bugs.debian.org, 843171-done@bugs.debian.org, 843268-done@bugs.debian.org, 843411-done@bugs.debian.org, 843426-done@bugs.debian.org, 843508-done@bugs.debian.org, 843775-done@bugs.debian.org, 843999-done@bugs.debian.org, 844150-done@bugs.debian.org, 844161-done@bugs.debian.org, 844746-done@bugs.debian.org, 845156-done@bugs.debian.org, 845263-done@bugs.debian.org, 845387-done@bugs.debian.org, 845443-done@bugs.debian.org, 845474-done@bugs.debian.org, 845564-done@bugs.debian.org, 845570-done@bugs.debian.org, 846017-done@bugs.debian.org, 846031-done@bugs.debian.org, 846352-done@bugs.debian.org, 846948-done@bugs.debian.org, 847273-done@bugs.debian.org, 847921-done@bugs.debian.org, 848341-done@bugs.debian.org, 848610-done@bugs.debian.org, 848829-done@bugs.debian.org, 848908-done@bugs.debian.org, 848926-done@bugs.debian.org, 848942-done@bugs.debian.org, 849004-done@bugs.debian.org, 849020-done@bugs.debian.org, 849175-done@bugs.debian.org, 849438-done@bugs.debian.org, 849467-done@bugs.debian.org, 849538-done@bugs.debian.org, 849698-done@bugs.debian.org, 849725-done@bugs.debian.org, 849865-done@bugs.debian.org, 849869-done@bugs.debian.org, 849962-done@bugs.debian.org, 849967-done@bugs.debian.org, 850084-done@bugs.debian.org, 850154-done@bugs.debian.org, 850214-done@bugs.debian.org, 850539-done@bugs.debian.org, 850542-done@bugs.debian.org, 850563-done@bugs.debian.org, 850566-done@bugs.debian.org, 850567-done@bugs.debian.org, 838109-done@bugs.debian.org, 849488-done@bugs.debian.org
- Subject: Closing requests included in today's point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 14 Jan 2017 12:37:03 +0000
- Message-id: <1484397423.1091.25.camel@adam-barratt.org.uk>
Version: 8.7 Hi, Each of these bugs refers to an update that was included in today's 8.7 point release. Regards, Adam
--- End Message ---