
Bug#901814: stretch-pu: package monkeysign/2.2.3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Monkeysign has a minor security issue and two critical bugs
(unreported but still quite important) that affect all versions after
jessie.

The 2.2.4 upload performed on unstable today fixes all of those, but I
figured it was also important to backport those changes into an
upcoming stretch release. Considering the security issue is minor and
that it is also fixed by the recent GnuPG updates for CVE-2018-12020,
a security upload does not seem appropriate.

The attached patch is the debdiff for the last upload in unstable,
which I think should be applied verbatim to stable as well. It fixes a
crash in the API when manipulating GPG options (the "false" bit),
fixes CVE-2018-12020, fixes the test suite so it passes again, and
properly sends email when all UIDs are signed.

I can provide more details or open release-critical bugs for all of
the above if you believe it is necessary.

A.

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru monkeysign-2.2.3/CHANGELOG monkeysign-2.2.4/CHANGELOG
--- monkeysign-2.2.3/CHANGELOG	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/CHANGELOG	2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+  [ Tobias Rueetschi ]
+  * false isn't defined, that must be False
+
+  [ Antoine Beaupré ]
+  * actually send multiple emails instead of a single one
+  * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anarcat@debian.org>  Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
   [ Simon Fondrie-Teitler ]
diff -Nru monkeysign-2.2.3/debian/changelog monkeysign-2.2.4/debian/changelog
--- monkeysign-2.2.3/debian/changelog	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/debian/changelog	2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+  [ Tobias Rueetschi ]
+  * false isn't defined, that must be False
+
+  [ Antoine Beaupré ]
+  * actually send multiple emails instead of a single one
+  * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anarcat@debian.org>  Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
   [ Simon Fondrie-Teitler ]
diff -Nru monkeysign-2.2.3/monkeysign/gpg.py monkeysign-2.2.4/monkeysign/gpg.py
--- monkeysign-2.2.3/monkeysign/gpg.py	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/gpg.py	2018-06-18 12:18:46.000000000 -0400
@@ -102,6 +102,7 @@
                 'with-colons': None,
                 'with-fingerprint': None,
                 'fixed-list-mode': None,
+                'no-verbose': None,
                 'list-options': 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
                 }
 
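Review bot: The new `'no-verbose': None` entry carries no comment tying it to CVE-2018-12020, so a later tidy-up of the options dict could drop it without realising it is a security control rather than a cosmetic flag. The rendered command in test_gpg.py shows `--status-fd 2`, i.e. status lines share stderr with gpg's own diagnostics, and keeping gpg non-verbose is presumably what stops echoed text from being mistaken for a status line (the changelog's "fake signatures"). I would add `# CVE-2018-12020: keep gpg quiet so nothing it echoes on stderr can be confused with a status line (status-fd is 2)` next to the entry. A more robust follow-up would be to give --status-fd its own pipe instead of fd 2, so the status parser never has to trust stderr content at all.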
@@ -126,7 +127,7 @@
         if option in self.options:
             del self.options[option]
         else:
-            return false
+            return False
 
     def build_command(self, command):
         """internal helper to build a proper gpg commandline
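Review bot: With the NameError gone, the method still returns `False` only on the miss branch and falls off the end after the `del`, so a successful removal returns `None`; callers that compare the result with `is False` or use it as a boolean get different answers for the two outcomes. Adding `return True` after `del self.options[option]` makes the success path explicit and keeps `if not ctx.unset(...)` semantics unchanged. The enclosing method's signature and docstring start before this hunk, so the documented return contract (if any) is not visible here; if it promises None, document the False case instead.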
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_gpg.py monkeysign-2.2.4/monkeysign/tests/test_gpg.py
--- monkeysign-2.2.3/monkeysign/tests/test_gpg.py	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_gpg.py	2018-06-18 12:18:46.000000000 -0400
@@ -42,7 +42,7 @@
     options = Context.options
 
     # ... and this is the rendered version of the above
-    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet' ]
+    rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet', '--no-verbose' ]
 
     def setUp(self):
         self.gpg = Context()
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_network.py monkeysign-2.2.4/monkeysign/tests/test_network.py
--- monkeysign-2.2.3/monkeysign/tests/test_network.py	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_network.py	2018-06-18 12:18:46.000000000 -0400
@@ -29,7 +29,7 @@
 sys.path.insert(0, os.path.dirname(__file__) + '/../..')
 
 from monkeysign.gpg import TempKeyring
-from test_lib import TestTimeLimit, AlarmException, find_test_file, skipUnlessNetwork
+from test_lib import TestTimeLimit, AlarmException, find_test_file, skipUnlessNetwork, skipIfDatePassed
 
 
 @skipUnlessNetwork()
@@ -52,6 +52,7 @@
         except AlarmException:
             raise unittest.case._ExpectedFailure(sys.exc_info())
 
+    @skipIfDatePassed('2017-02-25T00:00:00UTC')
     def test_special_key(self):
         """test a key that sign_key had trouble with"""
         self.assertTrue(self.gpg.import_data(open(find_test_file('96F47C6A.asc')).read()))
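Review bot: The cutoff handed to `skipIfDatePassed`, 2017-02-25, is already past the file's 2018-06-18 timestamp, so `test_special_key` is unconditionally skipped and the regression it guards ("a key that sign_key had trouble with") is no longer exercised. Nothing in the hunk says why that date was chosen; if the fixture key in `96F47C6A.asc` expired then, record it, e.g. `# fixture key expired 2017-02-25; skipping avoids a false failure — TODO replace with a non-expiring test key`, so the skip reads as a known gap rather than a silently dead test.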
diff -Nru monkeysign-2.2.3/monkeysign/ui.py monkeysign-2.2.4/monkeysign/ui.py
--- monkeysign-2.2.3/monkeysign/ui.py	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/ui.py	2018-06-18 12:18:46.000000000 -0400
@@ -612,7 +612,7 @@
 
         if len(self.signed_keys) < 1:
             self.warn(_('no key signed, nothing to export'))
-        
+        ret = True
         for fpr, key in self.signed_keys.items():
             if self.chosen_uid is None:
                 for uid in key.uids.values():
@@ -621,14 +621,15 @@
                     except GpgRuntimeError as e:
                         self.warn(_('failed to create email: %s') % e)
                         break
-                    return self.sendmail(msg)
+                    ret = ret and self.sendmail(msg)
             else:
                 try:
                     msg = EmailFactory(self.tmpkeyring.export_data(fpr), fpr, self.chosen_uid, from_user, self.options.to)
                 except GpgRuntimeError as e:
                     self.warn(_('failed to create email: %s') % e)
                     break
-                return self.sendmail(msg)
+                ret = self.sendmail(msg)
+        return ret
 
     def sendmail(self, msg):
             """actually send the email
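Review bot: `ret = ret and self.sendmail(msg)` short-circuits, so after the first failed send `self.sendmail` is never called for the remaining UIDs and the "send multiple emails" goal only holds while every send succeeds; evaluating the send first, `ret = self.sendmail(msg) and ret`, delivers every email and still reports the failure. The chosen-UID branch has the mirror problem: `ret = self.sendmail(msg)` overwrites an earlier key's failure with the last key's result, so the same form `ret = self.sendmail(msg) and ret` keeps the first failure there too. The `break` on GpgRuntimeError also leaves `ret` untouched, so a key whose email could not be built still contributes True; setting `ret = False` before the `break` would make the return value match the warning. The enclosing method starts before this hunk (its `ret = True` initialisation is in the preceding hunk).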
diff -Nru monkeysign-2.2.3/monkeysign/_version.py monkeysign-2.2.4/monkeysign/_version.py
--- monkeysign-2.2.3/monkeysign/_version.py	2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/_version.py	2018-06-18 12:18:46.000000000 -0400
@@ -1,4 +1,4 @@
 # coding: utf-8
 # file generated by setuptools_scm
 # don't change, don't track in version control
-version = '2.2.3'
+version = '2.2.4'
