Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1): unsafe shell call enabling shell injection via a User ID. See also #928256. However the Security Team didn't issue a DSA [0], and suggested to fix that via stretch-pu instead.

I enclosed a debdiff against signing-party_2.5-1.dsc. In the fix I replaced the use of iconv(1) with Perl's module ‘Encode.pm’ instead; it's a core module so the package doesn't need any new dependency.

Cheers,
-- Guilhem.

[0] https://security-tracker.debian.org/tracker/CVE-2019-11627
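As an added illustration (not part of the debdiff or of the signing-party sources): the uid-record conversion that gpg-key2ps performs, with the fixed in-process Encode transcoding beside a variant that reproduces the "drop unconvertible characters" semantics of the old `iconv -c` call. The `--with-colons` record is a constructed sample; the function names are mine.

```perl
#!/usr/bin/perl
# Added example, not code from the signing-party package: shows what the
# Encode-based replacement does with a uid record, without any shell call.
use strict;
use warnings;
use Encode ();

# Constructed sample uid record in gpg --with-colons format; field 10 is
# the User ID. It contains a double quote and a $-expansion, which the old
# `echo "$_" | iconv ...` pipeline would have handed to /bin/sh, plus the
# UTF-8 euro sign (E2 82 AC), which has no Latin-1 mapping.
my $record = qq{uid:u::::1556610000::0123456789ABCDEF0123456789ABCDEF::}
           . qq{Jane "Jay" O'Brien \$HOME <jane\@example.org> \x{e2}\x{82}\x{ac}}
           . qq{:::::::::0:\n};

# Fixed behaviour: pure in-process transcoding. With the default CHECK,
# decode_utf8() maps malformed UTF-8 to U+FFFD and encode() maps code
# points outside Latin-1 to '?'.
sub to_latin1 {
    my ($bytes) = @_;
    return Encode::encode('latin1', Encode::decode_utf8($bytes));
}

# Variant reproducing `iconv -c`: a CHECK coderef returning the empty
# string drops unencodable code points instead of substituting '?'.
sub to_latin1_drop {
    my ($bytes) = @_;
    return Encode::encode('latin1', Encode::decode_utf8($bytes), sub { '' });
}

# Same field extraction the script applies to a valid (non-revoked) uid:
# field 10 is placed into a PostScript string literal followed by `uid`.
sub render_uid {
    my ($line, $convert) = @_;
    $line = $convert->($line);
    $line =~ s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/;
    return $line;
}

# The quote and $HOME survive as literal text in both cases; only the
# handling of the euro sign differs ('?' versus dropped).
print render_uid($record, \&to_latin1);
print render_uid($record, \&to_latin1_drop);
```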
diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog --- signing-party-2.5/debian/changelog 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/changelog 2019-05-01 12:55:42.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (2.5-1+deb9u1) stretch; urgency=medium + + * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell + injection via a User ID. Use Perl's (core) module Encode.pm instead of + shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 12:55:42 +0200 + signing-party (2.5-1) unstable; urgency=low * caff: diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control --- signing-party-2.5/debian/control 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/control 2019-05-01 12:55:42.000000000 +0200 @@ -1,7 +1,7 @@ Source: signing-party Section: misc Priority: extra -Maintainer: Guilhem Moulin <guilhem@guilhem.org> +Maintainer: Guilhem Moulin <guilhem@debian.org> Uploaders: Simon Richter <sjr@debian.org> Build-Depends: debhelper (>= 9), python, dh-python, autoconf, automake, autotools-dev, diff -Nru signing-party-2.5/debian/patches/CVE-2018-15599.diff signing-party-2.5/debian/patches/CVE-2018-15599.diff --- signing-party-2.5/debian/patches/CVE-2018-15599.diff 1970-01-01 01:00:00.000000000 +0100 +++ signing-party-2.5/debian/patches/CVE-2018-15599.diff 2019-05-01 12:55:42.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Tue, 30 Apr 2019 19:49:45 +0200 +Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering. + +--- + gpg-key2ps/gpg-key2ps | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/gpg-key2ps/gpg-key2ps ++++ b/gpg-key2ps/gpg-key2ps +@@ -10,6 +10,7 @@ + # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $ + + use strict; ++use Encode (); + use Getopt::Long; + + my $version = '$Rev: 882 $'; +@@ -269,7 +270,7 @@ while(<GPG>) { + } + # user ids + s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; +- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; ++ $_ = Encode::encode("latin1", Encode::decode_utf8($_)); + s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; + # revoked user id + if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) { diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series --- signing-party-2.5/debian/patches/series 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/patches/series 2019-05-01 12:55:42.000000000 +0200 @@ -1 +1,2 @@ gpgwrap_makefile.diff +CVE-2018-15599.diff
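Review bot: the changelog entry names CVE-2018-15599, but the cover message and the security-tracker link [0] name CVE-2019-11627 for this gpg-key2ps issue, and the new patch file `debian/patches/CVE-2018-15599.diff` plus its entry in `debian/patches/series` carry the same mismatched identifier. Before upload, change the changelog line to CVE-2019-11627 and rename the patch file and series entry to match, so the stable update is tracked against the right CVE.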
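Review bot: the Maintainer address change in debian/control (`guilhem@guilhem.org` to `guilhem@debian.org`) is unrelated to the CVE fix and is not mentioned in the changelog entry. Either drop it to keep the stretch-pu debdiff minimal, or add a changelog line for it so the release team can see it is intentional.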
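Review bot: the replacement line `$_ = Encode::encode("latin1", Encode::decode_utf8($_));` removes the shell from the data path entirely, which is the right fix, but it does not reproduce the `-c` semantics of the old `iconv -c -f utf-8 -t latin1` call: with the default CHECK, decode_utf8 turns malformed UTF-8 into U+FFFD and encode() turns every code point outside Latin-1 into `?`, whereas iconv -c silently dropped them. If dropping is the intended behaviour for the generated PostScript, pass a CHECK coderef such as `sub { '' }` as the third argument to encode(); otherwise the changed output for non-Latin-1 UIDs deserves a mention in the changelog. `use Encode ();` imports nothing, so the fully-qualified calls used here are correct.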