Hi Salvatore, On Wed, 01 May 2019 at 13:37:12 +0200, Salvatore Bonaccorso wrote: > On Wed, May 01, 2019 at 01:27:26PM +0200, Guilhem Moulin wrote: >> +signing-party (2.5-1+deb9u1) stretch; urgency=medium >> + >> + * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell > ^^^^^^^^^^^^^^ That would be CVE-2019-11627 > > (and as well for the patch name itself). Ooops, I got fooled by my copy-paste fu, and did the same mistake in 2.10-1… Thanks for spotting! New debdiff attached. Cheers, -- Guilhem.
diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog --- signing-party-2.5/debian/changelog 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/changelog 2019-05-01 12:55:42.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (2.5-1+deb9u1) stretch; urgency=medium + + * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell + injection via a User ID. Use Perl's (core) module Encode.pm instead of + shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 12:55:42 +0200 + signing-party (2.5-1) unstable; urgency=low * caff: diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control --- signing-party-2.5/debian/control 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/control 2019-05-01 12:55:42.000000000 +0200 @@ -1,7 +1,7 @@ Source: signing-party Section: misc Priority: extra -Maintainer: Guilhem Moulin <guilhem@guilhem.org> +Maintainer: Guilhem Moulin <guilhem@debian.org> Uploaders: Simon Richter <sjr@debian.org> Build-Depends: debhelper (>= 9), python, dh-python, autoconf, automake, autotools-dev, diff -Nru signing-party-2.5/debian/patches/CVE-2019-11627.diff signing-party-2.5/debian/patches/CVE-2019-11627.diff --- signing-party-2.5/debian/patches/CVE-2019-11627.diff 1970-01-01 01:00:00.000000000 +0100 +++ signing-party-2.5/debian/patches/CVE-2019-11627.diff 2019-05-01 12:55:42.000000000 +0200 @@ -0,0 +1,27 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Tue, 30 Apr 2019 19:49:45 +0200 +Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering. + +--- + gpg-key2ps/gpg-key2ps | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/gpg-key2ps/gpg-key2ps ++++ b/gpg-key2ps/gpg-key2ps +@@ -10,6 +10,7 @@ + # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $ + + use strict; ++use Encode (); + use Getopt::Long; + + my $version = '$Rev: 882 $'; +@@ -269,7 +270,7 @@ while(<GPG>) { + } + # user ids + s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; +- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; ++ $_ = Encode::encode("latin1", Encode::decode_utf8($_)); + s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; + # revoked user id + if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) { diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series --- signing-party-2.5/debian/patches/series 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/patches/series 2019-05-01 12:55:42.000000000 +0200 @@ -1 +1,2 @@ gpgwrap_makefile.diff +CVE-2019-11627.diff
Attachment:
signature.asc
Description: PGP signature