
Bug#944348: buster-pu: package schleuder/3.4.0-2+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear SRMs,

Schleuder in buster is affected by various problems, which I would like to fix
with this proposed update:

  - Schleuder fails to recognize keywords in mails with "protected headers" and
    empty subject.
    (Ref: #940524)

  - Schleuder is vulnerable to signature-flooded keys. GPG does not cope well
    with these keys. It will either refuse to import them, or during and after
    the import become so slow to be effectively unusable (while hogging CPUs).
    By default keys are regularly updated from the keyservers (in order to
    receive extended expiry dates, or key revocations). Any list with an
    attacked key in its keyring will become practically unusable and strain the
    server. This is a rather severe problem.
    (Ref: #940526)

  - Schleuder doesn't report an error if the argument provided to
    `refresh_keys` is not an existing list; it behaves as if the job ran
    successfully.
    (Ref: #940527)

All of them are already fixed in unstable. The proposed version is in
use and was tested in production for the last two weeks.

I admit that this comes quite late for the upcoming point release 10.2 freeze,
and the diff is rather large; however, most changes are related to test
files. I would be very happy if this could still find its way into
10.2, but I haven't uploaded yet, awaiting your ACK. The full debdiff is
attached.

Thanks in any case for your work -- as always, highly appreciated!

Cheers,
Georg
diff -Nru schleuder-3.4.0/debian/changelog schleuder-3.4.0/debian/changelog
--- schleuder-3.4.0/debian/changelog	2019-06-21 19:05:42.000000000 +0000
+++ schleuder-3.4.0/debian/changelog	2019-11-08 10:45:22.000000000 +0000
@@ -1,3 +1,23 @@
+schleuder (3.4.0-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    - Extend existing patch which fixes problems related to the use of
+      "protected headers": Fix recognizing keywords in mails with protected
+      headers and empty subject. Previously, if the subject was unset,
+      keywords were not recognized and the original "protected headers" could
+      leak.
+      This approach, extending the existing patch, instead of adding a new
+      one, reduces noise and keeps the diff small, as the same part of the
+      code is targeted.
+      (Closes: #940524)
+    - Add patch to strip non-self-signatures when refreshing or fetching keys.
+      (Closes: #940526)
+    - Add patch to error out if the argument provided to `refresh_keys` is not
+      an existing list.
+      (Closes: #940527)
+
+ -- Georg Faerber <georg@debian.org>  Fri, 08 Nov 2019 10:45:22 +0000
+
 schleuder (3.4.0-2) unstable; urgency=medium
 
   * debian/patches:
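Review bot: the entry for patch 0019 describes the stripping of non-self-signatures as unconditional, while the patch itself only adds `--import-filter` when `gpg_knows_import_filter?` reports GnuPG >= 2.1.15 and otherwise mails the superadmin a "Schleuder installation problem" notice; stating that condition here (e.g. "when GnuPG >= 2.1.15 is available, otherwise warn the superadmin") tells stable users what the new notification mail means and why signature flooding is still possible on older GnuPG.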
diff -Nru schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch
--- schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch	2019-06-21 19:05:42.000000000 +0000
+++ schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch	2019-11-08 10:45:22.000000000 +0000
@@ -1,31 +1,45 @@
-Description: Handle protected headers produced by Mutt 1.12.0
+Description: Fix various problems related to protected headers
   Mutt 1.12.0, which was recently released, introduced protected headers. These
   headers are just contained within the plain body of a mail produced by Mutt,
   they are not further wrapped into a specifically marked MIME-part. Schleuder
   fails to handle such messages, accordingly, this patch fixes this behaviour.
+
+  Further, this patch fixes recognizing keywords in mails with protected
+  headers and empty subject: Previously, if the subject was unset, keywords
+  were not recognized and the original "protected headers" could leak.
+  (Closes: #940524)
 Origin: upstream
 Forwarded: not-needed
-Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963
-Last-Update: 2019-06-20
+Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963 395a789a18e7e7e6b57af663ed70a51d6c7d1ba2
+Last-Update: 2019-11-08
 ---
 This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 Index: schleuder/lib/schleuder/mail/message.rb
 ===================================================================
---- schleuder.orig/lib/schleuder/mail/message.rb
-+++ schleuder/lib/schleuder/mail/message.rb
-@@ -55,7 +55,7 @@ module Mail
+--- schleuder.orig/lib/schleuder/mail/message.rb	2019-11-08 09:29:36.739321755 +0000
++++ schleuder/lib/schleuder/mail/message.rb	2019-11-08 09:29:36.735321752 +0000
+@@ -53,13 +53,12 @@
+       # headers, which reveals protected subjects.
+       if self.subject != new.subject
          new.protected_headers_subject = self.subject.dup
-
-         # Delete the protected headers which might leak information.
+-
+-        # Delete the protected headers which might leak information.
 -        if new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
-+        if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
-           new.parts.shift
-         end
+-          new.parts.shift
+-        end
        end
+ 
++      # Delete the protected headers which might leak information.
++      if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
++        new.parts.shift
++      end
+ 
+       new
+     end
 Index: schleuder/spec/fixtures/mutt_protected_headers.txt
 ===================================================================
---- /dev/null
-+++ schleuder/spec/fixtures/mutt_protected_headers.txt
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ schleuder/spec/fixtures/mutt_protected_headers.txt	2019-11-08 09:29:36.735321752 +0000
 @@ -0,0 +1,47 @@
 +From schleuder@example.org Thu Jun 13 15:19:33 2019
 +Received: from 127.0.0.1 (helo=localhost.localdomain)
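Review bot: the regenerated nested headers (`+--- schleuder.orig/lib/schleuder/mail/message.rb	2019-11-08 ...` / `++++ schleuder/lib/schleuder/mail/message.rb	2019-11-08 ...`) now embed file timestamps, which is most of what this hunk changes beyond the actual fix, i.e. moving the `if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"` block out of the `if self.subject != new.subject` branch so the leaking part is dropped even when the subject is empty. Refreshing with `quilt refresh --no-timestamps` keeps the patch minimal and the logic change easy to audit. Note also that the check still only inspects `new.parts.first`; a protected-headers part at any other position is left in place, as before.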
@@ -76,10 +90,10 @@
 +--z6Eq5LdranGa6ru8--
 Index: schleuder/spec/schleuder/integration/protected_headers_spec.rb
 ===================================================================
---- schleuder.orig/spec/schleuder/integration/protected_headers_spec.rb
-+++ schleuder/spec/schleuder/integration/protected_headers_spec.rb
-@@ -85,4 +85,26 @@ describe "protected subject" do
-
+--- schleuder.orig/spec/schleuder/integration/protected_headers_spec.rb	2019-11-08 09:29:36.739321755 +0000
++++ schleuder/spec/schleuder/integration/protected_headers_spec.rb	2019-11-08 09:29:36.735321752 +0000
+@@ -85,4 +85,65 @@
+ 
      teardown_list_and_mailer(list)
    end
 +
@@ -104,4 +118,43 @@
 +
 +    teardown_list_and_mailer(list)
 +  end
++
++  it "recognizes keywords in mails with protected headers and empty subject" do
++    list = create(:list)
++    list.subscribe("schleuder@example.org", '59C71FB38AEE22E091C78259D06350440F759BD3', true)
++    ENV['GNUPGHOME'] = list.listdir
++    mail = Mail.new
++    mail.to = list.request_address
++    mail.from = list.admins.first.email
++    gpg_opts = {
++      encrypt: true,
++      keys: {list.request_address => list.fingerprint},
++      sign: true,
++      sign_as: list.admins.first.fingerprint
++    }
++    mail.gpg(gpg_opts)
++    mail.body = "x-list-name: #{list.email}\nx-list-keys"
++    protected_headers = Mail::Part.new do
++      body "Subject: protected"
++      content_type "text/rfc822-headers; protected-headers=v1"
++    end
++    mail.add_part protected_headers
++    mail.deliver
++
++    encrypted_mail = Mail::TestMailer.deliveries.first
++    Mail::TestMailer.deliveries.clear
++
++    begin
++      Schleuder::Runner.new().run(encrypted_mail.to_s, list.request_address)
++    rescue SystemExit
++    end
++    raw = Mail::TestMailer.deliveries.first
++    message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
++
++    expect(message.first_plaintext_part.body.to_s).to include("59C71FB38AEE22E091C78259D06350440F759BD3")
++    expect(message.first_plaintext_part.body.to_s).to_not include("Your message didn't contain any keywords, thus there was nothing to do.")
++
++    teardown_list_and_mailer(list)
++  end
++
  end
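Review bot: the new example sets `ENV['GNUPGHOME'] = list.listdir` but never restores it, so a later example in the same process inherits this list's keyring unless `teardown_list_and_mailer` resets it; restoring the previous value in an `ensure` (or confirming the helper does) avoids order-dependent failures. The empty `rescue SystemExit` also hides a non-zero exit from `Schleuder::Runner`; the `expect`s on the reply body still catch the #940524 regression, but asserting that `Mail::TestMailer.deliveries` is non-empty before `raw.to_s` gives a clearer failure than a NoMethodError on nil.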
diff -Nru schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch
--- schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch	1970-01-01 00:00:00.000000000 +0000
+++ schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch	2019-11-08 10:45:22.000000000 +0000
@@ -0,0 +1,26 @@
+Description: Show error if list for `refresh_keys` does not exist.
+Origin: <upstream>, <https://0xacab.org/schleuder/schleuder/commit/cd2e2553c7bb4feb47bad5316292a7b8c8edbe15>
+Last-Update: 2019-11-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: schleuder/lib/schleuder/cli.rb
+===================================================================
+--- schleuder.orig/lib/schleuder/cli.rb	2019-11-03 20:13:16.127752282 +0000
++++ schleuder/lib/schleuder/cli.rb	2019-11-03 20:13:16.123752314 +0000
+@@ -320,10 +320,13 @@
+     private
+ 
+     def work_on_lists(subj, list=nil)
+-      selected_lists = if list.nil?
+-        List.all
++      if list.nil?
++        selected_lists = List.all
+       else
+-        List.where(email: list)
++        selected_lists = List.where(email: list)
++        if selected_lists.blank?
++          error("No list with this address exists: #{list.inspect}")
++        end
+       end
+ 
+       selected_lists.each do |list|
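Review bot: the new branch in `work_on_lists` calls `error(...)` when `List.where(email: list)` is blank, but nothing in this hunk shows whether `error` terminates; if it only prints, execution falls through to `selected_lists.each` over an empty relation and the caller still gets `permission_notice`, which is the silent-success behaviour #940527 is about. Please confirm `error` exits non-zero (or add an explicit `exit 1`), and consider a spec that runs `refresh_keys` with a non-existent address and checks the exit status.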
diff -Nru schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch
--- schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch	1970-01-01 00:00:00.000000000 +0000
+++ schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch	2019-11-08 10:45:22.000000000 +0000
@@ -0,0 +1,339 @@
+Description: Strip non-self-signatures when refreshing or fetching keys if possible.
+Origin: <upstream>, <https://0xacab.org/schleuder/schleuder/commit/de772c5b067a7ead8d740440fcb2860a543ce834>, <https://0xacab.org/schleuder/schleuder/commit/748013793d7b71a3b1081148aa55d220cfedfd32>
+Last-Update: 2019-11-03
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: schleuder/lib/schleuder/cli.rb
+===================================================================
+--- schleuder.orig/lib/schleuder/cli.rb	2019-11-03 19:15:19.000000000 +0000
++++ schleuder/lib/schleuder/cli.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -67,6 +67,7 @@
+ 
+     desc 'refresh_keys [list1@example.com]', "Refresh all keys of all list from the keyservers sequentially (one by one or on the passed list). (This is supposed to be run from cron weekly.)"
+     def refresh_keys(list=nil)
++      GPGME::Ctx.send_notice_if_gpg_does_not_know_import_filter
+       work_on_lists(:refresh_keys,list)
+       permission_notice
+     end
+@@ -324,6 +325,7 @@
+       else
+         List.where(email: list)
+       end
++
+       selected_lists.each do |list|
+         I18n.locale = list.language
+         output = list.send(subj)
+Index: schleuder/lib/schleuder/gpgme/ctx.rb
+===================================================================
+--- schleuder.orig/lib/schleuder/gpgme/ctx.rb	2019-11-03 18:33:31.852282869 +0000
++++ schleuder/lib/schleuder/gpgme/ctx.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -103,7 +103,7 @@
+     end
+ 
+     def refresh_key(fingerprint)
+-      args = "#{keyserver_arg} --refresh-keys #{fingerprint}"
++      args = "#{keyserver_arg} #{import_filter_arg} --refresh-keys #{fingerprint}"
+       gpgerr, gpgout, exitcode = self.class.gpgcli(args)
+ 
+       if exitcode > 0
+@@ -136,7 +136,8 @@
+       arguments, error = fetch_key_gpg_arguments_for(input)
+       return error if error
+ 
+-      gpgerr, gpgout, exitcode = self.class.gpgcli(arguments)
++      self.class.send_notice_if_gpg_does_not_know_import_filter
++      gpgerr, gpgout, exitcode = self.class.gpgcli("#{import_filter_arg} #{arguments}")
+ 
+       # Unfortunately gpg doesn't exit with code > 0 if `--fetch-key` fails.
+       if exitcode > 0 || gpgerr.grep(/ unable to fetch /).presence
+@@ -270,5 +271,25 @@
+         ""
+       end
+     end
++
++    def self.gpg_knows_import_filter?
++      sufficient_gpg_version?('2.1.15')
++    end
++
++    def import_filter_arg
++      if self.class.gpg_knows_import_filter?
++        %{ --import-filter drop-sig='sig_created_d > 0000-00-00'}
++      end
++    end
++
++    def self.send_notice_if_gpg_does_not_know_import_filter
++      if ! gpg_knows_import_filter?
++        Schleuder.logger.notify_superadmin(
++            subject: 'Schleuder installation problem',
++            message: "Your version of GnuPG is very old, please update!\n\nWith your version of GnuPG we can not protect your setup against signature flooding. Please update to at least version 2.1.15 to fix this problem. See <https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html> for details on the background."
++          )
++        ''
++      end
++    end
+   end
+ end
+Index: schleuder/spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ schleuder/spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt	2019-11-03 19:21:53.632021708 +0000
+@@ -0,0 +1,41 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++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++=EqIC
++-----END PGP PUBLIC KEY BLOCK-----
+Index: schleuder/spec/schleuder/integration/cli_spec.rb
+===================================================================
+--- schleuder.orig/spec/schleuder/integration/cli_spec.rb	2019-11-03 18:33:31.852282869 +0000
++++ schleuder/spec/schleuder/integration/cli_spec.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -159,9 +159,8 @@
+         dirmngr_pid = `pgrep -a dirmngr | grep #{list.listdir}`.split(' ',2).first
+         expect(dirmngr_pid).to be_nil
+       end
+-      mail = Mail::TestMailer.deliveries.first
++      mail = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+ 
+-      expect(Mail::TestMailer.deliveries.length).to eq 1
+       b = mail.first_plaintext_part.body.to_s
+       expect(b).to match(/Refreshing all keys from the keyring of list #{list.email} resulted in this:\n\n/)
+       expect(b).to match(/\nThis key was updated \(new signatures\):\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo \d{4}-\d{2}-\d{2} \[expired: \d{4}-\d{2}-\d{2}\]\n/)
+@@ -181,9 +180,8 @@
+       with_sks_mock do
+         Cli.new.refresh_keys list1.email
+       end
+-      mail = Mail::TestMailer.deliveries.first
++      mail = Mail::TestMailer.deliveries.find { |message| message.to == [list1.admins.first.email] }
+ 
+-      expect(Mail::TestMailer.deliveries.length).to eq 1
+       b = mail.first_plaintext_part.body.to_s
+       expect(b).to match(/Refreshing all keys from the keyring of list #{list1.email} resulted in this:\n\n/)
+       expect(b).to match(/\nThis key was updated \(new signatures\):\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo \d{4}-\d{2}-\d{2} \[expired: \d{4}-\d{2}-\d{2}\]\n/)
+@@ -199,9 +197,8 @@
+       list.import_key(File.read("spec/fixtures/expired_key.txt"))
+ 
+       Cli.new.refresh_keys
+-      mail = Mail::TestMailer.deliveries.first
++      mail = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+ 
+-      expect(Mail::TestMailer.deliveries.length).to eq 1
+       expect(mail.to_s).to include("Refreshing all keys from the keyring of list #{list.email} resulted in this")
+       if GPGME::Ctx.sufficient_gpg_version?('2.1')
+         expect(mail.to_s).to include("keyserver refresh failed: No keyserver available")
+Index: schleuder/spec/schleuder/integration/keywords_spec.rb
+===================================================================
+--- schleuder.orig/spec/schleuder/integration/keywords_spec.rb	2019-11-03 18:33:31.856283673 +0000
++++ schleuder/spec/schleuder/integration/keywords_spec.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -1427,7 +1427,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num + 1)
+@@ -1463,7 +1463,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num)
+@@ -1499,7 +1499,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num + 1)
+@@ -1536,7 +1536,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num)
+@@ -1572,7 +1572,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num)
+@@ -1608,7 +1608,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num + 1)
+@@ -1644,7 +1644,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num)
+@@ -1680,7 +1680,7 @@
+       rescue SystemExit
+       end
+     end
+-    raw = Mail::TestMailer.deliveries.first
++    raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] }
+     message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup
+ 
+     expect(list.keys.size).to eql(list_keys_num)
+Index: schleuder/spec/schleuder/unit/gpgme_ctx.rb
+===================================================================
+--- schleuder.orig/spec/schleuder/unit/gpgme_ctx.rb	2019-11-03 18:33:31.856283673 +0000
++++ schleuder/spec/schleuder/unit/gpgme_ctx.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -227,5 +227,31 @@
+         expect(mail.to_s).to match(/gpgkeys: .* error .* connect/)
+       end
+     end
++
++    it 'does not import non-self-signatures if gpg >= 2.1.15; or else sends a warning' do
++      list = create(:list)
++      list.delete_key('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412')
++      list.subscribe('admin@example.org', nil, true)
++      list.import_key(File.read('spec/fixtures/bla_foo_key.txt'))
++
++      res = ''
++      with_sks_mock do
++        res = list.gpg.refresh_keys(list.keys)
++      end
++      # GPGME apparently does not show signatures correctly in some cases, so we better use gpgcli.
++      signature_output = list.gpg.class.gpgcli(['--list-sigs', '87E65ED2081AE3D16BE4F0A5EBDBE899251F2412'])[1].grep(/0F759BD3.*schleuder@example.org/)
++
++      if GPGME::Ctx.sufficient_gpg_version?('2.1.15')
++        expect(res).to be_empty
++        expect(signature_output).to be_empty
++      else
++        message = Mail::TestMailer.deliveries.first
++        expect(message.to).to eql([Conf.superadmin])
++        expect(message.subject).to eql('Schleuder installation problem')
++        expect(res).not_to be_empty
++        expect(signature_output).not_to be_empty
++      end
++    end
++
+   end
+ end
+Index: schleuder/spec/schleuder/unit/list_spec.rb
+===================================================================
+--- schleuder.orig/spec/schleuder/unit/list_spec.rb	2019-11-03 18:33:31.856283673 +0000
++++ schleuder/spec/schleuder/unit/list_spec.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -525,6 +525,32 @@
+ 
+       teardown_list_and_mailer(list)
+     end
++
++    it 'does not import non-self-signatures if gpg >= 2.1.15; or else sends a warning' do
++      list = create(:list)
++      list.delete_key('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412')
++      list.subscribe('admin@example.org', nil, true)
++      output = ''
++
++      with_sks_mock do
++        output = list.fetch_keys('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412')
++      end
++
++      # GPGME apparently does not show signatures correctly in some cases, so we better use gpgcli.
++      signature_output = list.gpg.class.gpgcli(['--list-sigs', '87E65ED2081AE3D16BE4F0A5EBDBE899251F2412'])[1].grep(/0F759BD3.*schleuder@example.org/)
++
++      expect(output).to include("This key was fetched (new key):\n0x87E65ED2081AE3D16BE4F0A5EBDBE899251F2412 bla@foo")
++      if GPGME::Ctx.gpg_knows_import_filter?
++        expect(signature_output).to be_empty
++      else
++        message = Mail::TestMailer.deliveries.first
++        expect(message.to).to eql([Conf.superadmin])
++        expect(message.subject).to eql('Schleuder installation problem')
++        expect(signature_output).not_to be_empty
++      end
++
++      teardown_list_and_mailer(list)
++    end
+   end
+ 
+   describe "send_list_key_to_subscriptions" do
+Index: schleuder/spec/sks-mock.rb
+===================================================================
+--- schleuder.orig/spec/sks-mock.rb	2019-11-03 18:33:31.856283673 +0000
++++ schleuder/spec/sks-mock.rb	2019-11-03 19:21:53.632021708 +0000
+@@ -23,6 +23,8 @@
+       File.read('spec/fixtures/olduid_key_with_newuid.txt')
+     when '0x59C71FB38AEE22E091C78259D06350440F759BD3'
+       File.read('spec/fixtures/default_list_key.txt')
++    when '0x87E65ED2081AE3D16BE4F0A5EBDBE899251F2412'
++      File.read('spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt')
+     else
+       404
+     end
+Index: schleuder/lib/schleuder/logger_notifications.rb
+===================================================================
+--- schleuder.orig/lib/schleuder/logger_notifications.rb	2019-11-03 18:33:31.852282869 +0000
++++ schleuder/lib/schleuder/logger_notifications.rb	2019-11-03 19:25:11.711883679 +0000
+@@ -18,9 +18,14 @@
+       notify_admin(string, original_message)
+     end
+ 
+-    def notify_admin(thing, original_message=nil, subject='Error')
++    def notify_superadmin(message:, original_message: nil, subject: 'Error')
++      notify_admin(message, original_message, subject, superadmin)
++    end
++
++    def notify_admin(thing, original_message=nil, subject='Error', recipients=nil)
+       # Minimize using other classes here, we don't know what caused the error.
+       msg_parts = convert_to_msg_parts(thing, original_message)
++      recipients ||= adminaddresses
+       Array(adminaddresses).each do |address, key|
+         mail = Mail.new
+         mail.from = @from
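Review bot: in `lib/schleuder/logger_notifications.rb` the new `recipients` parameter of `notify_admin` is assigned (`recipients ||= adminaddresses`) but the loop below still reads `Array(adminaddresses).each do |address, key|`, so `notify_superadmin` never uses the `superadmin` value it passes in; the loop should iterate over `recipients`. The new specs' `expect(message.to).to eql([Conf.superadmin])` only holds while the logger in use has `adminaddresses` equal to the superadmin, which masks the dead parameter. Minor: the second cli.rb hunk (`@@ -324,6 +325,7 @@`) inserts only a blank line, and patch 0018 then relies on that blank line as context, which is why it has to be applied after 0019; a sentence in the DEP-3 header would make that dependency explicit.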
diff -Nru schleuder-3.4.0/debian/patches/series schleuder-3.4.0/debian/patches/series
--- schleuder-3.4.0/debian/patches/series	2019-06-21 19:05:42.000000000 +0000
+++ schleuder-3.4.0/debian/patches/series	2019-11-08 10:45:22.000000000 +0000
@@ -1,3 +1,5 @@
+0019-refresh-fetch-strip-non-self-sigs.patch
+0018-refresh_keys-no-list.patch
 0016-gemspec-update-sinatra.patch
 0011-fix-for-activerecord-5.2.patch
 0008-dirmngr-no-tor-standard-resolver.patch
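Review bot: 0019 is listed before 0018 although it carries the higher number; the order is required because 0018's context (`      end`, blank line, `      selected_lists.each`) includes the blank line that 0019's cli.rb hunk introduces, so swapping them would make 0018 fail to apply. A `#` comment line in `series` (quilt accepts them) or a note in 0018's DEP-3 header would keep the next maintainer from "correcting" the order.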
