
Bug#928291: unblock: signing-party/2.10-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599:
unsafe shell call enabling shell injection via a User ID.

Debdiff between 2.9-1 and 2.10-1 attached.  (While the package is not
native we're also upstream.)  I replaced the use of iconv(1) with
Perl's module ‘Encode.pm’ instead; it's a core module so the package
doesn't need any new dependency.

unblock signing-party/2.10-1

Thanks for considering its inclusion to Buster!
Cheers,
-- 
Guilhem.
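The in-process UTF-8 to Latin-1 conversion that replaces the shell call, as an added example (not code from signing-party or its author), with the policies for malformed UTF-8 and for characters outside Latin-1 spelled out explicitly; the sample User IDs are constructed.

```perl
#!/usr/bin/perl
# Added example, not part of signing-party: convert a User ID from UTF-8 to
# Latin-1 without shelling out, mimicking `iconv -c` (drop, rather than
# replace, characters that have no Latin-1 representation).
use strict;
use warnings;
use Encode ();

# FB_CROAK turns malformed UTF-8 into an error instead of Encode's default
# silent substitution with U+FFFD.  The coderef passed to encode() is called
# for every character that has no Latin-1 codepoint; returning '' drops it
# (Encode's default would emit '?').
sub uid_to_latin1 {
    my ($bytes) = @_;
    my $chars = eval { Encode::decode('UTF-8', $bytes, Encode::FB_CROAK) };
    return undef unless defined $chars;
    return Encode::encode('latin1', $chars, sub { '' });
}

# Constructed sample User IDs (hypothetical; not taken from any real key).
my @samples = (
    "Ren\xc3\xa9 Example <rene\@example.org>",     # é exists in Latin-1
    "Zo\xc3\xab \xe2\x82\xac <zoe\@example.org>",  # € does not: dropped
    "Evil \$(id) `uname` <x\@example.org>",        # metacharacters stay inert data
    "bad \xff bytes",                              # malformed UTF-8: rejected
);

for my $uid (@samples) {
    my $out = uid_to_latin1($uid);
    printf "%-45s => %s\n", $uid, defined $out ? "[$out]" : "(malformed UTF-8)";
}
```

Because the User ID is now only ever a Perl string and never part of a command line, the third sample is converted unchanged rather than executed.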
diff -Nru signing-party-2.9/debian/changelog signing-party-2.10/debian/changelog
--- signing-party-2.9/debian/changelog	2019-03-01 15:39:40.000000000 +0100
+++ signing-party-2.10/debian/changelog	2019-05-01 12:21:59.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.10-1) unstable; urgency=high
+
+  * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
+    shell injection via a User ID.  Use Perl's (core) module Encode.pm instead
+    of shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 May 2019 12:21:59 +0200
+
 signing-party (2.9-1) unstable; urgency=medium
 
   * gpglist:
diff -Nru signing-party-2.9/gpg-key2ps/gpg-key2ps signing-party-2.10/gpg-key2ps/gpg-key2ps
--- signing-party-2.9/gpg-key2ps/gpg-key2ps	2019-03-01 15:40:38.000000000 +0100
+++ signing-party-2.10/gpg-key2ps/gpg-key2ps	2019-05-01 12:22:19.000000000 +0200
@@ -9,6 +9,7 @@
 #
 
 use strict;
+use Encode ();
 use Getopt::Long;
 
 my $version = '@@VERSION@@';
@@ -267,7 +268,7 @@
 	}
 	# user ids
 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
+	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
 	# revoked user id
 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {
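Review bot: the replacement line changes how unconvertible input is handled compared with the removed `iconv -c` call. `Encode::decode_utf8($_)` with no CHECK argument replaces malformed UTF-8 with U+FFFD, and `Encode::encode("latin1", ...)` with no CHECK argument substitutes `?` for characters outside Latin-1, whereas `iconv -c` silently omitted such characters, so a UID containing e.g. non-Latin-1 symbols now renders with `?` in the PostScript output. If the previous output is wanted, pass a check argument, e.g. `Encode::encode("latin1", Encode::decode_utf8($_), sub { '' })`; otherwise the behaviour change deserves a mention in the changelog entry. The security fix itself is sound: the User ID is no longer interpolated into a shell command line.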
