Bug#928292: stretch-pu: package signing-party/2.5-1

[Guilhem Moulin <guilhem@debian.org>]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1).

    Unsafe shell call enabling shell injection via a User ID.

See also #928256.  However the Security Team didn't issue a DSA [0], and
suggested to instead fix that via stretch-pu.  I enclosed a debdiff
against signing-party_2.5-1.dsc.

In the fix I replaced the of use of iconv(1) with Perl's module
‘Encode.pm’ instead; it's a core module so the package doesn't need any
new dependency.

Cheers,
-- 
Guilhem.

[0] https://security-tracker.debian.org/tracker/CVE-2019-11627

diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog
--- signing-party-2.5/debian/changelog	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/changelog	2019-05-01 12:55:42.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.5-1+deb9u1) stretch; urgency=medium
+
+  * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell
+    injection via a User ID.  Use Perl's (core) module Encode.pm instead of
+    shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 May 2019 12:55:42 +0200
+
 signing-party (2.5-1) unstable; urgency=low
 
   * caff:
diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control
--- signing-party-2.5/debian/control	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/control	2019-05-01 12:55:42.000000000 +0200
@@ -1,7 +1,7 @@
 Source: signing-party
 Section: misc
 Priority: extra
-Maintainer: Guilhem Moulin <guilhem@guilhem.org>
+Maintainer: Guilhem Moulin <guilhem@debian.org>
 Uploaders: Simon Richter <sjr@debian.org>
 Build-Depends: debhelper (>= 9), python, dh-python,
  autoconf, automake, autotools-dev,
diff -Nru signing-party-2.5/debian/patches/CVE-2018-15599.diff signing-party-2.5/debian/patches/CVE-2018-15599.diff
--- signing-party-2.5/debian/patches/CVE-2018-15599.diff	1970-01-01 01:00:00.000000000 +0100
+++ signing-party-2.5/debian/patches/CVE-2018-15599.diff	2019-05-01 12:55:42.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $
+ 
+ use strict;
++use Encode ();
+ use Getopt::Long;
+ 
+ my $version = '$Rev: 882 $';
+@@ -269,7 +270,7 @@ while(<GPG>) {
+ 	}
+ 	# user ids
+ 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
+ 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
+ 	# revoked user id
+ 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {
diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series
--- signing-party-2.5/debian/patches/series	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/patches/series	2019-05-01 12:55:42.000000000 +0200
@@ -1 +1,2 @@
 gpgwrap_makefile.diff
+CVE-2018-15599.diff

Attachment: signature.asc
Description: PGP signature