Bug#928292: stretch-pu: package signing-party/2.5-1

[Guilhem Moulin <guilhem@debian.org>]

Hi Salvatore,

On Wed, 01 May 2019 at 13:37:12 +0200, Salvatore Bonaccorso wrote:
> On Wed, May 01, 2019 at 01:27:26PM +0200, Guilhem Moulin wrote:
>> +signing-party (2.5-1+deb9u1) stretch; urgency=medium
>> +
>> +  * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell
>                               ^^^^^^^^^^^^^^ That would be CVE-2019-11627
> 
> (and as well for the patch name itself).

Ooops, I got fooled by my copy-paste fu, and did the same mistake in
2.10-1…  Thanks for spotting!  New debdiff attached.

Cheers,
-- 
Guilhem.

diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog
--- signing-party-2.5/debian/changelog	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/changelog	2019-05-01 12:55:42.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.5-1+deb9u1) stretch; urgency=medium
+
+  * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell
+    injection via a User ID.  Use Perl's (core) module Encode.pm instead of
+    shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 May 2019 12:55:42 +0200
+
 signing-party (2.5-1) unstable; urgency=low
 
   * caff:
diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control
--- signing-party-2.5/debian/control	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/control	2019-05-01 12:55:42.000000000 +0200
@@ -1,7 +1,7 @@
 Source: signing-party
 Section: misc
 Priority: extra
-Maintainer: Guilhem Moulin <guilhem@guilhem.org>
+Maintainer: Guilhem Moulin <guilhem@debian.org>
 Uploaders: Simon Richter <sjr@debian.org>
 Build-Depends: debhelper (>= 9), python, dh-python,
  autoconf, automake, autotools-dev,
diff -Nru signing-party-2.5/debian/patches/CVE-2019-11627.diff signing-party-2.5/debian/patches/CVE-2019-11627.diff
--- signing-party-2.5/debian/patches/CVE-2019-11627.diff	1970-01-01 01:00:00.000000000 +0100
+++ signing-party-2.5/debian/patches/CVE-2019-11627.diff	2019-05-01 12:55:42.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $
+ 
+ use strict;
++use Encode ();
+ use Getopt::Long;
+ 
+ my $version = '$Rev: 882 $';
+@@ -269,7 +270,7 @@ while(<GPG>) {
+ 	}
+ 	# user ids
+ 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
+ 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
+ 	# revoked user id
+ 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {
diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series
--- signing-party-2.5/debian/patches/series	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/patches/series	2019-05-01 12:55:42.000000000 +0200
@@ -1 +1,2 @@
 gpgwrap_makefile.diff
+CVE-2019-11627.diff

Attachment: signature.asc
Description: PGP signature