Bug#928291: marked as done (unblock: signing-party/2.10-1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 05 May 2019 13:36:12 +0000
with message-id <E1hNHJM-0006Yb-VJ@respighi.debian.org>
and subject line unblock signing-party
has caused the Debian Bug report #928291,
regarding unblock: signing-party/2.10-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928291
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: signing-party/2.10-1
• From: Guilhem Moulin <guilhem@debian.org>
• Date: Wed, 1 May 2019 12:46:12 +0200
• Message-id: <[🔎] 20190501104612.GA23900@debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599:
unsafe shell call enabling shell injection via a User ID.

Debdiff between 2.9-1 and 2.10-1 attached.  (While the package is not
native we're also upstream.)  I replaced the of use of iconv(1) with
Perl's module ‘Encode.pm’ instead; it's a core module so the package
doesn't need any new dependency.

unblock signing-party/2.10-1

Thanks for considering its inclusion to Buster!
Cheers,
-- 
Guilhem.

diff -Nru signing-party-2.9/debian/changelog signing-party-2.10/debian/changelog
--- signing-party-2.9/debian/changelog	2019-03-01 15:39:40.000000000 +0100
+++ signing-party-2.10/debian/changelog	2019-05-01 12:21:59.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.10-1) unstable; urgency=high
+
+  * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
+    shell injection via a User ID.  Use Perl's (core) module Encode.pm instead
+    of shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 May 2019 12:21:59 +0200
+
 signing-party (2.9-1) unstable; urgency=medium
 
   * gpglist:
diff -Nru signing-party-2.9/gpg-key2ps/gpg-key2ps signing-party-2.10/gpg-key2ps/gpg-key2ps
--- signing-party-2.9/gpg-key2ps/gpg-key2ps	2019-03-01 15:40:38.000000000 +0100
+++ signing-party-2.10/gpg-key2ps/gpg-key2ps	2019-05-01 12:22:19.000000000 +0200
@@ -9,6 +9,7 @@
 #
 
 use strict;
+use Encode ();
 use Getopt::Long;
 
 my $version = '@@VERSION@@';
@@ -267,7 +268,7 @@
 	}
 	# user ids
 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
+	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
 	# revoked user id
 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

• To: 928291-done@bugs.debian.org
• Subject: unblock signing-party
• From: Ivo De Decker <ivodd@respighi.debian.org>
• Date: Sun, 05 May 2019 13:36:12 +0000
• Message-id: <E1hNHJM-0006Yb-VJ@respighi.debian.org>

Unblocked signing-party.

--- End Message ---