Your message dated Sun, 05 May 2019 13:36:12 +0000
with message-id <E1hNHJM-0006Yb-VJ@respighi.debian.org>
and subject line unblock signing-party
has caused the Debian Bug report #928291,
regarding unblock: signing-party/2.10-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
928291: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928291
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: signing-party/2.10-1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Wed, 1 May 2019 12:46:12 +0200
- Message-id: <20190501104612.GA23900@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi there,

gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599: unsafe shell call enabling shell injection via a User ID. Debdiff between 2.9-1 and 2.10-1 attached. (While the package is not native we're also upstream.) I replaced the use of iconv(1) with Perl's module ‘Encode.pm’ instead; it's a core module so the package doesn't need any new dependency.

unblock signing-party/2.10-1

Thanks for considering its inclusion to Buster!

Cheers,
--
Guilhem.

diff -Nru signing-party-2.9/debian/changelog signing-party-2.10/debian/changelog --- signing-party-2.9/debian/changelog 2019-03-01 15:39:40.000000000 +0100 +++ signing-party-2.10/debian/changelog 2019-05-01 12:21:59.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (2.10-1) unstable; urgency=high + + * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling + shell injection via a User ID. Use Perl's (core) module Encode.pm instead + of shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 12:21:59 +0200 + signing-party (2.9-1) unstable; urgency=medium * gpglist: diff -Nru signing-party-2.9/gpg-key2ps/gpg-key2ps signing-party-2.10/gpg-key2ps/gpg-key2ps --- signing-party-2.9/gpg-key2ps/gpg-key2ps 2019-03-01 15:40:38.000000000 +0100 +++ signing-party-2.10/gpg-key2ps/gpg-key2ps 2019-05-01 12:22:19.000000000 +0200 @@ -9,6 +9,7 @@ # use strict; +use Encode (); use Getopt::Long; my $version = '@@VERSION@@'; @@ -267,7 +268,7 @@ } # user ids s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; - $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; + $_ = Encode::encode("latin1", Encode::decode_utf8($_)); s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; # revoked user id if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) {

Attachment: signature.asc
Description: PGP signature
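Review bot: the replacement line `$_ = Encode::encode("latin1", Encode::decode_utf8($_));` in the gpg-key2ps hunk removes the shell call, but it also changes what happens to characters that have no latin1 mapping: `iconv -c` discarded them, whereas `Encode::encode` with the default CHECK emits the substitution character `?` for each one, so a User ID with, say, a CJK name now renders as a run of `?` in the PostScript instead of being silently shortened. If the old behaviour is wanted, a CHECK coderef does it: `$_ = Encode::encode("latin1", Encode::decode_utf8($_), sub { '' });`; either way the changelog entry could mention the user-visible difference. The ordering relative to the preceding `s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;` is right: gpg's `\xNN` escapes have to be expanded to bytes before `decode_utf8`, since an escaped byte may be part of a multibyte UTF-8 sequence.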
--- End Message ---
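As an added illustration (my own snippet, not code from signing-party or the author), the following Perl does the same in-process UTF-8 to latin1 transcoding of the User ID field as the fixed line, on constructed `gpg --with-colons` records, so the UID never reaches a shell. The second helper, `uid_to_latin1_drop`, is an assumed variant that passes a CHECK coderef to reproduce the drop-unconvertible behaviour of `iconv -c`, which plain `Encode::encode` does not (it substitutes `?`).

```perl
#!/usr/bin/perl
# Added example, not code from signing-party: transcode the User ID field of
# a gpg colon listing from UTF-8 to latin1 in-process, as the fixed line does,
# so the UID never reaches a shell.  The sample records below are constructed.
use strict;
use warnings;
use Encode ();

# Expand gpg's \xNN escapes to bytes first (an escaped byte can be part of a
# multibyte sequence), then decode UTF-8 and encode to latin1.  With the
# default CHECK, characters outside latin1 become '?'.
sub uid_to_latin1 {
    my ($field) = @_;
    $field =~ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
    return Encode::encode('latin1', Encode::decode_utf8($field));
}

# Assumed variant: a CHECK coderef returning '' drops unmappable characters,
# reproducing what `iconv -c` used to do.
sub uid_to_latin1_drop {
    my ($field) = @_;
    $field =~ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
    return Encode::encode('latin1', Encode::decode_utf8($field), sub { '' });
}

# Constructed `gpg --with-colons` uid records; the UID is the 10th field.
# Record 2 carries a euro sign (not in latin1), a gpg-escaped colon (\x3a)
# and shell metacharacters, all of which stay inert text here.
my @records = (
    "uid:u::::1556704000::0123456789ABCDEF0123456789ABCDEF01234567::"
        . "Ren\xc3\xa9 M\xc3\xbcller <rene\@example.org>::::::::::0:",
    "uid:u::::1556704000::0123456789ABCDEF0123456789ABCDEF01234567::"
        . "Ops\\x3a \xe2\x82\xac \$(hostname) `hostname` <ops\@example.org>::::::::::0:",
);

for my $rec (@records) {
    my $uid = (split /:/, $rec)[9];
    printf "subst: %s\n", uid_to_latin1($uid);      # euro sign -> '?'
    printf "drop:  %s\n", uid_to_latin1_drop($uid); # euro sign removed
}
```

The output is latin1 bytes, so on a UTF-8 terminal the accented characters will look garbled unless you convert the output back, e.g. with `iconv -f latin1 -t utf-8`.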
--- Begin Message ---
- To: 928291-done@bugs.debian.org
- Subject: unblock signing-party
- From: Ivo De Decker <ivodd@respighi.debian.org>
- Date: Sun, 05 May 2019 13:36:12 +0000
- Message-id: <E1hNHJM-0006Yb-VJ@respighi.debian.org>
Unblocked signing-party.
--- End Message ---