
Bug#928292: marked as done (stretch-pu: package signing-party/2.5-1)



Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928292,
regarding stretch-pu: package signing-party/2.5-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928292
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1).

    Unsafe shell call enabling shell injection via a User ID.

See also #928256.  However the Security Team didn't issue a DSA [0], and
suggested to instead fix that via stretch-pu.  I enclosed a debdiff
against signing-party_2.5-1.dsc.

In the fix I replaced the use of iconv(1) with Perl's module
‘Encode.pm’ instead; it's a core module so the package doesn't need any
new dependency.

Cheers,
-- 
Guilhem.

[0] https://security-tracker.debian.org/tracker/CVE-2019-11627
diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog
--- signing-party-2.5/debian/changelog	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/changelog	2019-05-01 12:55:42.000000000 +0200
@@ -1,3 +1,11 @@
+signing-party (2.5-1+deb9u1) stretch; urgency=medium
+
+  * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell
+    injection via a User ID.  Use Perl's (core) module Encode.pm instead of
+    shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Wed, 01 May 2019 12:55:42 +0200
+
 signing-party (2.5-1) unstable; urgency=low
 
   * caff:
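Review bot: the changelog entry names CVE-2018-15599 (`+  * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell`), while the cover letter above and the security-tracker link [0] refer to CVE-2019-11627; the new patch file `CVE-2018-15599.diff` and the series entry carry the same 2018 identifier. Please confirm which identifier is right and make the changelog, patch file name and series line agree before upload, since the identifier in the stable changelog is what the point-release announcement and anyone tracking the fix will search for.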
diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control
--- signing-party-2.5/debian/control	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/control	2019-05-01 12:55:42.000000000 +0200
@@ -1,7 +1,7 @@
 Source: signing-party
 Section: misc
 Priority: extra
-Maintainer: Guilhem Moulin <guilhem@guilhem.org>
+Maintainer: Guilhem Moulin <guilhem@debian.org>
 Uploaders: Simon Richter <sjr@debian.org>
 Build-Depends: debhelper (>= 9), python, dh-python,
  autoconf, automake, autotools-dev,
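Review bot: the Maintainer e-mail change (`-Maintainer: Guilhem Moulin <guilhem@guilhem.org>` to `+Maintainer: Guilhem Moulin <guilhem@debian.org>`) is unrelated to the security fix and is not mentioned in the 2.5-1+deb9u1 changelog entry. For a stable update either add a changelog line for it or drop this hunk so the debdiff stays limited to the CVE fix.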
diff -Nru signing-party-2.5/debian/patches/CVE-2018-15599.diff signing-party-2.5/debian/patches/CVE-2018-15599.diff
--- signing-party-2.5/debian/patches/CVE-2018-15599.diff	1970-01-01 01:00:00.000000000 +0100
+++ signing-party-2.5/debian/patches/CVE-2018-15599.diff	2019-05-01 12:55:42.000000000 +0200
@@ -0,0 +1,27 @@
+From: Guilhem Moulin <guilhem@debian.org>
+Date: Tue, 30 Apr 2019 19:49:45 +0200
+Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+
+---
+ gpg-key2ps/gpg-key2ps |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/gpg-key2ps/gpg-key2ps
++++ b/gpg-key2ps/gpg-key2ps
+@@ -10,6 +10,7 @@
+ # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $
+ 
+ use strict;
++use Encode ();
+ use Getopt::Long;
+ 
+ my $version = '$Rev: 882 $';
+@@ -269,7 +270,7 @@ while(<GPG>) {
+ 	}
+ 	# user ids
+ 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
+-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
++	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
+ 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
+ 	# revoked user id
+ 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {
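Review bot: the replacement `$_ = Encode::encode("latin1", Encode::decode_utf8($_));` removes the shell round trip, which is the point, but it is not output-equivalent to `echo "$_" | iconv -c -f utf-8 -t latin1`. `iconv -c` silently omits characters that Latin-1 cannot represent, whereas `Encode::encode` with the default CHECK substitutes the encoding's fallback character (`?`) for them, and `decode_utf8` with the default CHECK turns malformed UTF-8 bytes into U+FFFD, which then also becomes `?`. If the omit-on-failure behaviour matters for the PostScript labels, pass a CHECK argument that returns the empty string (a CODE reference is called with the ord of each unencodable character and its return value is spliced into the output). Also worth verifying: the backtick form returned the string with echo's trailing newline appended, while the in-process call leaves `$_` unchanged in length, so confirm the following `s/^uid:...` substitutions and the emitted lines are unaffected.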
diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series
--- signing-party-2.5/debian/patches/series	2016-10-06 14:59:44.000000000 +0200
+++ signing-party-2.5/debian/patches/series	2019-05-01 12:55:42.000000000 +0200
@@ -1 +1,2 @@
 gpgwrap_makefile.diff
+CVE-2018-15599.diff

Attachment: signature.asc
Description: PGP signature


--- End Message ---
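The iconv-to-Encode replacement discussed in the request above, written out as a small stand-alone Perl example. This is added illustration, not signing-party's own gpg-key2ps code; the function name `uid_to_latin1` and the sample User ID are constructed here. It shows the in-process transcoding that never hands the UID to a shell, and it also reproduces the `iconv -c` drop-on-failure behaviour via a CODE-reference CHECK, which the plain default call in the debdiff does not (the default substitutes `?`).

```perl
#!/usr/bin/perl
# Added example (not signing-party project code): transcode a UTF-8 User ID
# to Latin-1 entirely in-process with the core Encode module, so the UID is
# treated as data and is never interpolated into a shell command line.
use strict;
use warnings;
use Encode ();

# uid_to_latin1 (hypothetical name): UTF-8 bytes in, Latin-1 bytes out.
# The CODE-reference CHECK mimics `iconv -c`: Encode calls it with the ord of
# each character Latin-1 cannot represent and splices the returned string into
# the output, so returning '' omits the character instead of emitting '?'.
sub uid_to_latin1 {
    my ($raw_uid) = @_;                        # bytes as gpg --with-colons emits them
    my $text = Encode::decode_utf8($raw_uid);  # malformed bytes become U+FFFD
    return Encode::encode('latin1', $text, sub { '' });
}

# Same conversion with Encode's default CHECK, as in the debdiff line
# `Encode::encode("latin1", Encode::decode_utf8($_))`: unencodable characters
# are replaced by the substitution character '?'.
sub uid_to_latin1_default {
    my ($raw_uid) = @_;
    return Encode::encode('latin1', Encode::decode_utf8($raw_uid));
}

# Constructed sample UID: ASCII, a Latin-1 character (e-acute, C3 A9), a
# character outside Latin-1 (euro sign, E2 82 AC), and shell metacharacters
# that the old `echo "$_" | iconv ...` pipeline would have handed to sh.
my $uid = "Ren\xc3\xa9 \xe2\x82\xac \"quoted\" \$HOME";

my $dropped     = uid_to_latin1($uid);          # euro sign omitted, like iconv -c
my $substituted = uid_to_latin1_default($uid);  # euro sign becomes '?'

# Both results keep the quotes and the dollar sign as literal bytes; nothing
# was evaluated by a shell. Print as hex so the byte-level result is visible.
printf "drop      : %s\n", join ' ', map { sprintf '%02x', ord } split //, $dropped;
printf "substitute: %s\n", join ' ', map { sprintf '%02x', ord } split //, $substituted;
```

Run it with `perl example.pl`; the dropped form contains `52 65 6e e9` followed by two spaces where the euro sign was removed, and the default form shows `3f` in its place. Neither string differs from its input in the `"` and `$` bytes, which is the property the CVE fix relies on.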
--- Begin Message ---
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---
