Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928292,
regarding stretch-pu: package signing-party/2.5-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
928292: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928292
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package signing-party/2.5-1
- From: Guilhem Moulin <guilhem@debian.org>
- Date: Wed, 1 May 2019 13:27:26 +0200
- Message-id: <20190501112726.GA3737@debian.org>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

CVE-2019-11627 was recently published for signing-party's gpg-key2ps(1). Unsafe shell call enabling shell injection via a User ID. See also #928256. However the Security Team didn't issue a DSA [0], and suggested to instead fix that via stretch-pu.

I enclosed a debdiff against signing-party_2.5-1.dsc. In the fix I replaced the use of iconv(1) with Perl's module ‘Encode.pm’ instead; it's a core module so the package doesn't need any new dependency.

Cheers,
--
Guilhem.

[0] https://security-tracker.debian.org/tracker/CVE-2019-11627

diff -Nru signing-party-2.5/debian/changelog signing-party-2.5/debian/changelog --- signing-party-2.5/debian/changelog 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/changelog 2019-05-01 12:55:42.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (2.5-1+deb9u1) stretch; urgency=medium + + * Backport security fix for CVE-2018-15599: unsafe shell call enabling shell + injection via a User ID. Use Perl's (core) module Encode.pm instead of + shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guilhem@debian.org> Wed, 01 May 2019 12:55:42 +0200 + signing-party (2.5-1) unstable; urgency=low * caff: diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control --- signing-party-2.5/debian/control 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/control 2019-05-01 12:55:42.000000000 +0200 
@@ -1,7 +1,7 @@ Source: signing-party Section: misc Priority: extra -Maintainer: Guilhem Moulin <guilhem@guilhem.org> +Maintainer: Guilhem Moulin <guilhem@debian.org> Uploaders: Simon Richter <sjr@debian.org> Build-Depends: debhelper (>= 9), python, dh-python, autoconf, automake, autotools-dev, diff -Nru signing-party-2.5/debian/patches/CVE-2018-15599.diff signing-party-2.5/debian/patches/CVE-2018-15599.diff --- signing-party-2.5/debian/patches/CVE-2018-15599.diff 1970-01-01 01:00:00.000000000 +0100 +++ signing-party-2.5/debian/patches/CVE-2018-15599.diff 2019-05-01 12:55:42.000000000 +0200 @@ -0,0 +1,27 @@ +From: Guilhem Moulin <guilhem@debian.org> +Date: Tue, 30 Apr 2019 19:49:45 +0200 +Subject: gpg-key2ps: Fix shell injection vulnerability in UIDs rendering. + +--- + gpg-key2ps/gpg-key2ps | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/gpg-key2ps/gpg-key2ps ++++ b/gpg-key2ps/gpg-key2ps +@@ -10,6 +10,7 @@ + # $Id: gpg-key2ps 882 2016-10-06 13:04:49Z guilhem-guest $ + + use strict; ++use Encode (); + use Getopt::Long; + + my $version = '$Rev: 882 $'; +@@ -269,7 +270,7 @@ while(<GPG>) { + } + # user ids + s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; +- $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; ++ $_ = Encode::encode("latin1", Encode::decode_utf8($_)); + s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; + # revoked user id + if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) { diff -Nru signing-party-2.5/debian/patches/series signing-party-2.5/debian/patches/series --- signing-party-2.5/debian/patches/series 2016-10-06 14:59:44.000000000 +0200 +++ signing-party-2.5/debian/patches/series 2019-05-01 12:55:42.000000000 +0200 @@ -1 +1,2 @@ gpgwrap_makefile.diff +CVE-2018-15599.diffAttachment: signature.asc
Description: PGP signature
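Review bot: the new changelog entry and the patch file name cite CVE-2018-15599, while the request text and the security-tracker link it gives name CVE-2019-11627 for the same gpg-key2ps issue; reconcile the identifier in `debian/changelog` and in the `debian/patches/CVE-2018-15599.diff` file name before upload so the stable changelog points at the right advisory. The `(Closes: #928256.)` reference does match the bug cited in the text.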
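Review bot: the Maintainer address change in the `debian/control` hunk is unrelated to the security fix and is not mentioned in the changelog entry; for a stretch-pu upload either drop it so the diff is limited to the CVE fix, or add a changelog line documenting it.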
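Review bot: in the gpg-key2ps hunk, `$_ = Encode::encode("latin1", Encode::decode_utf8($_));` removes the `echo "$_" | iconv` shell pipeline, so the UID is no longer interpreted by /bin/sh, but its handling of unconvertible input differs from `iconv -c`: with the default CHECK, code points outside Latin-1 are replaced by '?' rather than omitted, and malformed UTF-8 bytes become U+FFFD in decode_utf8 (and then '?') instead of being discarded. If the previous drop-silently behaviour matters for the PostScript output, pass a CHECK coderef such as `sub { '' }` as the third argument to `Encode::encode`; either way, the patch description should state which behaviour was chosen.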
--- End Message ---
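As an added example (not code from signing-party or from Guilhem's debdiff), the same conversion step the patch performs, written as a stand-alone Perl script: it undoes gpg's `\xNN` escaping as gpg-key2ps does, converts to Latin-1 with the core Encode module instead of a shell pipeline, and passes a CHECK coderef so that unmappable characters are dropped the way `iconv -c` dropped them. The UID strings, the function names `gpg_unescape` and `uid_to_latin1`, and the e-mail addresses are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from signing-party: the UID conversion gpg-key2ps
# needs, done in-process with the core Encode module so no shell is involved.
use strict;
use warnings;
use Encode ();

# gpg --with-colons escapes ':' and non-printable bytes as \xNN; undo that
# first, exactly as gpg-key2ps does, so that the raw bytes can be decoded.
sub gpg_unescape {
    my ($field) = @_;
    $field =~ s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
    return $field;
}

# Convert a UTF-8 byte string to Latin-1.  Code points with no Latin-1
# mapping are omitted, which is what `iconv -c` did; the default CHECK of
# Encode::encode would substitute '?' instead.  Malformed UTF-8 becomes
# U+FFFD in decode_utf8 and is therefore omitted as well.
sub uid_to_latin1 {
    my ($bytes) = @_;
    my $text = Encode::decode_utf8($bytes);
    # CHECK coderef: called with the ordinal of each unmappable character;
    # whatever it returns is inserted in place of that character.
    return Encode::encode('latin1', $text, sub { '' });
}

# Constructed sample UID fields, as they would appear in a "uid:" record.
# None of them is ever handed to /bin/sh, so the metacharacters in the
# second one are just bytes in a string.
my @samples = (
    "Ren\xc3\xa9 Dupont <rene\@example.org>",               # e-acute maps to 0xE9
    "Eve \$(id); echo \\x3ahi\\x3a <eve\@example.org>",     # shell metacharacters
    "\xe4\xbd\xa0\xe5\xa5\xbd Zhang <zhang\@example.org>",  # CJK, no Latin-1 mapping
    "bad \xff byte <x\@example.org>",                        # malformed UTF-8
);

for my $field (@samples) {
    my $latin1 = uid_to_latin1(gpg_unescape($field));
    print "$latin1\n";
}
```

Running it prints the four UIDs as Latin-1 bytes: the accented name keeps its 0xE9, the `\x3a` escapes in the second sample come back as colons while `$(id)` stays literal text, the CJK characters are omitted, and the stray 0xFF byte disappears. Dropping the CHECK argument gives the substituting behaviour (`?` in place of each omitted character), which is what the one-line fix in the debdiff does.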
--- Begin Message ---
- To: 891581-done@bugs.debian.org, 906258-done@bugs.debian.org, 912367-done@bugs.debian.org, 915935-done@bugs.debian.org, 916650-done@bugs.debian.org, 922385-done@bugs.debian.org, 922930-done@bugs.debian.org, 924278-done@bugs.debian.org, 926481-done@bugs.debian.org, 928213-done@bugs.debian.org, 928271-done@bugs.debian.org, 928276-done@bugs.debian.org, 928292-done@bugs.debian.org, 928553-done@bugs.debian.org, 928556-done@bugs.debian.org, 928718-done@bugs.debian.org, 929246-done@bugs.debian.org, 929255-done@bugs.debian.org, 929257-done@bugs.debian.org, 929611-done@bugs.debian.org, 929613-done@bugs.debian.org, 930112-done@bugs.debian.org, 930123-done@bugs.debian.org, 930420-done@bugs.debian.org, 930438-done@bugs.debian.org, 930630-done@bugs.debian.org, 931350-done@bugs.debian.org, 931386-done@bugs.debian.org, 931610-done@bugs.debian.org, 931723-done@bugs.debian.org, 931968-done@bugs.debian.org, 932175-done@bugs.debian.org, 932665-done@bugs.debian.org, 932944-done@bugs.debian.org, 933176-done@bugs.debian.org, 933218-done@bugs.debian.org, 933651-done@bugs.debian.org, 933653-done@bugs.debian.org, 933793-done@bugs.debian.org, 933828-done@bugs.debian.org, 933970-done@bugs.debian.org, 934342-done@bugs.debian.org, 934356-done@bugs.debian.org, 934508-done@bugs.debian.org, 934518-done@bugs.debian.org, 934688-done@bugs.debian.org, 934741-done@bugs.debian.org, 934775-done@bugs.debian.org, 934952-done@bugs.debian.org, 935158-done@bugs.debian.org, 935254-done@bugs.debian.org, 935366-done@bugs.debian.org, 935367-done@bugs.debian.org, 935368-done@bugs.debian.org, 935369-done@bugs.debian.org, 935445-done@bugs.debian.org, 935460-done@bugs.debian.org, 935473-done@bugs.debian.org, 935481-done@bugs.debian.org, 935581-done@bugs.debian.org, 935599-done@bugs.debian.org, 935708-done@bugs.debian.org, 935947-done@bugs.debian.org, 935976-done@bugs.debian.org, 935999-done@bugs.debian.org, 936051-done@bugs.debian.org, 936062-done@bugs.debian.org, 936067-done@bugs.debian.org, 
938926-done@bugs.debian.org, 938997-done@bugs.debian.org, 939063-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 9.10 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:37:11 +0100
- Message-id: <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's stretch point release (9.10).

Regards,

Adam
--- End Message ---