
Bug#1022860: bullseye-pu: package powerline-gitstatus/1.3.2-1+deb11u1



On 2022-10-27 at 00:25, Salvatore Bonaccorso wrote:
On Wed, Oct 26, 2022 at 11:05:05PM -0400, Jérôme Charaoui wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
I would like to upload powerline-gitstatus to stable to fix CVE-2022-42906.
I have consulted with the security team and they suggested we make the fix
available via the next point release.

[ Impact ]
powerline-gitstatus/1.3.1 and earlier versions are susceptible to code
execution via a malicious repository. Note that the malicious repository must
be obtained other than by "git clone".

[ Tests ]
The package has no autopkgtests. It has been tested manually.

[ Risks ]
The changeset between 1.3.1 and 1.3.2 is small. The risk is low that
a new bug or security issue is introduced.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
The fix for CVE-2022-42906 is straightforward: it simply appends the
argument "-C core.fsmonitor=" to the git command. Aside from that, a simple
program option was added (untracked_not_dirty) and the README is updated.

[ Other info ]
As I expect a positive response, I will be uploading the package shortly.


-- Jerome

diff -Nru powerline-gitstatus-1.3.1/debian/changelog powerline-gitstatus-1.3.2/debian/changelog
--- powerline-gitstatus-1.3.1/debian/changelog	2020-07-08 16:17:05.000000000 -0400
+++ powerline-gitstatus-1.3.2/debian/changelog	2022-10-26 22:54:03.000000000 -0400
@@ -1,3 +1,10 @@
+powerline-gitstatus (1.3.2-1+deb11u1) bullseye; urgency=medium
+
+  * New upstream version 1.3.2
+    - Fix command injection via malicious repository config (CVE-2022-42906)
+
+ -- Jérôme Charaoui <jerome@riseup.net>  Wed, 26 Oct 2022 22:54:03 -0400
+
  powerline-gitstatus (1.3.1-2) unstable; urgency=medium
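Review bot: the version in the new changelog entry, 1.3.2-1+deb11u1, sorts above the 1.3.2-1 that reached unstable, so bullseye would carry a higher version than the next suite; since this imports the new upstream release on top of the existing bullseye packaging, the entry should read 1.3.2-0+deb11u1 (1.3.2-1~deb11u1 is the form for a plain rebuild of the unstable package). Separately, the [Changes] section says 1.3.2 also adds the untracked_not_dirty option and updates the README, but the changelog only lists the CVE-2022-42906 fix; listing those too keeps the "all changes are documented in the d/changelog" checklist item accurate.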

The former proposed update was to just cherry-pick the needed change,
so the version number would be 1.3.1-2+deb11u1. But if you propose to import
1.3.2 instead, then you need to pick 1.3.2-1~deb11u1 or
1.3.2-0+deb11u1 here, to have it sorting before the version which hit
the archive as 1.3.2-1.

In fact, if you just import a new upstream version on top of the
current packaging then I would go for 1.3.2-0+deb11u1. If it is OTOH
merely a rebuild of the upper-suite version then 1.3.2-1~deb11u1.

In your case I think both of them are perfectly reasonable.

Thanks for the review. I've opted to import the new upstream version on top of the bullseye packaging, so I have uploaded version 1.3.2-0+deb11u1.

-- Jerome
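The [ Changes ] section above describes the 1.3.2 fix as passing a `core.fsmonitor=` override on the git command line, so that a hook command set in an untrusted repository's own config is never executed. The following is an added example, not code from powerline-gitstatus, from Debian or from this thread: it builds a git status invocation with that override (spelled `-c core.fsmonitor=` here, git's config-override option, which must precede the subcommand) and adds a small defensive check that parses a `.git/config` text and reports whether `core.fsmonitor` points at a hook command rather than a boolean. The helper names `build_git_status_cmd`, `run_git_status`, `parse_git_config` and `fsmonitor_hook_command` are assumed for this example, and both sample config texts are constructed.

```python
"""Added example (not powerline-gitstatus' own code, not from this thread):
build a git status invocation that neutralises a repository-supplied
core.fsmonitor hook, plus a defensive check for such a setting in .git/config."""
import subprocess
from typing import Dict, List, Optional

# Values git reads as booleans: "true" selects the built-in fsmonitor daemon,
# "" (what "-c core.fsmonitor=" sets) disables the feature. Anything else is
# treated by git as a hook command to execute, which is the risk here.
_BOOL_VALUES = {"", "true", "false", "yes", "no", "on", "off", "1", "0"}


def build_git_status_cmd(repo_path: str) -> List[str]:
    """Hypothetical helper: the argv a prompt plugin would run.

    Global options go before the subcommand. "-c core.fsmonitor=" overrides
    the repository's own config for this one command, so a hook command
    planted in the repository's .git/config is never invoked.
    """
    return ["git", "-C", repo_path, "-c", "core.fsmonitor=", "status", "--porcelain"]


def run_git_status(repo_path: str) -> str:
    """Run the hardened command; needs a git binary and a real repository."""
    proc = subprocess.run(build_git_status_cmd(repo_path),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_git_config(text: str) -> Dict[str, str]:
    """Minimal parser for git's INI-like config, returning {"section.key": value}.

    Covers section headers including [remote "origin"] subsections, key = value
    lines, bare keys (git reads them as true) and # or ; comment lines. Section
    and key names are case-insensitive in git, so they are lowercased.
    """
    settings: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name, _, sub = line[1:-1].strip().partition(" ")
            section = name.lower()
            if sub:
                section += "." + sub.strip().strip('"')
            continue
        key, sep, value = line.partition("=")
        settings[f"{section}.{key.strip().lower()}"] = value.strip() if sep else "true"
    return settings


def fsmonitor_hook_command(config_text: str) -> Optional[str]:
    """Return the hook command core.fsmonitor points at, or None when the
    setting is absent or boolean (disabled, or the built-in daemon)."""
    value = parse_git_config(config_text).get("core.fsmonitor", "")
    if value.lower() in _BOOL_VALUES:
        return None
    return value


# Constructed sample configs for demonstration (not from any real repository).
SAFE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://example.invalid/repo.git
"""

HOOKED_CONFIG = """# constructed: the kind of config an untrusted repository could ship
[core]
\trepositoryformatversion = 0
\tfsmonitor = /tmp/constructed-untrusted-hook
"""

if __name__ == "__main__":
    print(" ".join(build_git_status_cmd("/path/to/repo")))
    for label, text in (("safe", SAFE_CONFIG), ("hooked", HOOKED_CONFIG)):
        hook = fsmonitor_hook_command(text)
        print(f"{label}: {'no hook configured' if hook is None else 'hook command: ' + hook}")
```

The parser is deliberately tiny and is meant for triage (for instance, scanning repositories obtained as archives before a prompt or editor plugin runs git inside them); the command-line override remains the actual mitigation, because it works regardless of what the config contains.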

