Package: reportbug
Version: 6.5.0
Severity: normal
Tags: patch

Hi Sandro,

Attached is the debdiff used for 6.5.0+nmu1 uploaded due to DSA-2997-1
/ CVE-2014-0479.

Regards,
Salvatore
diff -Nru reportbug-6.5.0/debian/changelog reportbug-6.5.0+nmu1/debian/changelog
--- reportbug-6.5.0/debian/changelog	2014-01-26 20:42:00.000000000 +0100
+++ reportbug-6.5.0+nmu1/debian/changelog	2014-08-03 16:03:24.000000000 +0200
@@ -1,3 +1,13 @@
+reportbug (6.5.0+nmu1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2014-0479: Arbitrary code execution in compare_versions.
+    A man-in-the-middle attacker could put shell metacharacters in the
+    version number, causing execution of code of their choice.
+    Thanks to Jakub Wilk <jw...@debian.org>
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 03 Aug 2014 16:03:15 +0200
+
 reportbug (6.5.0) unstable; urgency=low
 
   [ Sandro Tosi ]
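Review bot: the entry describes the vulnerability but not the shape of the fix; readers of the changelog would benefit from one line saying that compare_versions no longer shells out to `dpkg --compare-versions` and now uses python-debian's `debian_support.version_compare` instead, since that is the behavioural change an admin or a downstream maintainer would want to know about.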
diff -Nru reportbug-6.5.0/reportbug/checkversions.py reportbug-6.5.0+nmu1/reportbug/checkversions.py
--- reportbug-6.5.0/reportbug/checkversions.py	2014-01-26 20:42:00.000000000 +0100
+++ reportbug-6.5.0+nmu1/reportbug/checkversions.py	2014-08-03 16:02:42.000000000 +0200
@@ -37,6 +37,7 @@
 
 # needed to parse new.822
 from debian.deb822 import Deb822
+from debian import debian_support
 
 RMADISON_URL = 'http://qa.debian.org/madison.php?package=%s&text=on'
 INCOMING_URL = 'http://incoming.debian.org/'
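Review bot: no debian/control change is needed for this new import, since the module already pulls in `from debian.deb822 import Deb822` from the same python-debian package, so the dependency is already declared; worth stating in the upload notes so nobody goes looking for a missing Depends bump.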
@@ -87,13 +88,7 @@
     """Return 1 if upstream is newer than current, -1 if current is
     newer than upstream, and 0 if the same."""
     if not current or not upstream: return 0
-    rc = os.system('dpkg --compare-versions %s lt %s' % (current, upstream))
-    rc2 = os.system('dpkg --compare-versions %s gt %s' % (current, upstream))
-    if not rc:
-        return 1
-    elif not rc2:
-        return -1
-    return 0
+    return debian_support.version_compare(upstream, current)
 
 def later_version(a, b):
     if compare_versions(a, b) > 0:
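Review bot: the replacement removes the shell entirely, which is the right fix, but `debian_support.version_compare` builds `Version` objects and raises `ValueError` on a malformed version string, whereas the removed `os.system` path merely got a non-zero exit and fell through to `return 0`. Since `upstream` comes from a network response (the same untrusted source the CVE is about), a garbage version would now propagate an exception instead of being treated as "same"; consider `try: return debian_support.version_compare(upstream, current) except ValueError: return 0` to keep the documented contract. The argument order is correct: a positive result means upstream is newer, matching the docstring and the `> 0` test in later_version below.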
_______________________________________________
Reportbug-maint mailing list
Reportbug-maint@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reportbug-maint