Your message dated Sun, 26 Nov 2017 21:08:10 +0000
with message-id <[email protected]>
and subject line Bug#882222: fixed in manpages 4.14-1
has caused the Debian Bug report #882222,
regarding Document security problems with system.3 and popen.3 (argument injection)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
882222: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882222
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: manpages-dev
Version: 4.13-3
Severity: grave
Tags: security
X-Debbugs-CC: [email protected]
Justification: more than 20 security bugs filed in other packages
control: clone -1 -2
control: reaffect -2 glibc-doc
Please document the implications of system.3 and popen.3, particularly
argument injection.
Please get inspiration from ENV33-C, "Do not call system()".
Suggest using execvp, and please provide an example of a secure alternative
for both APIs.
Note that escaping arguments is not portable, particularly if an argument
includes control characters for a POSIX shell.
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Use of the system() function can result in exploitable
vulnerabilities, in the worst case allowing execution of arbitrary
system commands. Situations in which calls to system() have high risk
include the following:
- When passing an unsanitized or improperly sanitized command string
  originating from a tainted source
- If a command is specified without a path name and the command
  processor path name resolution mechanism is accessible to an attacker
- If a relative path to an executable is specified and control over the
  current working directory is accessible to an attacker
- If the specified executable program can be spoofed by an attacker
--- End Message ---
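The following is an added example, written for this page and not taken from the bug report, the SEI page or the manpages project. It places the pattern the report warns about (an untrusted file name spliced into a system() command line) beside the alternative it asks for: fork() plus execvp(), where each argument is a separate argv entry that no shell ever parses. The command (ls -l) and the sample file name are constructed for illustration; the "--" separator and the metacharacter check are the added caveats a practitioner would want, the latter because rejecting shell-special input is portable while escaping it is not.

```c
/* Added example (not from the Debian bug or the manpages project):
 * the argument-injection pattern the report describes, beside a
 * fork()/execvp() alternative that never involves a shell. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* UNSAFE: the path is spliced into a shell command line.  /bin/sh parses
 * the whole string, so a path containing ';', '`', '$(' or a newline is
 * read as further shell syntax, not as part of the file name.
 * Kept here only to show the pattern; nothing below calls it. */
int list_path_unsafe(const char *path)
{
    char cmd[4096];
    if (snprintf(cmd, sizeof cmd, "ls -l %s", path) >= (int)sizeof cmd)
        return -1;
    return system(cmd);
}

/* Defensive check for code that cannot avoid a shell: returns 1 if the
 * string contains a character a POSIX shell treats specially or a control
 * character.  Rejecting such input is portable; quoting rules differ
 * between shells, so escaping is not. */
int has_shell_metachar(const char *s)
{
    static const char special[] = "|&;<>()$`\\\"' \t\n*?[#~";
    for (; *s; s++)
        if (strchr(special, *s) || (unsigned char)*s < 0x20)
            return 1;
    return 0;
}

/* SAFE: run argv[0] (looked up via PATH) with the arguments passed as
 * separate strings.  No shell is involved, so the contents of an argument
 * are never interpreted.  Returns the child's exit status, 127 if exec
 * failed, or -1 on fork/wait error or death by signal. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* exec failed: conventional status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

/* Safe counterpart of list_path_unsafe(): "--" stops ls from reading a
 * path that begins with '-' as an option, the one remaining way an
 * untrusted argument could change the command's behaviour. */
int list_path_safe(const char *path)
{
    char *const argv[] = { "ls", "-l", "--", (char *)path, NULL };
    return run_argv(argv);
}

int main(void)
{
    /* Constructed sample input: a file name that also carries shell syntax. */
    const char *tainted = "report.txt; echo injected";
    printf("metacharacters present: %d\n", has_shell_metachar(tainted));
    /* Through execvp it is just one (non-existent) file name for ls. */
    printf("ls exit status: %d\n", list_path_safe(tainted));
    return 0;
}
```

The same run_argv() shape replaces popen(): pipe() before fork(), dup2() the write end onto the child's stdout, and read from the parent's end, with the command still given as an argv array rather than a string.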
--- Begin Message ---
Source: manpages
Source-Version: 4.14-1
We believe that the bug you reported is fixed in the latest version of
manpages, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <[email protected]> (supplier of updated manpages package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 26 Nov 2017 21:23:01 +0100
Source: manpages
Binary: manpages manpages-dev
Architecture: source
Version: 4.14-1
Distribution: unstable
Urgency: medium
Maintainer: Martin Schulze <[email protected]>
Changed-By: Dr. Tobias Quathamer <[email protected]>
Description:
manpages - Manual pages about using a GNU/Linux system
manpages-dev - Manual pages about using GNU/Linux for development
Closes: 882222
Changes:
manpages (4.14-1) unstable; urgency=medium
.
* New upstream version 4.14
- Document security problems with system.3 and popen.3. Closes: #882222
- Refresh patches
* Update d/copyright
* Use HTTPS for upstream homepage
* Update Standards-Version to 4.1.1
- Use HTTPS for d/copyright
Checksums-Sha1:
b596d253a8d7c5a1082342825fe9f5017d51acd8 1949 manpages_4.14-1.dsc
04629827f651ce3e1f301794959f400a6418cc5d 2556222 manpages_4.14.orig.tar.gz
7cc1a114517780ca83527f0cd3192cb7112a65a2 75784 manpages_4.14-1.debian.tar.xz
2255c67533cf9ad38a2d3dde71c8b02ad5008178 5497 manpages_4.14-1_amd64.buildinfo
Checksums-Sha256:
734b246c688df55bbe7f607ba06c9d3f7b26190c6a366237881a1d75a751ab83 1949 manpages_4.14-1.dsc
aeebc6b09a11e7f7bbc98f3984fe8b8b2bde9d2f5f9dcbd4348a9e0d93704238 2556222 manpages_4.14.orig.tar.gz
2699f944246273d1bf0d0b52324cfb29590c4395191ccb9213cd326fe1211eea 75784 manpages_4.14-1.debian.tar.xz
90449fc5e1d646940f9f333202e081f3e6231d9b32cb7e9fee5bf23a17376f08 5497 manpages_4.14-1_amd64.buildinfo
Files:
eadce3cd955ac3947cada5745e39964e 1949 doc standard manpages_4.14-1.dsc
82bd2d05c4d0dba5e7a90d39c9555197 2556222 doc standard manpages_4.14.orig.tar.gz
c16197d60885485fb146546afe0f2cd7 75784 doc standard manpages_4.14-1.debian.tar.xz
f0457cf8e8de71a78e8366708821ff71 5497 doc standard manpages_4.14-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---