Your message dated Sat, 20 Oct 2018 15:38:10 +0000
with message-id <[email protected]>
and subject line Bug#905308: fixed in debian-el 37.8
has caused the Debian Bug report #905308,
regarding elpa-debian-el: deb-view.el shell of bad filename
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
905308: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905308
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: elpa-debian-el
Version: 37.5
File: /usr/share/emacs/site-lisp/elpa-src/debian-el-37/deb-view.el

In deb-view-process, the filename is not quoted when passed to the
shell in a few places, so it executes shell code on visiting a bad
filename.

    cd /tmp
    touch ';echo hello >xyz;.deb'
    emacs -q
    M-: (add-to-list 'auto-mode-alist '("\.deb\\'" . deb-view-mode))
    C-x C-f ;echo hello >xyz;.deb
    => creates file /tmp/xyz

A bad filename should be unlikely, but in the interests of avoiding
accidents or malice it'd be good to be safe.

It looks like all remaining "(call-process shell-file-name ...)" can
be call-process alone, no shell.

-- System Information:
Debian Release: buster/sid
Architecture: i386 (i686)

Kernel: Linux 4.4.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_AU.iso88591, LC_CTYPE=en_AU.iso88591 (charmap=ISO-8859-1), LANGUAGE=en_AU:en_GB:en (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages elpa-debian-el depends on:
ii  bzip2           1.0.6-8.1
ii  dpkg            1.19.0.5+b1
ii  emacsen-common  2.0.8
ii  reportbug       7.5.0
ii  xz-utils        5.2.2-1.3
--- End Message ---
--- Begin Message ---
Source: debian-el
Source-Version: 37.8

We believe that the bug you reported is fixed in the latest version of
debian-el, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Bremner <[email protected]> (supplier of updated debian-el package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Sat, 20 Oct 2018 12:13:04 -0300
Source: debian-el
Binary: elpa-debian-el debian-el
Architecture: source
Version: 37.8
Distribution: unstable
Urgency: medium
Maintainer: Debian Emacsen team <[email protected]>
Changed-By: David Bremner <[email protected]>
Description:
 debian-el  - Transition package, debian-el to elpa-debian-el
 elpa-debian-el - Emacs helpers specific to Debian users
Closes: 623684 905308
Changes:
 debian-el (37.8) unstable; urgency=medium
 .
   * Do not use shell in call-process (Closes: #905308).
   * Use view mode for files from INFO buffer (Closes: #623684).
--- End Message ---
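
Added example (not part of the bug report and not code from deb-view.el): the three ways of handing a filename to call-process that the thread contrasts, run against a constructed filename that only echoes a marker. The demo-* names are hypothetical, printf stands in for the external commands deb-view runs, and a POSIX /bin/sh is assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration, not code from deb-view.el; all demo-* names are hypothetical.
;; printf stands in for the real external commands so the demo has no side effects.

(defconst demo-bad-name ";echo INJECTED;.deb"
  "Constructed filename, modelled on the report's, that only echoes a marker.")

(defun demo-via-shell (file)
  "Pattern from the report: FILE is spliced unquoted into a shell command line."
  (with-temp-buffer
    (call-process shell-file-name nil t nil shell-command-switch
                  (concat "printf '[%s]\\n' " file))
    (buffer-string)))

(defun demo-via-shell-quoted (file)
  "Fallback when a shell is really needed (pipes, redirects): quote FILE."
  (with-temp-buffer
    (call-process shell-file-name nil t nil shell-command-switch
                  (concat "printf '[%s]\\n' " (shell-quote-argument file)))
    (buffer-string)))

(defun demo-direct (file)
  "Pattern named in the 37.8 changelog: no shell, FILE is a single argv entry."
  (with-temp-buffer
    (call-process "printf" nil t nil "[%s]\\n" file)
    (buffer-string)))

(defun demo-injected-p (output)
  "Non-nil if the marker sits on a line of its own, i.e. a shell ran the echo."
  (and (string-match-p "^INJECTED$" output) t))

(defun demo-report ()
  "Return an alist of (PATTERN . INJECTED-P) for the constructed filename."
  (list (cons 'shell        (demo-injected-p (demo-via-shell demo-bad-name)))
        (cons 'shell-quoted (demo-injected-p (demo-via-shell-quoted demo-bad-name)))
        (cons 'direct       (demo-injected-p (demo-direct demo-bad-name)))))

;; Run with: emacs --batch -l demo.el --eval '(print (demo-report))'
```

Dropping the shell removes shell parsing only: a filename that begins with "-" can still be read as an option by the called program, so passing (expand-file-name file) is a sensible companion to the direct form.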

