Your message dated Sat, 20 Mar 2021 21:33:40 +0000
with message-id <[email protected]>
and subject line Bug#985594: fixed in docx2txt 1.4-5
has caused the Debian Bug report #985594,
regarding docx2txt has mailcap entries with quoted %-escapes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
985594: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985594
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: docx2txt
Version: 1.4-4
Tags: patch, security

Dear Maintainer,
the docx2txt package has mailcap entries with quoted %-escapes. That is 
considered unsafe. Proper escaping should be left to the programs using the 
entry.

This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html

See also grave bug #930908, which was recently closed because "a Lintian test 
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908

I'm using the "security" tag because the affected rules in combination with 
certain mail user agents (or document openers) are the cause of a shell command 
injection vulnerability.

If you need more information let me know.

Thanks,
MNZ
diff --git a/debian/docx2txt.mime b/debian/docx2txt.mime
index 1a486de..47a9ea2 100644
--- a/debian/docx2txt.mime
+++ b/debian/docx2txt.mime
@@ -1 +1 @@
-application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt '%s' - ; copiousoutput; description=Office Open XML Document
+application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt %s - ; copiousoutput; description=Office Open XML Document
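Review bot: On the `+` line the bare `%s` is correct, but the patch carries no record of why the quotes were dropped, so a later contributor could re-add them as a "safety" measure; consider including a debian/changelog entry in the patch that names the Lintian tag quoted-placeholder-in-mailcap-entry. The reasoning worth recording is that the mailcap consumer substitutes the file name before the shell parses the command: a consumer that escapes the name itself has that escaping altered inside `'...'`, and one that does not escape gains nothing from the quotes, because a name containing `'` ends the quoted string early.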

--- End Message ---
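The check the report refers to can be approximated with a small scanner that flags mailcap placeholders (`%s`, `%t`, `%{param}`) placed inside shell quotes. This is an added example, not Lintian's code and not part of the original report; the function names, the third sample entry and the simplified parsing (no continuation lines) are assumptions.

```python
import re

PLACEHOLDER = re.compile(r"%(?:[st]|\{[^}]*\})")   # %s, %t, %{param}
COMMAND_FIELDS = {"compose", "composetyped", "edit", "print", "test"}

def split_fields(entry):
    """Split a mailcap entry on ';' (a backslash-escaped \\; does not split)."""
    return [f.strip() for f in re.split(r"(?<!\\);", entry)]

def quoted_placeholders(command):
    """Return the placeholders that sit inside '...' or "..." in a command."""
    found, quote, i = [], None, 0
    while i < len(command):
        c = command[i]
        m = PLACEHOLDER.match(command, i)
        if c == "\\":                      # mailcap escape such as \% or \;
            i += 2
        elif m:
            if quote:
                found.append(m.group())
            i = m.end()
        else:
            if c in "'\"" and quote is None:
                quote = c
            elif c == quote:
                quote = None
            i += 1
    return found

def check_mailcap(text):
    """Return (line_no, mime_type, placeholders) for each unsafe entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = split_fields(line.strip())
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue
        # The view command, plus the named fields that also hold commands.
        cmds = [fields[1]] + [f.split("=", 1)[1] for f in fields[2:]
                if f.split("=", 1)[0].strip() in COMMAND_FIELDS and "=" in f]
        hits = [p for c in cmds for p in quoted_placeholders(c)]
        if hits:
            findings.append((n, fields[0], hits))
    return findings

# Lines 1 and 2 are the old and new entries from the patch; line 3 is constructed.
SAMPLE = r"""
application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt '%s' - ; copiousoutput; description=Office Open XML Document
application/vnd.openxmlformats-officedocument.wordprocessingml.document; docx2txt %s - ; copiousoutput; description=Office Open XML Document
application/x-example; viewer %s; print=lpr -T "%{name}" %s; test=test -n "$DISPLAY"
""".strip()
```

Running `check_mailcap(SAMPLE)` reports the pre-patch entry and the constructed `print=` field, and passes the patched entry.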
--- Begin Message ---
Source: docx2txt
Source-Version: 1.4-5
Done: Barak A. Pearlmutter <[email protected]>

We believe that the bug you reported is fixed in the latest version of
docx2txt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Barak A. Pearlmutter <[email protected]> (supplier of updated docx2txt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Mar 2021 17:13:44 +0000
Source: docx2txt
Architecture: source
Version: 1.4-5
Distribution: unstable
Urgency: medium
Maintainer: Barak A. Pearlmutter <[email protected]>
Changed-By: Barak A. Pearlmutter <[email protected]>
Closes: 985594
Changes:
 docx2txt (1.4-5) unstable; urgency=medium
 .
   * Address security issue: do not quote %s in mailcap entry (closes: #985594)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---