Your message dated Fri, 24 Sep 2021 15:03:45 +0000
with message-id <[email protected]>
and subject line Bug#985593: fixed in congruity 20-2
has caused the Debian Bug report #985593,
regarding congruity has mailcap entries with quoted %-escapes
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
985593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: congruity
Version: 20-1
Tags: patch, security
Dear Maintainer,
the congruity package has mailcap entries with quoted %-escapes. That is
considered unsafe. Proper escaping should be left to the programs using the
entry.
This Lintian tag is triggered:
https://lintian.debian.org/tags/quoted-placeholder-in-mailcap-entry.html
See also grave bug #930908, which was recently closed because "a Lintian test
already exists":
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930908
I'm using the "security" tag because the affected rules in combination with
certain mail user agents (or document openers) are the cause of a shell command
injection vulnerability.
If you need more information let me know.
Thanks,
MNZ
diff --git a/debian/mime b/debian/mime
index 010b67c..b0e7720 100644
--- a/debian/mime
+++ b/debian/mime
@@ -1,3 +1,3 @@
-application/x-easyzapper-hex; congruity '%s'
-application/x-easyzapper-upgrade;; congruity '%s'
-application/x-easyzapper-tutor; congruity '%s'
+application/x-easyzapper-hex; congruity %s
+application/x-easyzapper-upgrade; congruity %s
+application/x-easyzapper-tutor; congruity %s
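Review bot: the second entry changes more than its quoting. The removed line has a doubled separator (`application/x-easyzapper-upgrade;; congruity '%s'`) and the added line has a single `;`, so that entry's field layout changes as well. Please say so in the patch description, so the separator fix is not read as an accident of the quoting change.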
--- End Message ---
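The quoting problem described in the report, as an added example (not part of the original message and not Lintian's own code): a small Python lint that flags `%s` inside shell quotes in a mailcap entry, and shows how a consumer's own escaping combines with each form of the rule. The helper names and the sample file name are assumptions made for illustration.

```python
import shlex

def split_fields(entry):
    """Split a mailcap line on unescaped ';' (backslash escapes the next char)."""
    fields, cur, i = [], "", 0
    while i < len(entry):
        if entry[i] == "\\" and i + 1 < len(entry):
            cur += entry[i:i + 2]
            i += 2
            continue
        if entry[i] == ";":
            fields.append(cur.strip())
            cur = ""
        else:
            cur += entry[i]
        i += 1
    return fields + [cur.strip()]

def quoted_placeholders(command):
    """Offsets of %s placeholders that sit inside '...' or "..."."""
    hits, quote, i = [], None, 0
    while i < len(command):
        ch = command[i]
        if ch == "\\" and quote != "'" and i + 1 < len(command):
            i += 2  # escaped character: neither a quote nor a placeholder
            continue
        if ch in "'\"":
            quote = ch if quote is None else (None if quote == ch else quote)
        elif quote and command.startswith("%s", i):
            hits.append(i)
        i += 1
    return hits

def check_entry(entry):
    """Lint one mailcap line: (field, offset) for every quoted %s after the type."""
    return [(f, off) for f in split_fields(entry)[1:] for off in quoted_placeholders(f)]

def expand(command, filename):
    """A careful consumer: shell-quote the file name, then substitute it."""
    return command.replace("%s", shlex.quote(filename))

# Entries taken from the diff above; the file name is constructed.
OLD = "application/x-easyzapper-hex; congruity '%s'"
NEW = "application/x-easyzapper-hex; congruity %s"
NAME = "my remote.hex"

if __name__ == "__main__":
    for entry in (OLD, NEW):
        command = split_fields(entry)[1]
        # shlex.split tokenises the way a POSIX shell would, without running anything.
        print(check_entry(entry), shlex.split(expand(command, NAME)))
```

With the quoted rule, the consumer's quotes and the rule's quotes cancel and the file name reaches the shell as two words; with the unquoted rule it stays a single argument.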
--- Begin Message ---
Source: congruity
Source-Version: 20-2
Done: Scott Talbert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
congruity, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Talbert <[email protected]> (supplier of updated congruity package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 24 Sep 2021 10:44:50 -0400
Source: congruity
Architecture: source
Version: 20-2
Distribution: unstable
Urgency: medium
Maintainer: Mathieu Trudel-Lapierre <[email protected]>
Changed-By: Scott Talbert <[email protected]>
Closes: 985593
Changes:
congruity (20-2) unstable; urgency=medium
.
[ Debian Janitor ]
* Bump debhelper from old 9 to 12.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Archive, Repository.
.
[ Scott Talbert ]
* Remove quoting in mailcap entries (Closes: #985593)
* Update Standards-Version to 4.6.0 (no changes needed)
* Update debhelper-compat from 12 to 13
* Rules-Requires-Root: no
* Update d/watch version to 4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---