Your message dated Sun, 25 Feb 2024 10:04:49 +0000
with message-id <e1rebnj-007pj0...@fasolo.debian.org>
and subject line Bug#1053373: fixed in winff 1.6.3+dfsg-1
has caused the Debian Bug report #1053373,
regarding winff: shell injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053373
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: winff
Version: 1.5.5-9
Tags: security

WinFF doesn't correctly escape filenames that it passes to the shell. If the user is tricked into converting files with malicious names, this could result in execution of arbitrary code.

To reproduce, try converting the file created by this command:

  touch '$(cowsay pwned >&2; sleep inf).mp3'

--
Jakub Wilk

--- End Message ---
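
The failure mode reported above, as an added example that is not WinFF's code and not part of the original message: a file name pasted into a double-quoted shell word is still subject to command substitution, while a single-quoted word with embedded quotes escaped is passed through literally. The helper names (`sh_quote`, `build_unsafe`, `build_safe`, `run_generated`) and the `printf` stand-in for the converter are assumptions; how WinFF itself builds its command line is not shown in this report.

```shell
#!/bin/sh
# Added example: quoting a file name before it is placed in a generated sh command.

# sh_quote NAME: print NAME as one single-quoted shell word.
# Inside single quotes only ' is special; each ' is emitted as '\''.
sh_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) out=$out${s%%\'*}"'\\''"; s=${s#*\'} ;;
            *)    out=$out$s; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Vulnerable pattern: the name sits inside double quotes, where $(...) and
# backticks are still expanded by the shell that runs the command.
build_unsafe() { printf '%s' "printf '%s\n' \"$1\""; }

# Hardened pattern: the name is a single-quoted word built by sh_quote.
build_safe() { printf '%s' "printf '%s\n' $(sh_quote "$1")"; }

# Run a generated command line the way a script runner would.
# The printf in the generated command stands in for the real converter
# and simply echoes back the argument it received.
run_generated() { sh -c "$1"; }

name='$(echo INJECTED).mp3'   # constructed sample name with a harmless payload
printf 'unsafe: %s\n' "$(run_generated "$(build_unsafe "$name")")"
printf 'safe:   %s\n' "$(run_generated "$(build_safe "$name")")"
```

Passing the name as a separate argument vector element, with no shell in between, avoids the quoting problem altogether where the program's design allows it.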
--- Begin Message ---
Source: winff
Source-Version: 1.6.3+dfsg-1
Done: Peter Blackman <pe...@pblackman.plus.com>

We believe that the bug you reported is fixed in the latest version of
winff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Blackman <pe...@pblackman.plus.com> (supplier of updated winff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 19 Feb 2024 13:00:00 +0000
Source: winff
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Pascal Packaging Team <pkg-pascal-de...@lists.alioth.debian.org>
Changed-By: Peter Blackman <pe...@pblackman.plus.com>
Closes: 1053373 1061586
Changes:
 winff (1.6.3+dfsg-1) unstable; urgency=medium
 .
   * New Upstream release (Closes: #1053373) (Closes: #1061586)
   * Drop patch adopted upstream
   * Update copyright date


--- End Message ---
