Your message dated Sat, 01 Aug 2015 03:34:57 +0000
with message-id <[email protected]>
and subject line Bug#794260: fixed in devscripts 2.15.7
has caused the Debian Bug report #794260,
regarding devscripts: licensecheck chokes on files containing space
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
794260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.15.6
Severity: grave
Tags: security patch
Justification: user security hole

On line 324 of licensecheck is executed this shell code:

    file --brief --mime --dereference $file

That will fail if the input file contains space, and may do horrible
things with input files containing semicolon.

Fix is simple: Add quotes around the variable, so line 324 looks like
this:

    my $mime = `file --brief --mime --dereference "$file"`;

 - Jonas
--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.15.7

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Fri, 31 Jul 2015 22:50:33 -0400
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.15.7
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <[email protected]>
Changed-By: James McCoy <[email protected]>
Closes: 794260 794263 794282
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Changes:
 devscripts (2.15.7) unstable; urgency=medium
 .
   * licensecheck:
     + Use Dpkg::IPC to run file to avoid shell injection. (Closes: #794260)
     + Change whitelist of mime types to greylist of encodings. Restores
       ability to check files with mime types like text/x-c++ and
       application/postscript. Thanks to Jonas Smedegaard for the patch.
       (Closes: #794282)
     + Fix an endless loop in parsing certain files. Thanks to Jonas
       Smedegaard for the patch. (Closes: #794263)
Checksums-Sha1:
 e1368f617e07f74cb0bcd41e6202ede27d42d784 2257 devscripts_2.15.7.dsc
 4f01f5b1a9f118aebf66461adf46e0e830731f47 620100 devscripts_2.15.7.tar.xz
Checksums-Sha256:
 daee3c021a6f44fe05e7568196c5eb55d34fbb6238f341a7fcf8443caa126ec5 2257 devscripts_2.15.7.dsc
 7eadef203bc50612af70fb0047b5225a7f2b5fdaacd45c2df09126fcc1aed027 620100 devscripts_2.15.7.tar.xz
Files:
 e5b6f0e0c29dca1b3f37f3713ec7e75a 2257 devel optional devscripts_2.15.7.dsc
 1655e2c91e42cd48393c65726bc3faa9 620100 devel optional devscripts_2.15.7.tar.xz
--- End Message ---
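
The changelog entry for #794260 runs file without a shell, where the report proposed quoting the variable. The sketch below is an added example, not devscripts code: it uses core Perl's list-form pipe open in place of Dpkg::IPC, and the function names, the sample file names and the "--" argument are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not devscripts code. File names below are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);

# The line proposed in the report: the name is pasted into a shell
# command string. Quoting covers spaces and semicolons, but the shell
# still interprets ", $ and ` found inside the name.
sub mime_quoted {
    my ($file) = @_;
    my $mime = `file --brief --mime --dereference "$file"` // '';
    chomp $mime;
    return $mime;
}

# No shell at all: list-form pipe open passes every element to exec
# as one argv entry, so nothing in the name is parsed as syntax.
# "--" stops a name starting with "-" from being read as an option.
sub mime_no_shell {
    my ($file) = @_;
    open(my $fh, '-|', 'file', '--brief', '--mime', '--dereference',
         '--', $file) or die "cannot run file: $!";
    my $mime = do { local $/; <$fh> };
    close($fh);
    $mime = '' unless defined $mime;
    chomp $mime;
    return $mime;
}

# Constructed inputs: a plain name, the space and semicolon cases from
# the report, and a name containing double quotes.
my $dir = tempdir(CLEANUP => 1);
for my $name ('plain.txt', 'with space.txt', 'semi;colon.txt',
              'say "hi".txt') {
    my $path = "$dir/$name";
    open(my $out, '>', $path) or die "$path: $!";
    print {$out} "sample text\n";
    close($out);
    print "$name\n";
    print "  quoted string : ", mime_quoted($path), "\n";
    print "  argument list : ", mime_no_shell($path), "\n";
}
```

For the name containing double quotes, the shell joins the pieces into a different path, so the quoted form inspects a file that does not exist, while the argument-list form receives the name byte for byte.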

