Your message dated Thu, 10 Nov 2016 22:05:21 +0000
with message-id <e1c4xtf-000b6h...@fasolo.debian.org>
and subject line Bug#827445: fixed in python3-proselint 0.7.0-1
has caused the Debian Bug report #827445,
regarding python3-proselint: Remove `shell=True` as they are a security hazard
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
827445: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-proselint
Version: 0.5.3-2
Severity: serious
Tags: security
Justification: 

This is a migration blocker bug, as this issue is already fixed
in upstream's unreleased master.


As said on Python's subprocess docs,
using shell=True can be a security hazard [1],
as it opens the door to shell code injection.

`shell=True` could for example be removed from:

        out = subprocess.check_output("proselint --version", shell=True)
        subprocess.call("proselint --debug >/dev/null", shell=True)

These other examples are possibly vulnerable to shell code injection:

        out = subprocess.check_output("proselint {}".format(fullpath), shell=True)
        subprocess.call("{} {}".format("open", fullpath), shell=True)
        subprocess.call("proselint {} >/dev/null".format(filepath), shell=True)

These other examples could maybe use Python equivalents instead?

        subprocess.call("find . -name '*.pyc' -delete", shell=True)
        subprocess.call("rm -rfv proselint/cache > /dev/null && mkdir -p {}"
                        .format(os.path.join(os.path.expanduser("~"), ".proselint")),
                        shell=True)


See also upstream's bug tracker [2].

[1]: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
[2]: https://github.com/amperser/proselint/issues/395



-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-proselint depends on:
ii  python3-click   6.6-1
ii  python3-future  0.15.2-2
ii  python3-six     1.10.0-3
pn  python3:any     <none>

python3-proselint recommends no packages.

python3-proselint suggests no packages.

-- no debconf information

--- End Message ---
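The shell-free forms the report asks for, written out as an added example (this is not code from the proselint tree; the `proselint` command and its `--debug` flag are taken as the report quotes them, and the cache and config paths are parameters rather than the hard-coded ones above):

```python
"""Shell-free replacements for the subprocess.call(..., shell=True) patterns
quoted in the report.  Added illustration; not code from the proselint tree."""
import os
import shutil
import subprocess
from pathlib import Path


def proselint_argv(fullpath, debug=False):
    """Build the argument vector for one proselint run.

    With a list argv and no shell, the path is handed to the child as a single
    argument byte-for-byte, so a filename containing quotes, semicolons or
    spaces is just a filename, never shell syntax.  os.fspath accepts pathlib.
    """
    argv = ["proselint"]
    if debug:
        argv.append("--debug")
    argv.append(os.fspath(fullpath))
    return argv


def run_quiet(argv, capture=False):
    """Replacement for the "cmd >/dev/null" redirection done via the shell.

    Redirecting stdout is a subprocess option, not something that needs sh -c.
    Returns captured stdout (str) when capture=True, else the exit code.
    """
    if capture:
        return subprocess.check_output(argv, text=True)
    return subprocess.call(argv, stdout=subprocess.DEVNULL)


def delete_pyc(root):
    """Python equivalent of: find . -name '*.pyc' -delete.  Returns the count."""
    removed = 0
    for pyc in Path(root).rglob("*.pyc"):
        pyc.unlink()
        removed += 1
    return removed


def reset_cache(cache_dir, config_dir=None):
    """Python equivalent of: rm -rfv proselint/cache && mkdir -p ~/.proselint."""
    if config_dir is None:  # default mirrors the os.path.expanduser("~") above
        config_dir = Path.home() / ".proselint"
    shutil.rmtree(cache_dir, ignore_errors=True)
    Path(config_dir).mkdir(parents=True, exist_ok=True)
    return Path(config_dir)
```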
--- Begin Message ---
Source: python3-proselint
Source-Version: 0.7.0-1

We believe that the bug you reported is fixed in the latest version of
python3-proselint, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 827...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Víctor Cuadrado Juan <m...@viccuad.me> (supplier of updated python3-proselint package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 Nov 2016 22:18:39 +0100
Source: python3-proselint
Binary: python3-proselint
Architecture: source
Version: 0.7.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Víctor Cuadrado Juan <m...@viccuad.me>
Description:
 python3-proselint - Library and command-line prose linter utility (Python 3)
Closes: 827445
Changes:
 python3-proselint (0.7.0-1) unstable; urgency=medium
 .
   [ Víctor Cuadrado Juan ]
   * New Upstream release
     - Remove `shell=True` as they are a security hazard (Closes: #827445)
   * Drop 0002-Make-proselint-work-on-read-only-files.patch as
     it has been upstreamed
   * Update d/proselint.1 manpage for v0.7.0
   * Add TODO.Debian
   * Run `wrap-and-sort -ast`
 .
   [ Mattia Rizzolo ]
   * Add git-dpm tag config
   * Bump debhelper compat level to 10


--- End Message ---