Hello community, here is the log from the commit of package signing-party for openSUSE:Factory checked in at 2019-06-17 10:34:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/signing-party (Old) and /work/SRC/openSUSE:Factory/.signing-party.new.4811 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "signing-party" Mon Jun 17 10:34:49 2019 rev:5 rq:710221 version:2.10 Changes: -------- --- /work/SRC/openSUSE:Factory/signing-party/signing-party.changes 2019-05-03 22:47:47.119956374 +0200 +++ /work/SRC/openSUSE:Factory/.signing-party.new.4811/signing-party.changes 2019-06-17 10:34:52.833217994 +0200 @@ -1,0 +2,9 @@ +Sun Jun 9 19:40:13 UTC 2019 - Sebastian Wagner <sebix+novell....@sebix.at> + +- remove cve-2019-11627.patchm included in tarball. +- update to version 2.10-1: + * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling + shell injection via a User ID. Use Perl's (core) module Encode.pm instead + of shelling out to `iconv`. (Closes: #928256.) + +------------------------------------------------------------------- Old: ---- cve-2019-11627.patch signing-party-2.9.tar.gz New: ---- signing-party-2.10.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ signing-party.spec ++++++ --- /var/tmp/diff_new_pack.ZKpXVc/_old 2019-06-17 10:34:53.429217697 +0200 +++ /var/tmp/diff_new_pack.ZKpXVc/_new 2019-06-17 10:34:53.433217695 +0200 @@ -17,7 +17,7 @@ Name: signing-party -Version: 2.9 +Version: 2.10 Release: 0 Summary: GPG Tools License: GPL-2.0-or-later @@ -26,8 +26,6 @@ Source: http://ftp.debian.org/debian/pool/main/s/signing-party/signing-party_%{version}.orig.tar.gz#/%{name}-%{version}.tar.gz # PATCH-FIX-OPENSUSE caff-manpage.patch [bnc#722626] Patch1: caff-manpage.patch -# PATCH-FIX-UPSTREAM cve-2019-11627.patch boo#1134040 -Patch2: cve-2019-11627.patch Requires: %{_sbindir}/sendmail Requires: gpg Requires: perl 
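Review bot: The removal of `Patch2: cve-2019-11627.patch` (boo#1134040) rests only on the changes entry saying the patch is included in the tarball, while the upstream changelog for 2.10-1 names the fix CVE-2018-15599; nothing on the page states that the two identifiers describe the same issue. Before dropping the patch here and in the `%patch2 -p1` hunk in `%prep`, confirm that the 2.10 tarball carries the same change the patch did; the gpg-key2ps hunk further down, which replaces the `iconv` shell-out, is presumably that change. Keeping the tracker references in the changes entry would let scanners that follow the old identifier still find the fix, e.g. `- remove cve-2019-11627.patch, included in tarball (boo#1134040, CVE-2019-11627)`.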
@@ -85,7 +83,6 @@ %prep %setup -q -n signing-party-%{version} %patch1 -p1 -%patch2 -p1 %build %if 0%{?suse_version} > 1320 ++++++ signing-party-2.9.tar.gz -> signing-party-2.10.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/signing-party-2.9/debian/changelog new/signing-party-2.10/debian/changelog --- old/signing-party-2.9/debian/changelog 2019-03-01 15:40:38.000000000 +0100 +++ new/signing-party-2.10/debian/changelog 2019-05-01 12:22:19.000000000 +0200 @@ -1,3 +1,11 @@ +signing-party (2.10-1) unstable; urgency=high + + * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling + shell injection via a User ID. Use Perl's (core) module Encode.pm instead + of shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin <guil...@debian.org> Wed, 01 May 2019 12:21:59 +0200 + signing-party (2.9-1) unstable; urgency=medium * gpglist: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/signing-party-2.9/gpg-key2ps/gpg-key2ps new/signing-party-2.10/gpg-key2ps/gpg-key2ps --- old/signing-party-2.9/gpg-key2ps/gpg-key2ps 2019-03-01 15:40:38.000000000 +0100 +++ new/signing-party-2.10/gpg-key2ps/gpg-key2ps 2019-05-01 12:22:19.000000000 +0200 @@ -9,6 +9,7 @@ # use strict; +use Encode (); use Getopt::Long; my $version = '@@VERSION@@'; @@ -267,7 +268,7 @@ } # user ids s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge; - $_ = `echo "$_" | iconv -c -f utf-8 -t latin1`; + $_ = Encode::encode("latin1", Encode::decode_utf8($_)); s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) uid/; # revoked user id if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/ ($1) revuid/) {
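Review bot: The replacement line `$_ = Encode::encode("latin1", Encode::decode_utf8($_));` leaves Encode's CHECK argument at its default, so characters with no Latin-1 mapping are substituted (normally with `?`) where `iconv -c` dropped them; if the old output is wanted, pass a fallback such as `Encode::encode("latin1", Encode::decode_utf8($_), sub { "" })`, otherwise state the new behaviour in a comment. A comment above the line should also record why no shell is involved, since the user ID comes from key material supplied by other people, e.g. `# UID is untrusted input: transcode in-process, never via a shell`. The `\x..` unescape still runs before the `[^:]*` field match, so an escaped colon inside a user ID appears to truncate the captured field, and the hunk does not show whether `(`, `)` and `\` are escaped before the value is placed in the PostScript string `($1)`; both are worth checking in the code outside the hunk. The enclosing loop starts and ends outside the hunk.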