Bug#910448: mgetty: CVE-2018-16741

2018-10-06 Thread Andreas Barth
* Salvatore Bonaccorso (car...@debian.org) [181006 21:21]:
> FTR, I think if feasible best would be to go for unstable (and thus
> buster) directly to 1.2.1, which will address as well the other CVEs
> (which were no-dsa or unimportant).

That's the plan, yes.


Andi



Bug#910448: mgetty: CVE-2018-16741

2018-10-06 Thread Salvatore Bonaccorso
Hi,

FTR, I think if feasible best would be to go for unstable (and thus
buster) directly to 1.2.1, which will address as well the other CVEs
(which were no-dsa or unimportant).

Regards,
Salvatore



Bug#910448: mgetty: CVE-2018-16741

2018-10-06 Thread Salvatore Bonaccorso
Source: mgetty
Version: 1.1.36-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 1.1.36-3+deb9u1

Hi,

The following vulnerability was published for mgetty.

CVE-2018-16741[0]:
| An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c,
| the function do_activate() does not properly sanitize shell
| metacharacters to prevent command injection. It is possible to use the
| ||, &&, or > characters within a file created by the "faxq-helper
| activate jobid" command.

The issue was fixed in DSA-4291-1 with 1.1.36-3+deb9u1 but not yet in
unstable and for buster, thus filing an RC bug to avoid the
regression for buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741

Regards,
Salvatore
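The defect class described in the CVE text above is a helper that passes data taken from a user-controlled job file through a shell, so shell metacharacters in that data become commands. The following is an added example, not mgetty's own code or the upstream 1.2.1 fix: it shows the two defensive measures a maintainer would want here. The field is validated against a strict allowlist before use, and the helper is started with an explicit argument vector via execve() rather than a shell command string, so characters like `||`, `&&` and `>` have no special meaning even if validation were bypassed. The function names, the allowed character set and the argument layout are assumptions for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Maximum job-id length accepted; an assumed limit for this example. */
#define JOBID_MAX 64

/*
 * Allowlist validation for a job id read from a job file.
 * Accepts only alphanumerics, '.', '_' and '-', must not be empty or
 * over-long, and must not start with '-' or '.' so the value can never
 * be mistaken for an option flag or a relative-path prefix.
 * Returns 1 if safe, 0 otherwise.
 */
int job_field_is_safe(const char *s)
{
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > JOBID_MAX)
        return 0;
    if (s[0] == '-' || s[0] == '.')
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/*
 * Start "<helper_path> activate <jobid>" without any shell involved.
 * The job id is passed as one argv element, so shell metacharacters in
 * it are never interpreted. The environment is emptied as well, so the
 * child cannot be influenced by inherited variables.
 * Returns -1 if the field is rejected or the child could not be
 * reaped, otherwise the child's exit status (127 if exec failed).
 */
int run_activate_helper(const char *helper_path, const char *jobid)
{
    pid_t pid;
    int status;

    if (helper_path == NULL || !job_field_is_safe(jobid))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        char *const argv[] = {
            (char *)helper_path, (char *)"activate", (char *)jobid, NULL
        };
        char *const envp[] = { NULL };

        execve(helper_path, argv, envp);
        _exit(127);   /* exec failed: report it like a shell would */
    }

    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The check in job_field_is_safe() is a positive allowlist rather than a denylist of known-bad characters; a denylist that only strips `||`, `&&` and `>` would still leave `;`, backticks, `$()` and newlines to worry about. Combined with execve() and a fixed argv, the job id is treated purely as data regardless of what the job file contains.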