Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Philipp Weis
On 2009-08-22 12:46, Ben Finney wrote:
> On 21-Aug-2009, Philipp Weis wrote:
> > Ok, I just tested with a couple of file collections that I burned
> > recently, among them one with quotation marks in filenames that caused
> > me to report the problem in the first place. Everything seems fine,
> > th

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Ben Finney
On 21-Aug-2009, Philipp Weis wrote:
> Ok, I just tested with a couple of file collections that I burned
> recently, among them one with quotation marks in filenames that caused
> me to report the problem in the first place. Everything seems fine,
> thank you!

Great. Was this tested all the way throu

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Philipp Weis
On 2009-08-22 10:55, Ben Finney wrote:
> Acting as upstream developer for the program, I have prepared a new
> version that (among other changes) uses the ‘subprocess’ module, and
> its sanitised argument handling, for all child process interactions.
>
> This could have unforeseen effects. Could

Bug#542750: Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Ben Finney
package burn
retitle 542750 burn: should use ‘subprocess’ module for secure child process interaction
thanks

On 19-Aug-2009, Philipp Weis wrote:
> I just discovered that burn has trouble with quotation marks in file
> names, and on a closer inspection it seems as if this actually has
> security i

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Ben Finney
On 21-Aug-2009, Moritz Muehlenhoff wrote:
> This is indeed a security issue, but not important enough to warrant
> a DSA. However, we encourage maintainers to fix such minor security
> issues through a point update.

I have taken on the upstream maintainer role for this package, and am currently te

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Ben Finney
package burn
tags 542329 - unreproducible
thanks

On 21-Aug-2009, Philipp Weis wrote:
> Yes, the quotes are part of the filename and crucial to the exploit.

Thanks. For the record, here are the steps I use to successfully reproduce this bug:

* Start with a known Ogg Vorbis file (in my case, ‘post

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Moritz Muehlenhoff
Ben Finney wrote:
> package burn
> tags 542329 + security confirmed
> assign 542329 !
> thanks
>
> On 18-Aug-2009, Philipp Weis wrote:
> > I just discovered that burn has trouble with quotation marks in file
> > names, and on a closer inspection it seems as if this actually has
> > security implic

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-21 Thread Philipp Weis
On 2009-08-21 16:36, Ben Finney wrote:
> On 18-Aug-2009, Philipp Weis wrote:
> > For a demonstration of the problem, create a valid ogg file and name
> > it
> >
> > " | date #".ogg
>
> Are the quote characters meant to be part of the filename? I assume
> not, but I'm currently unable to repr

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-20 Thread Ben Finney
package burn
tags 542329 - confirmed + unreproducible moreinfo
thanks

On 18-Aug-2009, Philipp Weis wrote:
> For a demonstration of the problem, create a valid ogg file and name
> it
>
> " | date #".ogg

Are the quote characters meant to be part of the filename? I assume
not, but I'm currently u

Bug#542329: burn: Quotation marks in filenames aren't handled properly.

2009-08-19 Thread Ben Finney
package burn
tags 542329 + security confirmed
assign 542329 !
thanks

On 18-Aug-2009, Philipp Weis wrote:
> I just discovered that burn has trouble with quotation marks in file
> names, and on a closer inspection it seems as if this actually has
> security implications.

Thanks for the bug report;