Your message dated Sun, 18 May 2008 01:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#448437: fixed in unp 1.0.15
has caused the Debian Bug report #448437,
regarding unp: Incomplete filename escaping
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
448437: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448437
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: unp
Version: 1.0.12
Severity: important
Tags: security

unp doesn't escape filenames properly. Try this:

touch empty
zip \`ls\`.zip empty
unp \`ls\`.zip

and it will give you a directory listing.

This means that any application using 'unp' as a generic decompression
utility might be vulnerable to a filename-based injection attack.

Maybe increase the severity level?

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

unp depends on no packages.

Versions of packages unp recommends:
ii  bzip2                         1.0.3-7    high-quality block-sorting file co

-- no debconf information
--- End Message ---
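The two calling conventions behind this report, shown as an added example that is not unp's code (unp is a Perl script; this is Python): splicing a file name into a command string that a shell parses, versus passing it as one argv element with no shell involved. The `--` separator and the NUL check are assumptions about what a hardened wrapper should do, not claims about the unp fix.

```python
import shlex
import subprocess
import sys

# Vulnerable pattern (reconstructed, not unp's code): the file name is glued
# into a command string that a shell will parse, so backticks, $(...), ';'
# or '|' inside the name are executed instead of treated as characters.
def vulnerable_command(archive: str) -> str:
    return "unzip " + archive            # "unzip `ls`.zip" -> shell runs ls

# Hardened form: build an argv list so each element reaches the tool as one
# argument regardless of its characters. "--" ends option parsing so a name
# such as "-o" cannot be read as a flag. NUL cannot be passed via execve().
def safe_argv(tool: str, archive: str) -> list:
    if not archive or "\0" in archive:
        raise ValueError("empty or NUL-containing file name")
    return [tool, "--", archive]

# When a shell string is unavoidable (logging, passing through ssh), quote
# every word; shlex.join() single-quotes anything containing metacharacters.
def safe_shell_string(argv: list) -> str:
    return shlex.join(argv)

# shell=False (the default): no word splitting, no command substitution.
def run_argv(argv: list) -> str:
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True).stdout

# Demonstrates that the argv form delivers the name verbatim. The child is
# the Python interpreter standing in for unzip (so no archive tool is needed);
# it writes back its last argument unchanged.
def roundtrip_argument(archive: str) -> str:
    stub = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[-1])"]
    return run_argv(stub + safe_argv(sys.executable, archive)[1:])

if __name__ == "__main__":
    name = "`ls`.zip"                    # constructed: the reporter's test name
    print("string form:", vulnerable_command(name))
    print("argv form:  ", safe_argv("unzip", name))
    print("quoted form:", safe_shell_string(safe_argv("unzip", name)))
    print("child saw:  ", roundtrip_argument(name))
```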
--- Begin Message ---
Source: unp
Source-Version: 1.0.15

We believe that the bug you reported is fixed in the latest version of
unp, which is due to be installed in the Debian FTP archive:

unp_1.0.15.dsc
  to pool/main/u/unp/unp_1.0.15.dsc
unp_1.0.15.tar.gz
  to pool/main/u/unp/unp_1.0.15.tar.gz
unp_1.0.15_all.deb
  to pool/main/u/unp/unp_1.0.15_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eduard Bloch <[EMAIL PROTECTED]> (supplier of updated unp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.8
Date: Sat, 17 May 2008 23:37:43 +0200
Source: unp
Binary: unp
Architecture: source all
Version: 1.0.15
Distribution: unstable
Urgency: medium
Maintainer: Eduard Bloch <[EMAIL PROTECTED]>
Changed-By: Eduard Bloch <[EMAIL PROTECTED]>
Description: 
 unp        - unpack (almost) everything with one command
Closes: 318338 339695 355832 357933 448437 460159 466824
Changes: 
 unp (1.0.15) unstable; urgency=medium
 .
   * extended previous fix of 448437, reapplying corrections after alternative
     detection of the filetype (closes: #448437). Also fixed ucat.
   * filtering file's output to not stumble over stuff in input filenames
   * disabled macunpack support, needs serious fixing (deferred)
   * typo fixes ("unarchive", closes: #339695), manpage usage chapter
     (closes: #355832)
   * added reference to unrar-free package in user hints (that's enough
     "support", the unrar command is provided via alternatives; closes: #357933)
   * Added new file formats (7z, jar, war, ear, adf), based on a patch by
     Philippe Coval (closes: #318338)
   * updated package description (closes: #466824)
   * added -av- to rar/unrar options (closes: #460159)
   * debian/copyright file update

--- End Message ---