Your message dated Thu, 12 Mar 2015 09:34:24 +0000
with message-id <e1yvzvy-0000xz...@franck.debian.org>
and subject line Bug#779925: fixed in grml-debootstrap 0.68.1
has caused the Debian Bug report #779925,
regarding grml-debootstrap: Lacks escaping of user input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779925: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779925
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: grml-debootstrap
Version: 0.68
Severity: important

grml-debootstrap lacks escaping of user input.  To give an example, execution
with

  --password '$(echo OOPS >&2)non-empty'

makes grml-debootstrap execute code.  Trouble characters are $ ! ` " \ .

For more details please see https://github.com/grml/grml-debootstrap/issues/58 .

To my understanding, the fact that grml-debootstrap needs root permissions
to be operated is the reason why oss-security decided to not assign a CVE
number,
see http://thread.gmane.org/gmane.comp.security.oss.general/15483 .

The bug affects all versions of grml-debootstrap (wheezy, jessie, sid).
A pull request with a proposed fix hit upstream earlier today:
https://github.com/grml/grml-debootstrap/pull/68

I'm filing a bug downstream, since this bug may be critical to the release of
jessie.

Best, Sebastian



-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages grml-debootstrap depends on:
ii  cdebootstrap            0.5.9
ii  debian-archive-keyring  2014.3~deb7u1
ii  debootstrap             1.0.48+deb7u2
ii  gawk                    1:4.0.1+dfsg-2.1

Versions of packages grml-debootstrap recommends:
ii  dialog      1.1-20120215-2
ii  kpartx      0.4.9+git0.4dfdaf2b-7~deb7u2
ii  mksh        40.9.20120630-7
ii  parted      2.3-12
ii  qemu-utils  1.1.2+dfsg-6a+deb7u6

grml-debootstrap suggests no packages.

-- no debconf information

--- End Message ---
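The bug class in the report above, as an added example that is not grml-debootstrap's own code: a command-line value is interpolated into text that the shell evaluates a second time, so the `$(...)` in the payload runs as code. The vulnerable pattern (`eval` on a double-quoted string) is a hypothetical stand-in for whatever grml-debootstrap did, not a quote of it; `shell_quote` is the standard single-quote escaping that makes any value inert, covering every character the report lists ($ ! ` " \).

```shell
#!/bin/sh
# Added example (not grml-debootstrap's code): a user-supplied value that is
# interpolated into text the shell evaluates a second time, beside a quoting
# routine that turns the value back into plain data.

# Constructed payload of the same shape as the one in the bug report.
PAYLOAD='$(echo INJECTED >&2)non-empty'

# VULNERABLE (hypothetical pattern): builds PASSWORD="<value>" and evals it.
# Inside double quotes $ ` and \ are still interpreted, so the command
# substitution in the value runs with the script's privileges (root, for an
# installer) and PASSWORD ends up as just "non-empty".
vulnerable_set() {
    eval "PASSWORD=\"$1\""
    printf '%s\n' "$PASSWORD"
}

# Quote a string for a later shell evaluation: wrap it in single quotes and
# replace each embedded ' with '\'' (close, escaped quote, reopen). Nothing is
# special inside single quotes, so $ ! ` " \ and whitespace survive literally.
# Pure POSIX sh, byte-exact (no sed, so no trailing-newline loss).
shell_quote() {
    q="'"
    rest=$1
    out=$q
    while :; do
        case $rest in
            *"$q"*)
                out="$out${rest%%"$q"*}$q\\$q$q"
                rest=${rest#*"$q"}
                ;;
            *)
                out="$out$rest"
                break
                ;;
        esac
    done
    printf '%s' "$out$q"
}

# HARDENED: the same eval, but the value is quoted first, so the shell sees
# PASSWORD='$(echo INJECTED >&2)non-empty' and assigns it verbatim.
hardened_set() {
    eval "PASSWORD=$(shell_quote "$1")"
    printf '%s\n' "$PASSWORD"
}

# Run directly: the first call writes INJECTED to stderr (the injection
# fired), the second prints the payload unchanged.
vulnerable_set "$PAYLOAD" >/dev/null
hardened_set "$PAYLOAD"
```

The same quoting is what you want whenever a value is written into a config file that is later sourced, or handed to `ssh`/`su -c`: every hop that re-parses the string is another chance for `$`, backticks and backslashes to be interpreted, and single-quote wrapping is the only POSIX-portable escape that is safe against all of them.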
--- Begin Message ---
Source: grml-debootstrap
Source-Version: 0.68.1

We believe that the bug you reported is fixed in the latest version of
grml-debootstrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Prokop <m...@grml.org> (supplier of updated grml-debootstrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Mar 2015 15:48:08 +0100
Source: grml-debootstrap
Binary: grml-debootstrap
Architecture: source all
Version: 0.68.1
Distribution: unstable
Urgency: medium
Maintainer: Grml Team <t...@grml.org>
Changed-By: Michael Prokop <m...@grml.org>
Description:
 grml-debootstrap - wrapper around debootstrap for installing pure Debian
Closes: 776502 779913 779925 780204
Changes:
 grml-debootstrap (0.68.1) unstable; urgency=medium
 .
   [ Michael Prokop ]
   * [52e9bbf] Do not stop hosts' SSH + mdadm services in cleanup
     procedure. Thanks to Sebastian Pipping for debugging and bug report
     (Closes: #779913)
   * [1690a3c] Define ewarn function to properly display warning messages
     (Closes: #780204)
 .
   [ Sebastian Pipping ]
   * [75c3aab] Source cmdlineopts.clp from same folder as grml-debootstrap
     file (Closes: #776502) [CVE-2015-1378]
   * [0d9be2b] Add missing escaping of user input (Closes: #779925)
Checksums-Sha1:
 aae69fc1599c485ac7ff739cb6365facf29e4b39 1811 grml-debootstrap_0.68.1.dsc
 3e68546efe0c5b1a500e08f16e08c45a2e0b08d0 150264 grml-debootstrap_0.68.1.tar.xz
 da261e0e30657c5f0638028124f6fbf737a34536 123036 grml-debootstrap_0.68.1_all.deb
Checksums-Sha256:
 b6daeca1fddfcee23c6423586b15d469459355fc5a8f9b7128c0e628816b9ba4 1811 grml-debootstrap_0.68.1.dsc
 9d2eb9edc707f80d0dd3ed93c23cda2ead29a4ffefa36c9c30f2a8d900690467 150264 grml-debootstrap_0.68.1.tar.xz
 2b544d94c06065b85294d935823f53b98a8469fae15c349057db874cd9429391 123036 grml-debootstrap_0.68.1_all.deb
Files:
 fcd170418138c63f9ec697460c499c0a 1811 admin optional grml-debootstrap_0.68.1.dsc
 bea5288986fca78df4d47cb78066c5c2 150264 admin optional grml-debootstrap_0.68.1.tar.xz
 2ea565d86647926982825c2c3d8f528b 123036 admin optional grml-debootstrap_0.68.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
