Your message dated Sat, 01 Aug 2015 03:34:57 +0000
with message-id <e1zlnzz-0008ok...@franck.debian.org>
and subject line Bug#794260: fixed in devscripts 2.15.7
has caused the Debian Bug report #794260,
regarding devscripts: licensecheck chokes on files containing space
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
794260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794260
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: devscripts
Version: 2.15.6
Severity: grave
Tags: security patch
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Line 324 of licensecheck executes this shell code:

  file --brief --mime --dereference $file

That will fail if the input file name contains a space, and may do horrible
things with input files containing a semicolon.

The fix is simple: add quotes around the variable, so line 324 looks like
this:

    my $mime = `file --brief --mime --dereference "$file"`;


 - Jonas


--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.15.7

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 794...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 31 Jul 2015 22:50:33 -0400
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.15.7
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <james...@debian.org>
Closes: 794260 794263 794282
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Changes:
 devscripts (2.15.7) unstable; urgency=medium
 .
   * licensecheck:
     + Use Dpkg::IPC to run file to avoid shell injection.  (Closes: #794260)
     + Change whitelist of mime types to greylist of encodings.  Restores
       ability to check files with mime types like text/x-c++ and
       application/postscript.  Thanks to Jonas Smedegaard for the patch.
       (Closes: #794282)
     + Fix an endless loop in parsing certain files.  Thanks to Jonas
       Smedegaard for the patch.  (Closes: #794263)


--- End Message ---
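
The 2.15.7 changelog entry above replaces the backtick call with one that runs file(1) without a shell. The sketch below is an added illustration of that approach, not the devscripts code: it uses core Perl's list-form pipe open rather than Dpkg::IPC, and `mime_of` and the sample file names are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not devscripts code): run file(1) without a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return the MIME description of $path, or undef if file(1) fails.
# The list form of a pipe open execs the program directly, so $path is
# passed as exactly one argv element and /bin/sh never parses it.
# By contrast, a backtick string is handed to /bin/sh, and double quotes
# around the variable still leave ", $ and ` in a name to the shell.
sub mime_of {
    my ($path) = @_;
    # '--' ends option parsing, so a relative name starting with '-'
    # is treated as a file name and not as an option to file(1).
    my @cmd = ('file', '--brief', '--mime', '--dereference', '--', $path);
    open(my $fh, '-|', @cmd) or die "cannot run file: $!";
    my $out = do { local $/; <$fh> };
    close($fh) or return undef;    # file(1) exited non-zero or pipe error
    chomp $out if defined $out;
    return $out;
}

# Constructed sample names: each contains a character that /bin/sh would
# split on or interpret if the name were interpolated into backticks.
my $dir   = tempdir(CLEANUP => 1);
my @names = ('with space.txt', 'semi;colon.txt', 'quote".txt',
             'dollar$(x).txt');

for my $name (@names) {
    my $path = "$dir/$name";
    open(my $w, '>', $path) or die "cannot create $path: $!";
    print {$w} "plain text\n";
    close $w;
    printf "%-18s => %s\n", $name, mime_of($path) // 'file(1) failed';
}
```

Every sample name should report the same `text/plain` result, because none of the characters in the name are interpreted on the way to file(1).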