[Pkg-privacy-commits] [monkeysphere] 02/03: resolve http://bugs.debian.org/600304 -- do not place arbitrary/escaped user ids into the shell
Ximin Luo
infinity0 at moszumanska.debian.org
Sat Aug 22 13:38:12 UTC 2015
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch debian_0.31
in repository monkeysphere.
commit 046f107622bfffedb3109c14fd607c60e5b60cc6
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Oct 15 16:47:43 2010 -0400
resolve http://bugs.debian.org/600304 -- do not place arbitrary/escaped user ids into the shell
---
debian/changelog | 6 ++++++
debian/patches/600304.diff | 13 +++++++++++++
debian/patches/series | 1 +
3 files changed, 20 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index aa9b05a..b03dff7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+monkeysphere (0.31-3) unstable; urgency=high
+
+ * avoid mis-escaping uids, fixes a security issue. (Closes: #600304)
+
+ -- Daniel Kahn Gillmor <dkg at fifthhorseman.net> Fri, 15 Oct 2010 16:46:17 -0400
+
monkeysphere (0.31-2) unstable; urgency=low
* sleep a bit in keytrans suite to ensure that at least a full second
diff --git a/debian/patches/600304.diff b/debian/patches/600304.diff
new file mode 100644
index 0000000..6588ead
--- /dev/null
+++ b/debian/patches/600304.diff
@@ -0,0 +1,13 @@
+diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user
+index f48d5d3..b0c3cf5 100644
+--- a/src/share/ma/keys_for_user
++++ b/src/share/ma/keys_for_user
+@@ -44,7 +44,7 @@ export GNUPGHOME
+ # extract user IDs from authorized_user_ids file
+ IFS=$'\n'
+ for line in $(meat "$authorizedUserIDs") ; do
+- su_monkeysphere_user ". ${SYSSHAREDIR}/common; keys_for_userid '$line'"
++ printf '%s\n' "$line" | su_monkeysphere_user ". ${SYSSHAREDIR}/common; keys_for_userid \"\$X\"" || true
+ done
+
+ }
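Review bot: The command string in the added `printf ... | su_monkeysphere_user` line expands `$X`, but nothing visible assigns X: the user ID is written to the child's stdin and never read. Unless `common` or su_monkeysphere_user populates X from stdin (not shown in this hunk), keys_for_userid is presumably called with an empty argument for every line, and the trailing `|| true` hides any resulting failure. Passing the ID over stdin rather than splicing it into the shell-parsed string is the right fix for the quoting problem, but the string needs to consume it, e.g. `". ${SYSSHAREDIR}/common; read -r X; keys_for_userid \"\$X\""`. A short comment such as `# user ID goes over stdin so it is never parsed as shell code` would also record why the pipe is there. The enclosing function starts outside the hunk.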
diff --git a/debian/patches/series b/debian/patches/series
index 101870b..af8e9c7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
591118.diff
+600304.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/monkeysphere.git