debmany: Fix shell injection via crafted .deb Closes: #1031267 Thanks to Jakub Wilk for reporting! Axel Beckert 1 year, 1 month ago
2 changed file(s) with 19 addition(s) and 3 deletion(s).
33 * debmany:
44 + Fix -k option: Use "kfmclient newTab" instead of no more existing
55 "kfmclient exec" subcommand.
6 + Fix shell injection via crafted .deb. (Closes: #1031267)
7 Thanks to Jakub Wilk for reporting!
68
79 [ Debian Janitor ]
810 * Remove constraints unnecessary since buster (oldstable):
9393 else
9494 error "$*"
9595 fi
96 }
97
98 replace_percent_s_and_execute() {
99 replacement="$1"
100 shift
101 declare -a cmdarr
102 cmdarr=($@)
103 debug "cmdarr before; ${cmdarr[@]}"
104 for i in ${!cmdarr[@]}; do
105 cmdarr[$i]="${cmdarr[$i]/\%s/$replacement}"
106 done
107 debug "cmdarr after; ${cmdarr[@]}"
108 command "${cmdarr[@]}"
96109 }
97110
98111 while [ $# -gt 0 ]
376389 dpkg --fsys-tarfile "$file" | tar --wildcards -xf - $mandirs 2>/dev/null
377390 # find all manpage files
378391 manpages=`find usr -type f 2>/dev/null|sort|sed -e 's|\([^/]*\)$|\1 \1|'`
392 # | egrep -v '[\`\\${}*?;<>|]'
379393 fi
380394
381395 while true
411425 cd "$path"
412426 fi
413427 debug "Opening manpage file: "`printf "$mancmdline" "$PWD/$file"` # comment
414 eval $(printf "$mancmdline" "$PWD/$file")
428 replace_percent_s_and_execute "$PWD/$file" "$mancmdline"
415429 cd - >/dev/null
416430 else
417431 # other file (usr/share/doc)
418432 debug "Opening other file: "`printf "$othercmdline" "$PWD/$return"` # comment
419433 if [[ "$return" =~ \.gz$ ]]
420434 then
421 eval $(printf "gzip -dc $PWD/$return | $othercmdline")
435 gzip -dc "$PWD/$return" | replace_percent_s_and_execute '-' "$othercmdline"
422436 else
423 eval $(printf "$othercmdline" "$PWD/$return")
437 replace_percent_s_and_execute "$PWD/$return" "$othercmdline"
424438 fi
425439 fi
426440 else
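Review bot: The unquoted `cmdarr=($@)` in replace_percent_s_and_execute word-splits the viewer template and also applies pathname expansion to it. At the call sites the working directory appears to be the tree unpacked from the .deb, so any `*`, `?` or `[` in a user-supplied template would be matched against file names chosen by the package author. Splitting without globbing keeps the tokenising and removes that dependency, for example `read -r -a cmdarr <<< "$*"`. Separately, on bash 5.2 and later, where `patsub_replacement` is on by default, an `&` in the file name is likely to be rewritten to the matched `%s`; quoting only the replacement avoids that, `cmdarr[$i]=${cmdarr[$i]/\%s/"$replacement"}`. `replacement` and `i` are also assigned without `local`, so they overwrite any script-level variables of the same name; the function would be easier to audit with `local replacement i` and a short header comment stating that the template is split on whitespace only and that shell quoting inside it is no longer honoured.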