[Secure-testing-team] Bug#794260: devscripts: licensecheck chokes on files containing space
Jonas Smedegaard
dr at jones.dk
Fri Jul 31 18:44:12 UTC 2015
Package: devscripts
Version: 2.15.6
Severity: grave
Tags: security patch
Justification: user security hole

Line 324 of licensecheck executes this shell code:

    file --brief --mime --dereference $file

That will fail if the input file contains a space, and may do horrible
things with input files containing a semicolon.

The fix is simple: add quotes around the variable, so line 324 looks like
this:

    my $mime = `file --brief --mime --dereference "$file"`;

 - Jonas
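
Added example, not part of the original report and not licensecheck's own code: a way to run the same file(1) call with no shell involved, which goes one step beyond the quoting fix above because a name inside double quotes is still parsed by the shell. The helper name mime_type and the sample file names are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not licensecheck's code: read the MIME type of a file
# without handing its name to a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper. The list form of a piped open forks and execs
# file(1) directly, so every list element reaches it as exactly one
# argv entry and no character in $file is interpreted by a shell.
sub mime_type {
    my ($file) = @_;
    # '--' ends option parsing, so a name starting with '-' is not
    # mistaken for an option.
    open(my $fh, '-|', 'file', '--brief', '--mime', '--dereference',
         '--', $file)
        or die "cannot run file(1): $!";
    my $mime = <$fh>;
    close($fh) or warn "file(1) exited with status $?\n";
    chomp $mime if defined $mime;
    return $mime;
}

# Constructed sample names: a space, a semicolon and a double quote.
my $dir = tempdir(CLEANUP => 1);
for my $name ('two words.txt', 'a;b.txt', 'say "hi".txt') {
    my $path = "$dir/$name";
    open(my $out, '>', $path) or die "cannot create $path: $!";
    print {$out} "plain text\n";
    close($out) or die "cannot write $path: $!";
    printf "%-16s => %s\n", $name, mime_type($path) // '(no output)';
}
```

Each of the three names is reported as one file, since none of them is ever split or evaluated on the way to file(1).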