File cve-2019-11627.patch of Package signing-party

From cd69b6c0426a6160ef3de03fce9c7f112166d5a8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@debian.org>
Date: Tue, 30 Apr 2019 19:49:45 +0200
Subject: [PATCH] gpg-key2ps: Fix shell injection vulnerability in UIDs
 rendering.

---
 debian/changelog      | 7 +++++++
 gpg-key2ps/gpg-key2ps | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 7b071b7..26a665b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+signing-party (2.10-1) UNRELEASED; urgency=high
+
+  * gpg-key2ps: Fix shell injection vulnerability in UIDs rendering.
+    (Closes: #928256.)
+
+ -- Guilhem Moulin <guilhem@debian.org>  Tue, 30 Apr 2019 19:47:04 +0200
+
 signing-party (2.9-1) unstable; urgency=medium
 
   * gpglist:
diff --git a/gpg-key2ps/gpg-key2ps b/gpg-key2ps/gpg-key2ps
index 4d76fb4..1a67e04 100755
--- a/gpg-key2ps/gpg-key2ps
+++ b/gpg-key2ps/gpg-key2ps
@@ -9,6 +9,7 @@
 #
 
 use strict;
+use Encode ();
 use Getopt::Long;
 
 my $version = '@@VERSION@@';
@@ -267,7 +268,7 @@ while(<GPG>) {
 	}
 	# user ids
 	s/\\x(\p{AHex}{2})/ chr(hex($1)) /ge;
-	$_ = `echo "$_" | iconv -c -f utf-8 -t latin1`;
+	$_ = Encode::encode("latin1", Encode::decode_utf8($_));
 	s/^uid:[^:r]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) uid/;
 	# revoked user id
 	if (s/^uid:r[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:([^:]*):.*/	($1) revuid/) {
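Review bot: The UID text captured into `($1) uid` and `($1) revuid` is still controlled by whoever created the key, and the `\xNN` decoding just above the new `Encode` call can reintroduce `(`, `)` and `\` after any earlier escaping, so it is worth confirming those characters are escaped for the PostScript string context. No such escaping is visible in this hunk, and the `while(<GPG>)` body starts and ends outside it. Separately, `iconv -c` silently dropped characters with no Latin-1 mapping, whereas `Encode::encode` with its default check substitutes `?` and `decode_utf8` first maps malformed input to U+FFFD, so the rendered output for non-Latin-1 UIDs changes. A comment on the new line such as `# convert in-process: UID text is untrusted and must never be passed to a shell` would record why the backticks were removed.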
-- 
2.20.1
