Debian Bug report logs - #542329
burn: Quotation marks in filenames aren't handled properly.

Package: burn; Maintainer for burn is Ben Finney <ben+debian@benfinney.id.au>; Source for burn is src:burn.

Reported by: Philipp Weis <pweis@pweis.com>

Date: Wed, 19 Aug 2009 03:45:02 UTC

Owned by: Ben Finney <ben+debian@benfinney.id.au>

Severity: normal

Tags: security, upstream

Found in versions 0.4.3-2.1, burn/0.4.4-1

Fixed in versions burn/0.4.3-2.1+lenny1, burn/0.4.5-1

Done: Ben Finney <ben+debian@benfinney.id.au>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Wed, 19 Aug 2009 03:45:06 GMT)

Acknowledgement sent to Philipp Weis <pweis@pweis.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ben Finney <ben+debian@benfinney.id.au>. (Wed, 19 Aug 2009 03:45:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Philipp Weis <pweis@pweis.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: burn: Quotation marks in filenames aren't handled properly.
Date: Tue, 18 Aug 2009 23:42:56 -0400
[Message part 1 (text/plain, inline)]
Package: burn
Version: 0.4.4-1
Severity: normal
Tags: security

Hey there,

I just discovered that burn has trouble with quotation marks in file
names, and on a closer inspection it seems as if this actually has
security implications. I attached a tiny patch that fixes three of the
quotation problems, but there seem to be more issues like this in the
code, and I don't have the time right now to look closely at all of
them.

For a demonstration of the problem, create a valid ogg file and name
it

  " | date #".ogg

Then run burn -A -a *.ogg, and burn will happily print the current
date.

Philipp


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages burn depends on:
ii  cdrdao                      1:1.2.2-17   records CDs in Disk-At-Once (DAO) 
ii  genisoimage                 9:1.1.9-1    Creates ISO-9660 CD-ROM filesystem
ii  mpg321                      0.2.10.6     mpg123 clone that doesn't use floa
ii  python                      2.5.4-2      An interactive high-level object-o
ii  python-eyed3                0.6.17-1     Python module for id3-tags manipul
ii  python-pyao                 0.82-2.1     A Python interface to the Audio Ou
ii  python-pymad                0.5.4-3.2+b1 Python wrapper to the MPEG Audio D
ii  python-pyvorbis             1.4-2        Python interface to the Ogg Vorbis
ii  python-support              1.0.3        automated rebuilding support for P
ii  wodim                       9:1.1.9-1    command line CD/DVD writing tool

burn recommends no packages.

burn suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: checksum mismatch burn file /usr/share/pyshared/burnlib/burn.py

-- 
Philipp Weis
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Wed, 19 Aug 2009 03:54:03 GMT)

Acknowledgement sent to Philipp Weis <pweis@pweis.com>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Wed, 19 Aug 2009 03:54:03 GMT)

Message #10 received at 542329@bugs.debian.org:

From: Philipp Weis <pweis@pweis.com>
To: 542329@bugs.debian.org
Subject: Re: burn: Quotation marks in filenames aren't handled properly.
Date: Tue, 18 Aug 2009 23:52:13 -0400
[Message part 1 (text/plain, inline)]
Attached is the mentioned patch.

-- 
Philipp Weis
[burn_shell_escape.2.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#542329; Package burn. (Thu, 20 Aug 2009 00:33:08 GMT)

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. (Thu, 20 Aug 2009 00:33:08 GMT)

Message #15 received at 542329@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: Philipp Weis <pweis@pweis.com>, 542329@bugs.debian.org
Cc: Debian BTS control <control@bugs.debian.org>
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Thu, 20 Aug 2009 10:22:06 +1000
[Message part 1 (text/plain, inline)]
package burn
tags 542329 + security confirmed
assign 542329 !
thanks

On 18-Aug-2009, Philipp Weis wrote:
> I just discovered that burn has trouble with quotation marks in file
> names, and on a closer inspection it seems as if this actually has
> security implications.

Thanks for the bug report; you're right that this is a security issue.

> I attached a tiny patch that fixes three of the quotation problems,
> but there seem to be more issues like this in the code, and I don't
> have the time right now to look closely at all of them.

The correct fix for this will be to avoid string concatenation for
constructing command lines, and instead to use the ‘subprocess.Popen’
class for invoking subprocesses.

-- 
 \          “All good things are cheap; all bad are very dear.” —Henry |
  `\                                                     David Thoreau |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Added tag(s) confirmed. Request was from Ben Finney <ben+debian@benfinney.id.au> to control@bugs.debian.org. (Thu, 20 Aug 2009 00:33:10 GMT)

Added tag(s) upstream. Request was from ben@benfinney.id.au (Ben Finney) to control@bugs.debian.org. (Thu, 20 Aug 2009 00:54:03 GMT)

Owner recorded as ben@benfinney.id.au (Ben Finney). Request was from ben@benfinney.id.au (Ben Finney) to control@bugs.debian.org. (Thu, 20 Aug 2009 00:54:04 GMT)

Owner changed from ben@benfinney.id.au (Ben Finney) to Ben Finney <ben+debian@benfinney.id.au>. Request was from Ben Finney <ben+debian@benfinney.id.au> to control@bugs.debian.org. (Thu, 20 Aug 2009 03:42:04 GMT)

Bug 542329 cloned as bug 542750. Request was from ben@benfinney.id.au (Ben Finney) to control@bugs.debian.org. (Fri, 21 Aug 2009 06:24:01 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#542329; Package burn. (Fri, 21 Aug 2009 06:45:05 GMT)

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. (Fri, 21 Aug 2009 06:45:05 GMT)

Message #30 received at 542329@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: Philipp Weis <pweis@pweis.com>, 542329@bugs.debian.org
Cc: Debian BTS control <control@bugs.debian.org>
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Fri, 21 Aug 2009 16:36:58 +1000
[Message part 1 (text/plain, inline)]
package burn
tags 542329 - confirmed + unreproducible moreinfo
thanks

On 18-Aug-2009, Philipp Weis wrote:
> For a demonstration of the problem, create a valid ogg file and name
> it
> 
>   " | date #".ogg

Are the quote characters meant to be part of the filename? I assume
not, but I'm currently unable to reproduce this behaviour.

> Then run burn -A -a *.ogg, and burn will happily print the current
> date.

Here is the series of steps I'm following:

* Start with a known Ogg Vorbis file (in my case, ‘postgresql.ogg’).

* Copy the file to a problematic filename::

    $ cp postgresql.ogg " | date #".ogg
    $ ls -1 *.ogg
     | date #.ogg
    postgresql.ogg

* Run ‘burn’ (with no disc in the drive)::

    $ burn -A -a *.ogg
    You are not superuser (root). Do you still want to continue (yes/no) [yes]?
    Burn v.0.4.4  Written by Gaetano Paolone.
    Burn until recorded, now!
    This software comes with absolutely no warranty! Use at your own risk!
    Burn is free software.
    See software updates at <URL:http://www.bigpaul.org/burn/>.

    Audio-CD...

    Audio file processing. Please wait...

    Error. Please insert a blank CD/DVD.
    […]

At what point in the procedure do you see the date get printed?

Does the program continue with the rest of the normal procedure,
recording an audio disc?

Is it necessary to actually consume a blank disc to see this reported
behaviour?

-- 
 \           “If [a technology company] has confidence in their future |
  `\      ability to innovate, the importance they place on protecting |
_o__)     their past innovations really should decline.” —Gary Barnett |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Removed tag(s) confirmed. Request was from Ben Finney <ben+debian@benfinney.id.au> to control@bugs.debian.org. (Fri, 21 Aug 2009 06:45:08 GMT)

Added tag(s) unreproducible and moreinfo. Request was from Ben Finney <ben+debian@benfinney.id.au> to control@bugs.debian.org. (Fri, 21 Aug 2009 06:45:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Fri, 21 Aug 2009 12:36:15 GMT)

Acknowledgement sent to Philipp Weis <pweis@pweis.com>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Fri, 21 Aug 2009 12:36:15 GMT)

Message #39 received at 542329@bugs.debian.org:

From: Philipp Weis <pweis@pweis.com>
To: Ben Finney <ben+debian@benfinney.id.au>, 542329@bugs.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Fri, 21 Aug 2009 08:21:10 -0400

On 2009-08-21 16:36, Ben Finney <ben+debian@benfinney.id.au> wrote:
> On 18-Aug-2009, Philipp Weis wrote:
> > For a demonstration of the problem, create a valid ogg file and name
> > it
> > 
> >   " | date #".ogg
> 
> Are the quote characters meant to be part of the filename? I assume
> not, but I'm currently unable to reproduce this behaviour.

Yes, the quotes are part of the filename and crucial to the exploit.

So just use the following as your first step:

$ cp postgresql.ogg '" | date #".ogg'

No need to waste a disk for this, the date gets printed while
preparing the image.

Philipp


> > Then run burn -A -a *.ogg, and burn will happily print the current
> > date.
> 
> Here is the series of steps I'm following:
> 
> * Start with a known Ogg Vorbis file (in my case, ‘postgresql.ogg’).
> 
> * Copy the file to a problematic filename::
> 
>     $ cp postgresql.ogg " | date #".ogg
>     $ ls -1 *.ogg
>      | date #.ogg
>     postgresql.ogg
> 
> * Run ‘burn’ (with no disc in the drive)::
> 
>     $ burn -A -a *.ogg
>     You are not superuser (root). Do you still want to continue (yes/no) [yes]?
>     Burn v.0.4.4  Written by Gaetano Paolone.
>     Burn until recorded, now!
>     This software comes with absolutely no warranty! Use at your own risk!
>     Burn is free software.
>     See software updates at <URL:http://www.bigpaul.org/burn/>.
> 
>     Audio-CD...
> 
>     Audio file processing. Please wait...
> 
>     Error. Please insert a blank CD/DVD.
>     […]
> 
> At what point in the procedure do you see the date get printed?
> 
> Does the program continue with the rest of the normal procedure,
> recording an audio disc?
> 
> Is it necessary to actually consume a blank disc to see this reported
> behaviour?




Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Fri, 21 Aug 2009 17:42:08 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Fri, 21 Aug 2009 17:42:08 GMT)

Message #44 received at 542329@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ben Finney <ben+debian@benfinney.id.au>, Philipp Weis <pweis@pweis.com>, 542329@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Fri, 21 Aug 2009 19:37:17 +0200
Ben Finney wrote:
> package burn
> tags 542329 + security confirmed
> assign 542329 !
> thanks
> 
> On 18-Aug-2009, Philipp Weis wrote:
> > I just discovered that burn has trouble with quotation marks in file
> > names, and on a closer inspection it seems as if this actually has
> > security implications.
> 
> Thanks for the bug report; you're right that this is a security issue.

This is indeed a security issue, but not important enough to warrant
a DSA. However, we encourage maintainers to fix such minor security
issues through a point update. To do so, please prepare an updated
package for stable and send a debdiff to debian-release@lists.debian.org
for review.

Thanks,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#542329; Package burn. (Sat, 22 Aug 2009 00:45:04 GMT)

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. (Sat, 22 Aug 2009 00:45:04 GMT)

Message #49 received at 542329@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: 542329@bugs.debian.org
Cc: Debian BTS control <control@bugs.debian.org>
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Sat, 22 Aug 2009 10:38:34 +1000
[Message part 1 (text/plain, inline)]
package burn
tags 542329 - unreproducible
thanks

On 21-Aug-2009, Philipp Weis wrote:
> Yes, the quotes are part of the filename and crucial to the exploit.

Thanks. For the record, here are the steps I use to successfully
reproduce this bug:

* Start with a known Ogg Vorbis file (in my case, ‘postgresql.ogg’).

* Copy the file to a problematic filename::

    $ mv postgresql.ogg '" | date #".ogg'
    $ ls -1 *.ogg
    " | date #".ogg

* Run ‘burn’ (with no disc in the drive)::

    $ sudo burn -A -a ~/*.ogg
    Burn v.0.4.4  Written by Gaetano Paolone.
    Burn until recorded, now!
    This software comes with absolutely no warranty! Use at your own risk!
    Burn is free software.
    See software updates at <URL:http://www.bigpaul.org/burn/>.

    Audio-CD...

    Audio file processing. Please wait...


    To be burned:                   0 Mb
    Disk space needed:              0 Mb
    Media capacity:                 700 Mb
    Free disk space:                1294 Mb


    ---------------------------------------------
    Burn - Track summary
    ---------------------------------------------
    1 )     0:03 - /home/bignose/" | date #".ogg

    Total Audio-CD:  0:03

    Performing audio decoding with external decoder.
    [1/1] OGG       Processing /home/bignose/" | date #".ogg
    Fri Aug 21 23:37:35 EST 2009
    […]

-- 
 \          “Speech is conveniently located midway between thought and |
  `\        action, where it often substitutes for both.” —John Andrew |
_o__)                                  Holmes, _Wisdom in Small Doses_ |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Removed tag(s) unreproducible. Request was from Ben Finney <ben+debian@benfinney.id.au> to control@bugs.debian.org. (Sat, 22 Aug 2009 00:45:13 GMT)

Bug Marked as found in versions 0.4.3-2.1. Request was from ben@benfinney.id.au (Ben Finney) to control@bugs.debian.org. (Sat, 22 Aug 2009 00:48:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#542329; Package burn. (Sat, 22 Aug 2009 00:51:07 GMT)

Acknowledgement sent to Ben Finney <ben+debian@benfinney.id.au>:
Extra info received and forwarded to list. (Sat, 22 Aug 2009 00:51:07 GMT)

Message #58 received at 542329@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 542329@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Sat, 22 Aug 2009 10:48:23 +1000
[Message part 1 (text/plain, inline)]
On 21-Aug-2009, Moritz Muehlenhoff wrote:
> This is indeed a security issue, but not important enough to warrant
> a DSA. However, we encourage maintainers to fix such minor security
> issues through a point update.

I have taken on the upstream maintainer role for this package, and am
currently testing a fix for this bug in a new version.

> To do so, please prepare an updated package for stable and send a
> debdiff to debian-release@lists.debian.org for review.

Back-porting the fix will not be impossible, but will be very tedious
because of many refactoring changes in the meantime. I guess, for
exactly the same reason, it's not acceptable to submit a package of
the new upstream version?

-- 
 \      “Life does not cease to be funny when people die any more than |
  `\  it ceases to be serious when people laugh.” —George Bernard Shaw |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Sat, 22 Aug 2009 01:03:03 GMT)

Acknowledgement sent to Ben Finney <ben+python@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Sat, 22 Aug 2009 01:03:03 GMT)

Message #63 received at 542329@bugs.debian.org:

From: Ben Finney <ben+python@benfinney.id.au>
To: Philipp Weis <pweis@pweis.com>
Cc: 542329@bugs.debian.org, 542750@bugs.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Sat, 22 Aug 2009 10:55:47 +1000
[Message part 1 (text/plain, inline)]
package burn
retitle 542750 burn: should use ‘subprocess’ module for secure child process interaction
thanks

On 19-Aug-2009, Philipp Weis wrote:
> I just discovered that burn has trouble with quotation marks in file
> names, and on a closer inspection it seems as if this actually has
> security implications. I attached a tiny patch that fixes three of
> the quotation problems, but there seem to be more issues like this
> in the code, and I don't have the time right now to look closely at
> all of them.

Acting as upstream developer for the program, I have prepared a new
version that (among other changes) uses the ‘subprocess’ module, and
its sanitised argument handling, for all child process interactions.

This could have unforeseen effects. Could you please test the upstream
0.4.5 version from <URL:http://pypi.python.org/pypi/burn/0.4.5> and
make sure it works for all your use cases?

-- 
 \       “Try to learn something about everything and everything about |
  `\                                  something.” —Thomas Henry Huxley |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]
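
The following is an added worked example by the editor, not code from burn, from Ben Finney or from Philipp Weis. It illustrates the fix described in Message #15 (build an argument list for ‘subprocess.Popen’ instead of concatenating a command string) and in Message #63 (the ‘subprocess’ module's argument handling for child processes). The hostile filename is the reporter's own test case from this thread; the decoder name ‘ogg123’ is an assumption, since the page does not show which command burn invokes, and a throw-away Python child stands in for the real decoder so that the example runs anywhere. The broken command string is only tokenised for inspection, never executed.

```python
"""Added example, not burn's own code: what goes wrong when a command
line is built by string concatenation around a filename that contains a
double quote, and the two safe alternatives (an argument list handed to
subprocess.Popen, or shlex.quote() if a command string is unavoidable)."""
import json
import shlex
import subprocess
import sys

# Constructed input, taken from the bug report: the quotes are part of
# the filename, which is what makes it break a hand-quoted command line.
HOSTILE_NAME = '" | date #".ogg'

# Assumed decoder name; burn's real child command is not shown on the page.
DECODER = "ogg123"


def naive_command(filename):
    """The broken pattern: wrap the name in double quotes and hand the
    whole string to a shell. The quote inside the name closes the
    argument early, and the rest of the name is parsed as shell syntax."""
    return '%s "%s"' % (DECODER, filename)


def shell_words(command_line):
    """Approximate the words /bin/sh would see for a command string.
    shlex follows POSIX quoting rules and drops '#' comments, which is
    enough to show the split; nothing here is executed."""
    return shlex.split(command_line, comments=True)


def quoted_command(filename):
    """If a string command line is unavoidable, shlex.quote() wraps the
    name in single quotes (escaping any embedded single quote), so the
    shell sees exactly one word."""
    return "%s %s" % (DECODER, shlex.quote(filename))


def decoder_argv(filename):
    """The fix the maintainer describes: build an argument list and let
    subprocess pass it straight to execve(), with no shell in between."""
    return [DECODER, filename]


def argv_seen_by_child(filename):
    """Run a stand-in child the same way decoder_argv() would run the
    decoder, and return the argument list the child actually received.
    The stand-in is a tiny Python program that prints its argv as JSON."""
    stand_in = [sys.executable, "-c",
                "import json, sys; print(json.dumps(sys.argv[1:]))"]
    # Same arguments as the real call, with the decoder name swapped out.
    argv = stand_in + decoder_argv(filename)[1:]
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError("stand-in child failed")
    return json.loads(out.decode())


if __name__ == "__main__":
    print("naive command string  :", naive_command(HOSTILE_NAME))
    print("  words the shell sees:", shell_words(naive_command(HOSTILE_NAME)))
    print("shlex.quote command   :", quoted_command(HOSTILE_NAME))
    print("  words the shell sees:", shell_words(quoted_command(HOSTILE_NAME)))
    print("argv list, child saw  :", argv_seen_by_child(HOSTILE_NAME))
```

For the reporter's filename the naive string tokenises into four words, with ‘date’ standing alone as a second command and the tail of the name swallowed as a comment, which is exactly why the date appeared in the burn output; both safe forms deliver the name as one argument. The argument-list form is the one to prefer: it never involves a shell, so it stays correct for any byte sequence a filesystem allows, as long as nobody later adds ‘shell=True’ to the call.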

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Sat, 22 Aug 2009 02:15:05 GMT)

Acknowledgement sent to Philipp Weis <pweis@pweis.com>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Sat, 22 Aug 2009 02:15:05 GMT)

Message #68 received at 542329@bugs.debian.org:

From: Philipp Weis <pweis@pweis.com>
To: Ben Finney <ben+python@benfinney.id.au>, 542329@bugs.debian.org, 542750@bugs.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Fri, 21 Aug 2009 22:07:55 -0400
[Message part 1 (text/plain, inline)]
On 2009-08-22 10:55, Ben Finney <ben+python@benfinney.id.au> wrote:
> Acting as upstream developer for the program, I have prepared a new
> version that (among other changes) uses the ‘subprocess’ module, and
> its sanitised argument handling, for all child process interactions.
> 
> This could have unforeseen effects. Could you please test the upstream
> 0.4.5 version from <URL:http://pypi.python.org/pypi/burn/0.4.5> and
> make sure it works for all your use cases?

Ok, I just tested with a couple of file collections that I burned
recently, among them one with quotation marks in filenames that caused
me to report the problem in the first place. Everything seems fine,
thank you!

By the way, is the README file in that tar.gz empty intentionally?

Philipp


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Sat, 22 Aug 2009 02:54:03 GMT)

Acknowledgement sent to Ben Finney <ben+python@benfinney.id.au>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Sat, 22 Aug 2009 02:54:03 GMT)

Message #73 received at 542329@bugs.debian.org:

From: Ben Finney <ben+python@benfinney.id.au>
To: Philipp Weis <pweis@pweis.com>
Cc: 542329@bugs.debian.org, 542750@bugs.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Sat, 22 Aug 2009 12:46:51 +1000
[Message part 1 (text/plain, inline)]
On 21-Aug-2009, Philipp Weis wrote:
> Ok, I just test with a couple of file collections that I burned
> recently, among them one with quotation marks in filenames that caused
> me to report the problem in the first place. Everything seems fine,
> thank you!

Great. Was this tested all the way through to burning discs? I would
very much appreciate that, if you have one you are willing to record.

> By the way, is the README file in that tar.gz empty intentionally?

Whoops, no it's not intentional. (Amusingly enough, it was caused by a
mis-use of ‘subprocess’ :-)

I've fixed the generation of that file, and uploaded version 0.4.5
again: <URL:http://pypi.python.org/pypi/burn/0.4.5>. Please download
and test that if you have the chance.

-- 
 \           “I do not believe in forgiveness as it is preached by the |
  `\        church. We do not need the forgiveness of God, but of each |
_o__)                    other and of ourselves.” —Robert G. Ingersoll |
Ben Finney <ben@benfinney.id.au>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ben Finney <ben+debian@benfinney.id.au>:
Bug#542329; Package burn. (Sat, 22 Aug 2009 03:54:05 GMT)

Acknowledgement sent to Philipp Weis <pweis@pweis.com>:
Extra info received and forwarded to list. Copy sent to Ben Finney <ben+debian@benfinney.id.au>. (Sat, 22 Aug 2009 03:54:05 GMT)

Message #78 received at 542329@bugs.debian.org:

From: Philipp Weis <pweis@pweis.com>
To: Ben Finney <ben+python@benfinney.id.au>
Cc: 542329@bugs.debian.org, 542750@bugs.debian.org
Subject: Re: Bug#542329: burn: Quotation marks in filenames aren't handled properly.
Date: Fri, 21 Aug 2009 23:52:52 -0400
[Message part 1 (text/plain, inline)]
On 2009-08-22 12:46, Ben Finney <ben+python@benfinney.id.au> wrote:
> On 21-Aug-2009, Philipp Weis wrote:
> > Ok, I just test with a couple of file collections that I burned
> > recently, among them one with quotation marks in filenames that caused
> > me to report the problem in the first place. Everything seems fine,
> > thank you!
> 
> Great. Was this tested all the way through to burning discs? I would
> very much appreciate that, if you have one you are willing to record.

Ok, I just burned a disk with your new version, everything seems fine.

Philipp


-- 
Philipp Weis
[signature.asc (application/pgp-signature, inline)]

Removed tag(s) moreinfo. Request was from ben@benfinney.id.au (Ben Finney) to control@bugs.debian.org. (Sun, 23 Aug 2009 13:42:03 GMT)

Reply sent to Ben Finney <ben+debian@benfinney.id.au>:
You have taken responsibility. (Sun, 30 Aug 2009 14:30:22 GMT)

Notification sent to Philipp Weis <pweis@pweis.com>:
Bug acknowledged by developer. (Sun, 30 Aug 2009 14:30:22 GMT)

Message #85 received at 542329-close@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: 542329-close@bugs.debian.org
Subject: Bug#542329: fixed in burn 0.4.3-2.1+lenny1
Date: Sun, 30 Aug 2009 14:01:56 +0000
Source: burn
Source-Version: 0.4.3-2.1+lenny1

We believe that the bug you reported is fixed in the latest version of
burn, which is due to be installed in the Debian FTP archive:

burn_0.4.3-2.1+lenny1.dsc
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1.dsc
burn_0.4.3-2.1+lenny1.tar.gz
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1.tar.gz
burn_0.4.3-2.1+lenny1_amd64.deb
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 542329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Finney <ben+debian@benfinney.id.au> (supplier of updated burn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 Aug 2009 12:42:33 +1000
Source: burn
Binary: burn
Architecture: source amd64
Version: 0.4.3-2.1+lenny1
Distribution: stable
Urgency: high
Maintainer: Gaetano Paolone (bigpaul) <bigpaul@debian.org>
Changed-By: Ben Finney <ben+debian@benfinney.id.au>
Description: 
 burn       - Command line Data-CD, Audio-CD, ISO-CD, Copy-CD writing tool
Closes: 542329
Changes: 
 burn (0.4.3-2.1+lenny1) stable; urgency=high
 .
   * Non-maintainer upload.
   * Security fix for TEMP-0542329 burn: Insecure escaping of file names.
   * Backport fix for secure handling of child process command arguments.
     (Closes: Bug#542329)
Checksums-Sha1: 
 6038f9222c56610aae525241aed6714a784d36a5 755 burn_0.4.3-2.1+lenny1.dsc
 3d5a3cf783887025a3d69f828e690c92d305a874 47109 burn_0.4.3-2.1+lenny1.tar.gz
 82d99ceeda633a3026bd514966ae304bc91f8920 29228 burn_0.4.3-2.1+lenny1_amd64.deb
Checksums-Sha256: 
 d02da9f3abeb93a8536b7df6518ffe18b916ebfd4e92013833ae1c616ab423ae 755 burn_0.4.3-2.1+lenny1.dsc
 fb841c8563a355f56aecac7b2f6bcfd57da3965f3532771035c147e632d63bc2 47109 burn_0.4.3-2.1+lenny1.tar.gz
 bf3b2f9755b2f2afabed20c34b8ddde6a894337096d129877c35da43db892d99 29228 burn_0.4.3-2.1+lenny1_amd64.deb
Files: 
 15be6bd39aee965b68c6ad2d21396c52 755 otherosfs optional burn_0.4.3-2.1+lenny1.dsc
 8837c0d2bbe517cdcb3c4589c6c3cd24 47109 otherosfs optional burn_0.4.3-2.1+lenny1.tar.gz
 131a7e59a2a896bdec93b1b529030060 29228 otherosfs optional burn_0.4.3-2.1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqaa+4ACgkQB01zfu119ZmWdQCeNlo8ru3D246BmiMA4Egi/tIB
GewAn0CLPTkFoOg5PrJwdyAnTYBSeJ8N
=BFt3
-----END PGP SIGNATURE-----





Reply sent to Ben Finney <ben+debian@benfinney.id.au>:
You have taken responsibility. (Fri, 04 Sep 2009 19:21:32 GMT)

Notification sent to Philipp Weis <pweis@pweis.com>:
Bug acknowledged by developer. (Fri, 04 Sep 2009 19:21:33 GMT)

Message #90 received at 542329-close@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: 542329-close@bugs.debian.org
Subject: Bug#542329: fixed in burn 0.4.3-2.1+lenny1
Date: Fri, 04 Sep 2009 18:31:45 +0000
Source: burn
Source-Version: 0.4.3-2.1+lenny1

We believe that the bug you reported is fixed in the latest version of
burn, which is due to be installed in the Debian FTP archive:

burn_0.4.3-2.1+lenny1.dsc
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1.dsc
burn_0.4.3-2.1+lenny1.tar.gz
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1.tar.gz
burn_0.4.3-2.1+lenny1_amd64.deb
  to pool/main/b/burn/burn_0.4.3-2.1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 542329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Finney <ben+debian@benfinney.id.au> (supplier of updated burn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 Aug 2009 12:42:33 +1000
Source: burn
Binary: burn
Architecture: source amd64
Version: 0.4.3-2.1+lenny1
Distribution: stable
Urgency: high
Maintainer: Gaetano Paolone (bigpaul) <bigpaul@debian.org>
Changed-By: Ben Finney <ben+debian@benfinney.id.au>
Description: 
 burn       - Command line Data-CD, Audio-CD, ISO-CD, Copy-CD writing tool
Closes: 542329
Changes: 
 burn (0.4.3-2.1+lenny1) stable; urgency=high
 .
   * Non-maintainer upload.
   * Security fix for TEMP-0542329 burn: Insecure escaping of file names.
   * Backport fix for secure handling of child process command arguments.
     (Closes: Bug#542329)
Checksums-Sha1: 
 6038f9222c56610aae525241aed6714a784d36a5 755 burn_0.4.3-2.1+lenny1.dsc
 3d5a3cf783887025a3d69f828e690c92d305a874 47109 burn_0.4.3-2.1+lenny1.tar.gz
 82d99ceeda633a3026bd514966ae304bc91f8920 29228 burn_0.4.3-2.1+lenny1_amd64.deb
Checksums-Sha256: 
 d02da9f3abeb93a8536b7df6518ffe18b916ebfd4e92013833ae1c616ab423ae 755 burn_0.4.3-2.1+lenny1.dsc
 fb841c8563a355f56aecac7b2f6bcfd57da3965f3532771035c147e632d63bc2 47109 burn_0.4.3-2.1+lenny1.tar.gz
 bf3b2f9755b2f2afabed20c34b8ddde6a894337096d129877c35da43db892d99 29228 burn_0.4.3-2.1+lenny1_amd64.deb
Files: 
 15be6bd39aee965b68c6ad2d21396c52 755 otherosfs optional burn_0.4.3-2.1+lenny1.dsc
 8837c0d2bbe517cdcb3c4589c6c3cd24 47109 otherosfs optional burn_0.4.3-2.1+lenny1.tar.gz
 131a7e59a2a896bdec93b1b529030060 29228 otherosfs optional burn_0.4.3-2.1+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqaa+4ACgkQB01zfu119ZmWdQCeNlo8ru3D246BmiMA4Egi/tIB
GewAn0CLPTkFoOg5PrJwdyAnTYBSeJ8N
=BFt3
-----END PGP SIGNATURE-----





Reply sent to Ben Finney <ben+debian@benfinney.id.au>:
You have taken responsibility. (Sat, 05 Sep 2009 06:57:08 GMT)

Notification sent to Philipp Weis <pweis@pweis.com>:
Bug acknowledged by developer. (Sat, 05 Sep 2009 06:57:08 GMT)

Message #95 received at 542329-close@bugs.debian.org:

From: Ben Finney <ben+debian@benfinney.id.au>
To: 542329-close@bugs.debian.org
Subject: Bug#542329: fixed in burn 0.4.5-1
Date: Sat, 05 Sep 2009 06:47:13 +0000
Source: burn
Source-Version: 0.4.5-1

We believe that the bug you reported is fixed in the latest version of
burn, which is due to be installed in the Debian FTP archive:

burn_0.4.5-1.diff.gz
  to pool/main/b/burn/burn_0.4.5-1.diff.gz
burn_0.4.5-1.dsc
  to pool/main/b/burn/burn_0.4.5-1.dsc
burn_0.4.5-1_all.deb
  to pool/main/b/burn/burn_0.4.5-1_all.deb
burn_0.4.5.orig.tar.gz
  to pool/main/b/burn/burn_0.4.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 542329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Finney <ben+debian@benfinney.id.au> (supplier of updated burn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Aug 2009 23:32:37 +1000
Source: burn
Binary: burn
Architecture: source all
Version: 0.4.5-1
Distribution: unstable
Urgency: high
Maintainer: Ben Finney <ben+debian@benfinney.id.au>
Changed-By: Ben Finney <ben+debian@benfinney.id.au>
Description: 
 burn       - command-line tool for writing optical media
Closes: 542329 542750
Changes: 
 burn (0.4.5-1) unstable; urgency=high
 .
   * The “Miss is a sea fish” release.
   * Urgency high to address security alert TEMP-0542329.
   * New upstream version:
     + Documentation updates.
     + Use ‘subprocess’ module for secure invocation of child processes.
       (Closes: Bug#542329, Bug#542750)
     + No longer uses programs from ‘cdrecord’, instead switch to ‘cdrkit’
       programs.
   * debian/control:
     + Update to ‘Standards-Version: 3.8.3’. No extra changes needed.
     + Additional Build-Depends for building documentation.
   * debian/patches/:
     + 03.configure-current-executables.patch: obsoleted by new version.
   * debian/patches/series, debian/rules, debian/control:
     + Remove Quilt infrastructure as no patches are applied.
   * debian/copyright:
     + Update copyright dates.
   * debian/docs, debian/install, debian/doc-base:
     + New upstream file locations.
     + Register documentation for ‘doc-base’.
   * debian/pyversions:
     + Require at least Python 2.5.
Checksums-Sha1: 
 19baec5c6f86f8a12594cc33b34673e093bfc186 1203 burn_0.4.5-1.dsc
 82f3968c3582ee574e93e1aacfb6db55df6c6375 66608 burn_0.4.5.orig.tar.gz
 388e20423e700eb15ef124d3eadc13775dc51b4d 4867 burn_0.4.5-1.diff.gz
 60fb3d302951e291a9e0b67937d2365a52d33922 63920 burn_0.4.5-1_all.deb
Checksums-Sha256: 
 f41dfe4cc0eee85e9db6e3d70b3df197826b825aa4263aed669f8d07106b4b24 1203 burn_0.4.5-1.dsc
 87d4ca2e6525243935de77cbb3c1539a7cfa06f10cb23cb4b6d22cbfd1324d15 66608 burn_0.4.5.orig.tar.gz
 b861687022ce5b794f204f7c716990321901a826f41635ff150d155e13eb8126 4867 burn_0.4.5-1.diff.gz
 8f27cbe3300493bccfac3f658f72a669577f839fac3ed677f5be4e7fec4a3cdb 63920 burn_0.4.5-1_all.deb
Files: 
 aa2ddb74df2741e0122a7d37589cee1f 1203 otherosfs optional burn_0.4.5-1.dsc
 2e3fcd000584ffb5a714a771660d238e 66608 otherosfs optional burn_0.4.5.orig.tar.gz
 20e8da06b148cc5e20c2880161dd9197 4867 otherosfs optional burn_0.4.5-1.diff.gz
 d10da3faac76f29a00e2006bb255a7fc 63920 otherosfs optional burn_0.4.5-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqiBVoACgkQMDatjqUaT91mIwCffO8W55KVGttteaoGqb5ge0tt
lY0AoJ3Z6/6ImSq5KUt58rBHi/cpGh22
=CYTH
-----END PGP SIGNATURE-----
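
Both changelog entries above (the lenny backport's "secure handling of child process command arguments" and the 0.4.5 entry "Use 'subprocess' module for secure invocation of child processes") name the fix without showing the bug class. The following is an added example, not code from burn or its maintainers: it contrasts the pre-fix pattern (a shell command string with the filename wrapped in double quotes) with the post-fix pattern (an argv list handed to subprocess with no shell). The hostile filename is constructed for the example, `true` and a small Python child stand in for the real decoder so nothing is actually decoded, and every helper name is an assumption made here.

```python
"""Shell command string with a quoted filename (insecure) versus an argv list
passed to subprocess (secure).

Added example, not code from the burn package or its maintainers.  It shows the
bug class referred to by the changelog entries above.  The filename, the
stand-in child commands and all helper names are assumptions made here.
"""
import os
import shlex
import subprocess
import sys

# Constructed filename.  The double quote closes the quoting an unwary command
# builder put around the name; everything after it is parsed as shell syntax.
HOSTILE_NAME = 'track"; echo INJECTED; echo "x.ogg'

# shell=True means /bin/sh only on POSIX; on Windows it would be cmd.exe.
POSIX_SHELL = os.name == "posix"


def naive_command(decoder, filename):
    """Pre-fix pattern: one string for the shell, filename wrapped in quotes.
    Any double quote inside the name defeats the wrapping."""
    return '%s "%s"' % (decoder, filename)


def words_seen_by_shell(command):
    """Simulate the shell's word splitting and quote removal without running
    anything.  The two intended words come back as six; a real shell would in
    addition treat each embedded ';' as a command separator."""
    return shlex.split(command)


def shell_output(decoder, filename):
    """Hand the naive string to /bin/sh, as the old code did, and return what
    the shell printed.  With 'true' as the stand-in decoder, the only output
    comes from the commands smuggled in through the filename."""
    result = subprocess.run(
        naive_command(decoder, filename),
        shell=True,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
    )
    return result.stdout.decode()


def safe_argv(decoder_argv, filename):
    """Post-fix pattern: an argv list and no shell, so there is no quoting
    layer for the filename to escape from.  This list is what goes to
    subprocess.run / subprocess.Popen."""
    return list(decoder_argv) + [filename]


def child_sees(filename):
    """Run a stand-in child (this Python interpreter) that reports its argv[1],
    so the example works offline without a real decoder.  Returns that value,
    which is the filename byte-for-byte regardless of its contents."""
    reporter = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
    out = subprocess.run(safe_argv(reporter, filename),
                         stdout=subprocess.PIPE, check=True).stdout
    return out.decode()


if __name__ == "__main__":
    cmd = naive_command("true", HOSTILE_NAME)
    print("naive string:   ", cmd)
    print("shell words:    ", words_seen_by_shell(cmd))
    if POSIX_SHELL:
        print("shell printed:  ", repr(shell_output("true", HOSTILE_NAME)))
    print("child received: ", repr(child_sees(HOSTILE_NAME)))
```

The lesson matches the fix the maintainer chose: patching the quoting (escaping `"` and a few other characters) leaves every other shell metacharacter and expansion in play, whereas removing the shell from the call path removes the whole class. If a shell is genuinely unavoidable, the modern equivalent of safe quoting is `shlex.quote`, but an argv list with `shell=False` remains the default to reach for.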
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Oct 2009 07:35:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 04:14:56 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.