Debian Bug report logs - #840014
webcheckout: CVE-2018-7032: missing URL sanitization

Package: myrepos; Maintainer for myrepos is Richard Hartmann <richih@debian.org>; Source for myrepos is src:myrepos.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 7 Oct 2016 16:36:04 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in version myrepos/1.20160123

Fixed in version myrepos/1.20180726

Done: Paul Wise <pabs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Fri, 07 Oct 2016 16:36:06 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webcheckout: missing URL sanitization
Date: Fri, 7 Oct 2016 18:27:12 +0200

Package: myrepos
Version: 1.20160123
Tags: security

webcheckout passes the extracted URL to "git clone", without any sanitization. 
Malicious website operators or MitM attackers could exploit it for arbitrary 
code execution.

PoC:

 $ webcheckout /path/to/badgit.html
 git clone ext::sh -c cowsay% pwned% >% /dev/tty
 Cloning into 'tty'...
  _______
 < pwned >
  -------
         \   ^__^
          \  (oo)\_______
             (__)\       )\/\
                 ||----w |
                 ||     ||
 fatal: Could not read from remote repository.


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

myrepos depends on no packages.

Versions of packages myrepos recommends:
ii  libhtml-parser-perl  3.72-2+b1
ii  libio-pty-easy-perl  0.09-2
ii  libwww-perl          6.15-1
ii  perl                 5.24.1~rc3-3

Versions of packages myrepos suggests:
pn  ack-grep          <none>
ii  bzr               2.7.0+bzr6619-2
ii  curl              7.50.1-1
pn  cvs               <none>
pn  darcs             <none>
pn  fossil            <none>
ii  git [git-core]    1:2.9.3-1
pn  kdesdk-scripts    <none>
ii  liburi-perl       1.71-1
ii  mercurial         3.9.1-1
ii  subversion        1.9.4-3+b1
pn  subversion-tools  <none>
pn  vcsh              <none>

-- 
Jakub Wilk
[badgit.html (text/html, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Wed, 07 Feb 2018 09:03:03 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Wed, 07 Feb 2018 09:03:03 GMT).


Message #8 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: 840014@bugs.debian.org, 840014-submitter@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: webcheckout: missing URL sanitization
Date: Wed, 07 Feb 2018 16:59:26 +0800

On Fri, 7 Oct 2016 18:27:12 +0200 Jakub Wilk wrote:

>  $ webcheckout /path/to/badgit.html
>  git clone ext::sh -c cowsay% pwned% >% /dev/tty

I consider this particular attack to be a bug in git and the
git authors seem to agree with me because it is blocked in sid.

Do you think this should be fixed in git or in webcheckout or both?

$ webcheckout ./badgit.html
git clone -- ext::sh -c cowsay% pwned% >% /dev/tty
Cloning into 'tty'...
fatal: transport 'ext' not allowed
failed to checkout ext::sh -c cowsay% pwned% >% /dev/tty

$ grep -riA6 git-remote-ext /usr/share/doc/git/RelNotes/ | head -n6
/usr/share/doc/git/RelNotes/2.4.10.txt: * Some protocols (like git-remote-ext) can execute arbitrary code
/usr/share/doc/git/RelNotes/2.4.10.txt-   found in the URL.  The URLs that submodules use may come from
/usr/share/doc/git/RelNotes/2.4.10.txt-   arbitrary sources (e.g., .gitmodules files in a remote
/usr/share/doc/git/RelNotes/2.4.10.txt-   repository), and can hurt those who blindly enable recursive
/usr/share/doc/git/RelNotes/2.4.10.txt-   fetch.  Restrict the allowed protocols to well known and safe
/usr/share/doc/git/RelNotes/2.4.10.txt-   ones.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#840014. (Wed, 07 Feb 2018 09:03:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Thu, 08 Feb 2018 20:48:02 GMT).


Message #14 received at 840014@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 840014@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>, Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Thu, 8 Feb 2018 21:44:14 +0100
* Paul Wise <pabs@debian.org>, 2018-02-07, 16:59:
>>  $ webcheckout /path/to/badgit.html
>>  git clone ext::sh -c cowsay% pwned% >% /dev/tty
>
>I consider this particular attack to be a bug in git and the git 
>authors seem to agree with me because it is blocked in sid.

It's hard to tell whether they agree, because disabling git-remote-ext 
by default is not documented AFAICT. See bug #867699.

Users might need to re-enable git-remote-ext for their own purposes, so 
this needs to be fixed in webcheckout.

webcheckout is also susceptible to option injection, but I couldn't find 
a way to exploit it for anything nefarious.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Fri, 09 Feb 2018 02:00:04 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Fri, 09 Feb 2018 02:00:04 GMT).


Message #19 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Fri, 09 Feb 2018 09:56:56 +0800

On Thu, 2018-02-08 at 21:44 +0100, Jakub Wilk wrote:

> It's hard to tell whether they agree, because disabling git-remote-ext 
> by default is not documented AFAICT. See bug #867699.

Thanks for the pointer.

> Users might need to re-enable git-remote-ext for their own purposes, so 
> this needs to be fixed in webcheckout.

How would you suggest doing that?

 * Blacklist ext::
 * Whitelist good remote protocols

How should it handle the bad remotes?

* Fail with "potentially unsafe git remote"
* Fail with "potentially unsafe git URL, may execute code: ext::*"
* Fail with "potentially unsafe git URL, may execute code:
             git clone ext::*"

> webcheckout is also susceptible to option injection, but I couldn't find 
> a way to exploit it for anything nefarious.

I made a patch for that locally, but I wanted the commit to link to the
canonical document about option injection but I cannot find a link.
IIRC it includes how to get RCE with tar/cpio/etc option injection.
Do you remember where that can be found?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sun, 11 Feb 2018 13:12:03 GMT).


Message #22 received at 840014@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 840014@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>, Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sun, 11 Feb 2018 14:09:01 +0100
* Paul Wise <pabs@debian.org>, 2018-02-09, 09:56:
>>Users might need to re-enable git-remote-ext for their own purposes, 
>>so this needs to be fixed in webcheckout.
>How would you suggest doing that?
>
> * Blacklist ext::
> * Whitelist good remote protocols

For Git (>= 2.12), you can set GIT_PROTOCOL_FROM_USER=0 in environment. 
Quoting git(1): "this is useful [...] for programs which feed 
potentially-untrusted URLS to git commands".

If you want to support older versions of Git, I guess you should mimic 
what GIT_PROTOCOL_FROM_USER=0 does by default, i.e. whitelist known-good 
protocols.

>How should it handle the bad remotes?

I think printing the whole suspicious URL would make sense.

>>webcheckout is also susceptible to option injection, but I couldn't 
>>find a way to exploit it for anything nefarious.
>I made a patch for that locally, but I wanted the commit to link to the 
>canonical document about option injection but I cannot find a link. 
>IIRC it includes how to get RCE with tar/cpio/etc option injection. Do 
>you remember where that can be found?

I haven't heard about it.

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sun, 11 Feb 2018 14:06:03 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Sun, 11 Feb 2018 14:06:03 GMT).


Message #27 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sun, 11 Feb 2018 22:04:11 +0800

On Sun, 2018-02-11 at 14:09 +0100, Jakub Wilk wrote:

> For Git (>= 2.12), you can set GIT_PROTOCOL_FROM_USER=0 in
> environment. 
> Quoting git(1): "this is useful [...] for programs which feed 
> potentially-untrusted URLS to git commands".

Ah, I missed that addition.

> If you want to support older versions of Git, I guess you should mimic 
> what GIT_PROTOCOL_FROM_USER=0 does by default, i.e. whitelist known-good 
> protocols.

I think I will check the git version and apply the manual whitelisting
only for versions of git older than 2.12.

> I think printing the whole suspicious URL would make sense.

OK.

> I haven't heard about it.

OK, pushed my patch for that.

http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=f8b5baf18928544ce5c3575641fe852a86e93254

I also made webcheckout prefer https:

http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=57b5fa2b85c6285c2f88de242016fdbeb112b91e

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sun, 11 Feb 2018 14:57:05 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Sun, 11 Feb 2018 14:57:05 GMT).


Message #32 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sun, 11 Feb 2018 22:54:58 +0800

On Sun, 2018-02-11 at 22:04 +0800, Paul Wise wrote:

> I think I will check the git version and apply the manual
> whitelisting only for versions of git older than 2.12.

Attached my proposed patch for the git issue.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
[0001-Mitigate-vulnerabilities-caused-by-some-git-remotes-.patch (text/x-patch, attachment)]

Changed Bug title to 'webcheckout: CVE-2018-7032: missing URL sanitization' from 'webcheckout: missing URL sanitization'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Feb 2018 19:57:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sun, 18 Feb 2018 21:30:04 GMT).


Message #37 received at 840014@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 840014@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>, Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sun, 18 Feb 2018 22:27:39 +0100
>+my ($major, $minor, undef) = split(/\./, $git_version);

You don't need trailing undef here. (The number of components in a git 
version varies between 3 and 4, so you can't make the number of items on 
the left side always match anyway.)

>+		if ($git_unsafe && $git_url !~ /^(?:https?|git|ssh|file):[^:]/) {

SSH protocol has an alternative (and I guess more popular) scp-like 
syntax:

   [user@]example.org:path/to/repo

There are also two syntaxes for local repositories, although I think 
neither should be allowed. It's *web*checkout after all...

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Mon, 19 Feb 2018 05:39:03 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Mon, 19 Feb 2018 05:39:04 GMT).


Message #42 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Mon, 19 Feb 2018 13:37:05 +0800

On Sun, 2018-02-18 at 22:27 +0100, Jakub Wilk wrote:

> You don't need trailing undef here.

Tested, removed

> SSH protocol has an alternative scp-like syntax:

Added, hope I got the regex right.

> There are also two syntaxes for local repositories, although I think 
> neither should be allowed. It's *web*checkout after all...

Blocked those.

Updated patch attached.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
[0001-Mitigate-vulnerabilities-caused-by-some-git-remotes-.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Mon, 19 Feb 2018 05:39:05 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Mon, 19 Feb 2018 05:39:05 GMT).


Message #47 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Mon, 19 Feb 2018 13:37:38 +0800

On Sun, 2018-02-18 at 22:27 +0100, Jakub Wilk wrote:

> You don't need trailing undef here.

Tested, removed.

> SSH protocol has an alternative scp-like syntax:

Added, hope I got the regex right.

> There are also two syntaxes for local repositories, although I think 
> neither should be allowed. It's *web*checkout after all...

Blocked those.

Updated patch attached.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
[0001-Mitigate-vulnerabilities-caused-by-some-git-remotes-.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Thu, 22 Feb 2018 21:12:03 GMT).


Message #50 received at 840014@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 840014@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>, Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Thu, 22 Feb 2018 22:09:04 +0100
>$git_url !~ m{^(?:(?:https?|git|ssh):[^:]|(?:[-_.a-z0-9]+@)?[-_.a-z0-9]+:(?:[^:]|$))}) {
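
Review bot: in the scp-like branch, both `[-_.a-z0-9]+` classes include `-`, so a user or host that begins with `-` passes this check. Requiring an alphanumeric first character, e.g. `[a-z0-9][-_.a-z0-9]*`, is stricter and does not reject any ordinary host name.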

Uppercase letters should be allowed in usernames and domains, I guess?

This regexp matches "foo://bar"; but this URL would make git execute 
remote helper "foo", which might be unsafe. I suggest replacing

  (?:[^:]|$)

with

  (?!:|//)

>qw(git clone -c protocol.file.allow=user --)

qw(git -c protocol.file.allow=user clone --) would be better here. 
The difference is that the former unnecessarily puts 
protocol.file.allow=user in the repo's .git/config.

-- 
Jakub Wilk
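
The effect of the review points in the message above, shown by running the quoted pattern and a variant with both suggestions applied over a few URLs. This is an added example, not code from webcheckout or from the upstream commit; the `$revised` pattern is a reconstruction for illustration and the sample URLs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern exactly as quoted in the review message.
my $quoted = qr{^(?:(?:https?|git|ssh):[^:]|(?:[-_.a-z0-9]+@)?[-_.a-z0-9]+:(?:[^:]|$))};

# Same pattern with the two suggestions applied: A-Z allowed in user and
# host, and (?:[^:]|$) replaced by the negative lookahead (?!:|//).
# Assumption: this is a reconstruction, not the regex that was committed.
my $revised = qr{^(?:(?:https?|git|ssh):[^:]|(?:[-_.a-zA-Z0-9]+@)?[-_.a-zA-Z0-9]+:(?!:|//))};

# Constructed sample URLs (the ext:: line is the PoC string from the report).
my @samples = (
    'https://example.org/repo.git',
    'ssh://git@example.org/repo.git',
    'git@example.org:path/to/repo',
    'Git@Example.org:path/to/repo',
    'ext::sh -c cowsay% pwned% >% /dev/tty',
    'foo://bar',
    'file:///srv/git/repo.git',
    '/srv/git/repo.git',
);

# Report whether a pattern would let the URL through to "git clone".
sub verdict {
    my ($re, $url) = @_;
    return $url =~ $re ? 'allow' : 'BLOCK';
}

printf "%-8s %-8s %s\n", 'quoted', 'revised', 'url';
printf "%-8s %-8s %s\n", verdict($quoted, $_), verdict($revised, $_), $_
    for @samples;
```

The rows to compare are `foo://bar` and `file:///srv/git/repo.git`, which the quoted pattern lets through its scp-like branch, and the mixed-case scp-like URL, which only the revised pattern accepts.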



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Fri, 23 Feb 2018 00:39:05 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Fri, 23 Feb 2018 00:39:05 GMT).


Message #55 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Fri, 23 Feb 2018 08:38:21 +0800

Control: tags -1 + fixed-upstream patch upstream
Control: forwarded -1 http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8

On Thu, 2018-02-22 at 22:09 +0100, Jakub Wilk wrote:

> Uppercase letters should be allowed in usernames and domains, I guess?

Added.

> This regexp matches "foo://bar"; but this URL would make git execute 
> remote helper "foo", which might be unsafe. I suggest replacing
> 
>    (?:[^:]|$)
> 
> with
> 
>    (?!:|//)

Replaced.

> qw(git -c protocol.file.allow=user clone --) would be better here. 
> The difference is that the former unnecessarily puts 
> protocol.file.allow=user in the repo's .git/config.

Used that instead.

I've pushed the commit upstream to the URL above.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Added tag(s) fixed-upstream, patch, and upstream. Request was from Paul Wise <pabs@debian.org> to 840014-submit@bugs.debian.org. (Fri, 23 Feb 2018 00:39:06 GMT).


Set Bug forwarded-to-address to 'http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=40a3df21c73f1bb1b6915cc6fa503f50814664c8'. Request was from Paul Wise <pabs@debian.org> to 840014-submit@bugs.debian.org. (Fri, 23 Feb 2018 00:39:06 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sat, 24 Feb 2018 17:51:03 GMT).


Message #62 received at 840014@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: 840014@bugs.debian.org
Cc: Paul Wise <pabs@debian.org>, Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sat, 24 Feb 2018 18:46:36 +0100
>if (int($major) >= 2 && int($minor) >= 12) {

">=" compares numerically even when arguments are strings, so the int() 
calls aren't needed here.

More importantly, this will break when Git 3.0 is released, because 
int($minor) >= 12 will no longer be true.

-- 
Jakub Wilk
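
The failure mode described in the message above, together with the plan from earlier in the thread (rely on GIT_PROTOCOL_FROM_USER=0 from Git 2.12 on, filter URLs manually before that). This is an added example, not webcheckout's code or the upstream fix; `git_version_of`, `has_protocol_from_user`, `mode` and the version lines are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pull the dotted version out of a `git --version` line.
sub git_version_of {
    my ($line) = @_;
    return $line =~ /^git version (\d+(?:\.[0-9A-Za-z]+)*)/ ? $1 : undef;
}

# The condition as quoted in the review: each component tested on its own.
sub quoted_check {
    my ($major, $minor) = split(/\./, $_[0]);
    return (int($major) >= 2 && int($minor) >= 12) ? 1 : 0;
}

# Hypothetical replacement: order (major, minor) as a pair, so any major
# above 2 counts as new enough whatever its minor number is.
sub has_protocol_from_user {
    my ($major, $minor) = split(/\./, $_[0]);
    return 0 unless defined $minor && "$major$minor" =~ /^\d+$/;
    return ($major > 2 || ($major == 2 && $minor >= 12)) ? 1 : 0;
}

# Which protection the caller would end up using for a given check result.
sub mode {
    return $_[0] ? 'GIT_PROTOCOL_FROM_USER=0' : 'manual allowlist';
}

# Constructed `git --version` lines; 3.0.0 is the future release the
# review refers to, and one line has four components.
my @lines = (
    'git version 2.9.3',
    'git version 2.11.0',
    'git version 2.12.0',
    'git version 2.16.1.2',
    'git version 3.0.0',
);

for my $line (@lines) {
    my $v = git_version_of($line);
    next unless defined $v;
    printf "%-9s quoted: %-25s pair-wise: %s\n",
        $v, mode(quoted_check($v)), mode(has_protocol_from_user($v));
}
```

Only the `3.0.0` row differs between the two columns: the quoted condition treats it as older than 2.12.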



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#840014; Package myrepos. (Sun, 25 Feb 2018 01:09:02 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Sun, 25 Feb 2018 01:09:02 GMT).


Message #67 received at 840014@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 840014@bugs.debian.org
Cc: Debian Security Team <security@debian.org>
Subject: Re: Bug#840014: webcheckout: missing URL sanitization
Date: Sun, 25 Feb 2018 09:05:17 +0800

On Sat, 2018-02-24 at 18:46 +0100, Jakub Wilk wrote:

> ">=" compares numerically even when arguments are strings, so the int() 
> calls aren't needed here.
> 
> More importantly, this will break when Git 3.0 is released, because 
> int($minor) >= 12 will no longer be true.

Fixed in git:

http://source.myrepos.branchable.com/?p=source.git;a=commitdiff;h=6808ec71ba7ae13f3cf755561aa4165e4f623f0d

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply sent to Paul Wise <pabs@debian.org>:
You have taken responsibility. (Thu, 26 Jul 2018 06:39:09 GMT).


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Thu, 26 Jul 2018 06:39:09 GMT).


Message #72 received at 840014-close@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: 840014-close@bugs.debian.org
Subject: Bug#840014: fixed in myrepos 1.20180726
Date: Thu, 26 Jul 2018 06:36:26 +0000
Source: myrepos
Source-Version: 1.20180726

We believe that the bug you reported is fixed in the latest version of
myrepos, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Wise <pabs@debian.org> (supplier of updated myrepos package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 26 Jul 2018 14:14:21 +0800
Source: myrepos
Binary: myrepos
Architecture: source
Version: 1.20180726
Distribution: unstable
Urgency: medium
Maintainer: Richard Hartmann <richih@debian.org>
Changed-By: Paul Wise <pabs@debian.org>
Description:
 myrepos    - tool to manage all your version control repos
Closes: 813738 828827 840014 849600
Changes:
 myrepos (1.20180726) unstable; urgency=medium
 .
   [ Andrew Bradford ]
   * Suggest perl-doc (Closes: #813738)
 .
   [ Mark Haber ]
   * Fix hours_since for git fake bare repos (Closes: #828827)
 .
   [ Tom Hoover ]
   * Fix 'no defined update command error' in example config
 .
   [ Pavel Nakonechnyi ]
   * More meaningful names for temporary files
 .
   [ Paul Wise ]
   * Mitigate vulns caused by git code execution (Closes: #840014, CVE-2018-7032)
   * Migrate from ack-grep to ack (Closes: #849600)
   * More reliable output supervision
   * Allow prepending commands to existing commands
   * Allow for fallback to default commands
   * Add support for caching command output
   * Add graph, remote, upgrade extensions
   * Improve the status output for CVS
   * Improve the git-cvs extension
   * Add shell extension to maintain a repo status cache
   * git registration improvements
   * webcheckout: prefer https transport
   * Suggest more tools that are used
   * Various packaging cleanups




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 25 Aug 2018 07:25:58 GMT).

