Bug#1089043: marked as done (ucf: Environment sanitization breaks with multi-line values)

[Debian Bug Tracking System]

Your message dated Wed, 04 Dec 2024 22:23:16 +0000
with message-id <e1tixm8-00cb5n...@fasolo.debian.org>
and subject line Bug#1089043: fixed in ucf 3.0045
has caused the Debian Bug report #1089043,
regarding ucf: Environment sanitization breaks with multi-line values
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1089043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089043
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: ucf
Version: 3.0044
Severity: important

I noticed https://salsa.debian.org/cjwatson/debusine/-/jobs/6699495
today, containing:

  Setting up ucf (3.0044) ...
  ...
  Setting up postgresql-common (267) ...
  /usr/bin/ucf: 13: unset: Part of #568.: bad variable name
  dpkg: error processing package postgresql-common (--configure):
   installed postgresql-common package post-installation script subprocess 
returned error exit status 2

"Part of #568." is a fragment of the commit message of the commit being
tested here, which is exported as an environment variable by GitLab CI.
Since the commit message is multi-line, the value of that environment
variable is too.

In the latest ucf, I see:

  # Sanitise environment
  while read -r env ; do
      env="${env%%=*}"
      case "$env" in
          PATH|PWD|TERM) ;;
          DEB_*|DEBIAN_*|DEBCONF_*) ;;
          UCF_*) ;;
          *) unset "$env" ;;
      esac
  done<<EOF
  $(env)
  EOF

This is unsafe if any variables are multi-line, since it assumes
newline-separation.

Perhaps something like this approach would help:

  for env in $(env -0 | cut -z -d= -f1 | xargs -0); do
      case "$env" in
          ...
      esac
  done

... but I haven't really tested this and it certainly needs some careful
review.

Thanks,

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]

--- End Message ---

--- Begin Message ---

Source: ucf
Source-Version: 3.0045
Done: Mark Hindley <lee...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ucf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1089...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Hindley <lee...@debian.org> (supplier of updated ucf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Dec 2024 21:36:34 +0000
Source: ucf
Architecture: source
Version: 3.0045
Distribution: unstable
Urgency: medium
Maintainer: Mark Hindley <lee...@debian.org>
Changed-By: Mark Hindley <lee...@debian.org>
Closes: 1089043
Changes:
 ucf (3.0045) unstable; urgency=medium
 .
   * Back out new environment sanitisation for now. (Closes: #1089043)
Checksums-Sha1:
 368c5ff05ed09243c06d0d19cce48c59c24fa955 1512 ucf_3.0045.dsc
 6464476502b3bdab568ba864f530b44c8b4291ee 71324 ucf_3.0045.tar.xz
 fb7a218757a47f535fc4c7c73a18a1a7777326ec 6421 ucf_3.0045_amd64.buildinfo
Checksums-Sha256:
 11dfebfbd10692579cf08dc3f5fee75c0b2f4b4f3a2422b3b8573696a234f60c 1512 
ucf_3.0045.dsc
 c04762273fd5724d33c67b2d2ad5d6d02b21aa7d1974359157c829168f09f7f7 71324 
ucf_3.0045.tar.xz
 de3abfca6f726dba333adfc2cc4a56544b6289b464025a826a283c9d4ffd7f1e 6421 
ucf_3.0045_amd64.buildinfo
Files:
 299126b3354b2d34bd71e00c0010ee51 1512 utils standard ucf_3.0045.dsc
 6f32a95308fbd7b19b4bd4b57f12604b 71324 utils standard ucf_3.0045.tar.xz
 c2436c33c43486c7fe5cdd1c58c8b345 6421 utils standard ucf_3.0045_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUGwVpCsK9aCoVCPu0opFvzKH1kkFAmdQzk8ACgkQ0opFvzKH
1kntUw//SDYi+ZfXneiyq09lmPMt2Ee9gPzIdKEp1+forKey6GO5+8q5hNTNhOsw
54bETw6w3UOptK8UmeBQR7ILA6VleenrNz8k1wLVMg5laFgAQD4maKEptYdzoo7n
xENN2iUugO+NDjsxQUU2+jSQt1VuvIalX7SRjpd+n1CJs3IfsfDZ+LVb0ZmrPaF9
ZwI33VjPgbpvRQmyJ4TFAQ+S675piFJrxVl2gvgd+m3l9oMnvQup48ZaZa4WLdVm
nr4MVCywpwjAHdijOuE9pi0jXza+6be9X9tDDZQ2kMXJaTNv0NzQLIakfuV2kA/M
gKElGHQeg1NgNCZj8k/01KEnZsPGgzyiI+v85G40cZpH5eKl3HrGb03yHJmTXEro
OHHQfCyIcIv93mffLDI/hOaN91sGHysqv93MqNLO92cXSRgNR1EPSlYAOyoYJCnm
zO03MugAvoCqkMd6Wv0OIDgxDObVrkn7WFFrK7lYAA8t9OBoueKWABwYQHr0iuOb
CCN+I/uv3h+qxUC9wWSynz76t2zeO4Wd+nPrCfKochMEEhwPrvuusVIG+smk57kV
5fENwWEx0HA5v+EBysPO8fJeA4nTzBqVINoDcFO4FLHvInxn2VItSYOwu7zt1la4
fsbwsfnJt0Nhvj0gx/mIJRV+EjdeXe8aB0nx8LKXJ7NWbmRKagQ=
=mTEZ
-----END PGP SIGNATURE-----

pgpzkq2SA9O8k.pgp
Description: PGP signature

--- End Message ---