Package: reportbug Version: 6.5.0 Severity: normal Tags: patch Hi Sandro,
Attached is the debdiff used for 6.5.0+nmu1 uploaded due to DSA-2997-1 / CVE-2014-0479. Regards, Salvatore
diff -Nru reportbug-6.5.0/debian/changelog reportbug-6.5.0+nmu1/debian/changelog
--- reportbug-6.5.0/debian/changelog 2014-01-26 20:42:00.000000000 +0100
+++ reportbug-6.5.0+nmu1/debian/changelog 2014-08-03 16:03:24.000000000 +0200
@@ -1,3 +1,13 @@
+reportbug (6.5.0+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2014-0479: Arbitrary code execution in compare_versions.
+ A man-in-the-middle attacker could put shell metacharacters in the
+ version number, causing execution of code of their choice.
+ Thanks to Jakub Wilk <jw...@debian.org>
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 03 Aug 2014 16:03:15 +0200
+
 reportbug (6.5.0) unstable; urgency=low
 [ Sandro Tosi ]
diff -Nru reportbug-6.5.0/reportbug/checkversions.py reportbug-6.5.0+nmu1/reportbug/checkversions.py
--- reportbug-6.5.0/reportbug/checkversions.py 2014-01-26 20:42:00.000000000 +0100
+++ reportbug-6.5.0+nmu1/reportbug/checkversions.py 2014-08-03 16:02:42.000000000 +0200
@@ -37,6 +37,7 @@
 # needed to parse new.822
 from debian.deb822 import Deb822
+from debian import debian_support
 RMADISON_URL = 'http://qa.debian.org/madison.php?package=%s&text=on'
 INCOMING_URL = 'http://incoming.debian.org/'
@@ -87,13 +88,7 @@
 """Return 1 if upstream is newer than current, -1 if current is newer than upstream, and 0 if the same."""
 if not current or not upstream: return 0
- rc = os.system('dpkg --compare-versions %s lt %s' % (current, upstream))
- rc2 = os.system('dpkg --compare-versions %s gt %s' % (current, upstream))
- if not rc:
- return 1
- elif not rc2:
- return -1
- return 0
+ return debian_support.version_compare(upstream, current)
 def later_version(a, b):
 if compare_versions(a, b) > 0:
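Review bot: The replacement line `return debian_support.version_compare(upstream, current)` closes the shell injection but lets a malformed version string raise instead of returning 0: python-debian's Version constructor rejects strings it cannot parse with ValueError (worth confirming against the python-debian shipped in stable), whereas the removed dpkg-based path fell through to `return 0` when both `os.system` calls returned non-zero. Since `upstream` presumably comes from the plain-http RMADISON_URL/INCOMING_URL shown in the first hunk, the same man-in-the-middle attacker the changelog describes can still make reportbug traceback, and `later_version` (visible just after the hunk) catches nothing. I would catch that case and keep the old "cannot compare → 0" behaviour, with a comment recording that the input is untrusted, as below. The argument order is right: version_compare(upstream, current) is positive when upstream is newer, which matches the docstring. compare_versions's `def` line lies outside the hunk.
```python
    # … unchanged: docstring …
    if not current or not upstream: return 0
    try:
        return debian_support.version_compare(upstream, current)
    except ValueError:
        # Version strings come from unauthenticated HTTP responses; a string
        # python-debian cannot parse is treated as "not comparable" (0), as the
        # old dpkg-based path effectively did, rather than crashing the caller.
        return 0
```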