Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, Monkeysign has a minor security issue and two critical bugs (unreported but still quite important) that affect all versions after jessie. The 2.2.4 upload performed on unstable today fixes all of those, but I figured it was also important to backport those changes into an upcoming stretch release. Considering the security issue is minor and that it is also fixed by the recent GnuPG updates for CVE-2018-12020, a security upload does not seem appropriate. The attached patch is the debdiff for the last upload in unstable, which I think should be applied verbatim to stable as well. It fixes a crash in the API when manipulating GPG options (the "false" bit), CVE-2018-12020, fixes the test suite so it passes again, and properly sends email when all UIDs are signed. I can provide more details or open release-critical bugs for all of the above if you believe it is necessary. A. -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
diff -Nru monkeysign-2.2.3/CHANGELOG monkeysign-2.2.4/CHANGELOG
--- monkeysign-2.2.3/CHANGELOG 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/CHANGELOG 2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+ [ Tobias Rueetschi ]
+ * false isn't defined, that must be False
+
+ [ Antoine Beaupré ]
+ * actually send multiple emails instead of a single one
+ * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anar...@debian.org> Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
 [ Simon Fondrie-Teitler ]
diff -Nru monkeysign-2.2.3/debian/changelog monkeysign-2.2.4/debian/changelog
--- monkeysign-2.2.3/debian/changelog 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/debian/changelog 2018-06-18 12:18:46.000000000 -0400
@@ -1,3 +1,14 @@
+monkeysign (2.2.4) unstable; urgency=medium
+
+ [ Tobias Rueetschi ]
+ * false isn't defined, that must be False
+
+ [ Antoine Beaupré ]
+ * actually send multiple emails instead of a single one
+ * CVE-2018-12020: add no verbose to avoid fake signatures
+
+ -- Antoine Beaupré <anar...@debian.org> Mon, 18 Jun 2018 12:18:46 -0400
+
 monkeysign (2.2.3) unstable; urgency=medium
 
 [ Simon Fondrie-Teitler ]
diff -Nru monkeysign-2.2.3/monkeysign/gpg.py monkeysign-2.2.4/monkeysign/gpg.py
--- monkeysign-2.2.3/monkeysign/gpg.py 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/gpg.py 2018-06-18 12:18:46.000000000 -0400
@@ -102,6 +102,7 @@
 'with-colons': None,
 'with-fingerprint': None,
 'fixed-list-mode': None,
+ 'no-verbose': None,
 'list-options': 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire',
 }
 
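Review bot: The new `'no-verbose': None` entry is the CVE-2018-12020 mitigation named in the changelog, but nothing in the options table records that, and the removal path in the next hunk (`del self.options[option]`) lets any caller drop it again silently. I would annotate the entry: `'no-verbose': None,  # CVE-2018-12020: keep verbose diagnostics out of the --status-fd stream this parser trusts`. It is also worth confirming that `self.options` is copied per instance rather than aliasing the class-level `Context.options` that test_gpg.py reads, since a deletion on a shared dict would disable the option for every Context in the process. The options dict begins before this hunk, so I cannot see how it is bound to instances.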
@@ -126,7 +127,7 @@
 if option in self.options:
 del self.options[option]
 else:
- return false
+ return False
 
 def build_command(self, command):
 """internal helper to build a proper gpg commandline
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_gpg.py monkeysign-2.2.4/monkeysign/tests/test_gpg.py
--- monkeysign-2.2.3/monkeysign/tests/test_gpg.py 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_gpg.py 2018-06-18 12:18:46.000000000 -0400
@@ -42,7 +42,7 @@
 options = Context.options
 
 # ... and this is the rendered version of the above
- rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet' ]
+ rendered_options = ['gpg', '--command-fd', '0', '--with-fingerprint', '--list-options', 'show-sig-subpackets,show-uid-validity,show-unusable-uids,show-unusable-subkeys,show-keyring,show-sig-expire', '--batch', '--fixed-list-mode', '--no-tty', '--with-colons', '--use-agent', '--status-fd', '2', '--quiet', '--no-verbose' ]
 
 def setUp(self):
 self.gpg = Context()
diff -Nru monkeysign-2.2.3/monkeysign/tests/test_network.py monkeysign-2.2.4/monkeysign/tests/test_network.py
--- monkeysign-2.2.3/monkeysign/tests/test_network.py 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/tests/test_network.py 2018-06-18 12:18:46.000000000 -0400
@@ -29,7 +29,7 @@
 sys.path.insert(0, os.path.dirname(__file__) + '/../..')
 from monkeysign.gpg import TempKeyring
-from test_lib import TestTimeLimit, AlarmException, find_test_file, skipUnlessNetwork
+from test_lib import TestTimeLimit, AlarmException, find_test_file, skipUnlessNetwork, skipIfDatePassed
 @skipUnlessNetwork()
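Review bot: With `false` corrected to `False`, the method now returns `False` only when the option was absent and falls off the end (returning `None`) after a successful `del`, so callers cannot test the result as a boolean consistently. Either document that contract in the method's docstring (`Returns None after removing the option, False if it was not set`) or `return True` after the `del` if no caller depends on `None`. The enclosing method starts before this hunk, so I cannot see whether a docstring already exists.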
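Review bot: The updated `rendered_options` literal pins an exact argument order that appears to come from iterating the `options` dict (it does not match the dict literal's order in gpg.py), so appending `'--no-verbose'` after `'--quiet'` encodes whatever order this interpreter happened to produce rather than a property of the rendering logic. Comparing `sorted()` forms, or asserting on the set of flag tokens plus a separate check that `'--list-options'` is immediately followed by its value, would make the test state what it actually wants. The test class begins outside the hunk.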
@@ -52,6 +52,7 @@
 except AlarmException:
 raise unittest.case._ExpectedFailure(sys.exc_info())
 
+ @skipIfDatePassed('2017-02-25T00:00:00UTC')
 def test_special_key(self):
 """test a key that sign_key had trouble with"""
 self.assertTrue(self.gpg.import_data(open(find_test_file('96F47C6A.asc')).read()))
diff -Nru monkeysign-2.2.3/monkeysign/ui.py monkeysign-2.2.4/monkeysign/ui.py
--- monkeysign-2.2.3/monkeysign/ui.py 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/ui.py 2018-06-18 12:18:46.000000000 -0400
@@ -612,7 +612,7 @@
 if len(self.signed_keys) < 1:
 self.warn(_('no key signed, nothing to export'))
-
+ ret = True
 for fpr, key in self.signed_keys.items():
 if self.chosen_uid is None:
 for uid in key.uids.values():
@@ -621,14 +621,15 @@
 except GpgRuntimeError as e:
 self.warn(_('failed to create email: %s') % e)
 break
- return self.sendmail(msg)
+ ret = ret and self.sendmail(msg)
 else:
 try:
 msg = EmailFactory(self.tmpkeyring.export_data(fpr), fpr, self.chosen_uid, from_user, self.options.to)
 except GpgRuntimeError as e:
 self.warn(_('failed to create email: %s') % e)
 break
- return self.sendmail(msg)
+ ret = self.sendmail(msg)
+ return ret
 
 def sendmail(self, msg):
 """actually send the email
diff -Nru monkeysign-2.2.3/monkeysign/_version.py monkeysign-2.2.4/monkeysign/_version.py
--- monkeysign-2.2.3/monkeysign/_version.py 2017-01-24 15:40:35.000000000 -0500
+++ monkeysign-2.2.4/monkeysign/_version.py 2018-06-18 12:18:46.000000000 -0400
@@ -1,4 +1,4 @@
 # coding: utf-8
 # file generated by setuptools_scm
 # don't change, don't track in version control
-version = '2.2.3'
+version = '2.2.4'
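Review bot: The new `@skipIfDatePassed('2017-02-25T00:00:00UTC')` names a date that was already past when this change was made (the changelog entry is dated 2018-06-18), so `test_special_key` is disabled unconditionally from the moment it lands, and nothing records why. If the reason is that the 96F47C6A.asc test key expired on that date, say so next to the decorator, e.g. `# 96F47C6A.asc presumably expired 2017-02-25; sign_key can no longer be exercised on it — TODO confirm`; if the test has no remaining value, deleting it or using `unittest.skip` with a reason is clearer than a date gate. The test class begins outside the hunk.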
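Review bot: `ret = True` is assigned after the `len(self.signed_keys) < 1` warning without returning, so the "nothing to export" path still reports success to the caller. If the return value is meant to mean "all emails were sent", that branch should `return False` (or `ret` should start as `bool(self.signed_keys)`); the method header and its callers start before this hunk, so I cannot tell which meaning they rely on. The same `ret` bookkeeping continues in the next hunk.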
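Review bot: `ret = ret and self.sendmail(msg)` short-circuits: once one email fails, `sendmail` is never called for the remaining UIDs, so the "send multiple emails" fix stops after the first failure; `ret = self.sendmail(msg) and ret` keeps sending and still records the failure. In the `else` branch `ret = self.sendmail(msg)` overwrites earlier results, so a failed key followed by a successful one returns True; the same `self.sendmail(msg) and ret` form fixes that too. The `break` paths after the `failed to create email` warning also leave `ret` untouched, so that failure is not reflected in the return value either; `ret = False` before each `break` would close it. The enclosing method starts before this hunk.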