Your message dated Sun, 16 Dec 2012 18:17:51 +0100
with message-id <cadk7b0pkt3cl9zogggfn+5cnge0as5fvzzquthl0+2wfypw...@mail.gmail.com>
and subject line Package removed
has caused the Debian Bug report #557134,
regarding syscp: incorrect usage of escapeshellcmd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
557134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: syscp
Severity: important
Version: 1.4.2.1-1
Tags: security

Hi,

I just found the following incorrect usage of escapeshellcmd, when 
escapeshellarg is needed:

/usr/share/syscp/lib/class_apsinstaller.php:
$Return = safe_exec('php ' . escapeshellcmd($this->RealPath . 
$this->DomainPath . '/install_scripts/configure install'), $ReturnStatus);

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec('openssl genrsa -out ' . escapeshellcmd($privkey_filename) . ' 1024');

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
safe_exec('openssl rsa -in ' . escapeshellcmd($privkey_filename) .
    ' -pubout -outform pem -out ' . escapeshellcmd($pubkey_filename));

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
 safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
 safe_exec("chmod 0640 " . escapeshellcmd($privkey_filename));

/usr/share/syscp/scripts/cron_tasks.inc.dns.10.bind.php:
 safe_exec("chmod 0664 " . escapeshellcmd($pubkey_filename));

Using 'important' as severity and tagging as 'security' until it is verified 
that the input of escapeshellcmd() comes from a trusted source and not from 
the user.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
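
Added example, not part of the original report and not SysCP code: it shows how the shell splits a filename passed through escapeshellcmd() versus escapeshellarg(), then rebuilds the reported calls with one quoted argument each. The sample paths, build_cmd() and shell_args() are assumptions made for illustration; SysCP's safe_exec() is not called.

```php
<?php
// Added example, not SysCP code. Paths below are constructed sample input.

// Quote every argument separately; the program name is a fixed literal.
function build_cmd(string $program, array $args): string
{
    return $program . ' ' . implode(' ', array_map('escapeshellarg', $args));
}

// Ask the shell how it splits a command tail. printf stands in for
// openssl/chmod, so nothing on disk is touched; it emits one bracketed
// line per argument it receives.
function shell_args(string $tail): array
{
    $out = (string) shell_exec("printf '[%s]\\n' " . $tail);
    return explode("\n", rtrim($out, "\n"));
}

$privkey_filename = '/tmp/dkim example.com -extra.priv'; // constructed
$real_path        = '/var/www/customer one';             // constructed

// Pattern from the report: escapeshellcmd() escapes shell metacharacters
// but leaves whitespace alone, so one filename becomes several arguments.
$weak = shell_args(escapeshellcmd($privkey_filename));

// escapeshellarg() single-quotes the value, so it stays one argument.
$strong = shell_args(escapeshellarg($privkey_filename));

printf("escapeshellcmd: %d argument(s)\n", count($weak));
print_r($weak);
printf("escapeshellarg: %d argument(s)\n", count($strong));
print_r($strong);

// The reported calls rebuilt with one quoted argument each. In the first
// call the script path and 'install' are two arguments, so quoting the
// whole concatenated string with escapeshellarg() would be wrong as well.
echo build_cmd('php', [$real_path . '/install_scripts/configure', 'install']), "\n";
echo build_cmd('openssl', ['genrsa', '-out', $privkey_filename, '1024']), "\n";
echo build_cmd('chmod', ['0640', $privkey_filename]), "\n";
```

Quoting keeps a value in one argument but does not stop a value that begins with '-' from being read as an option, so filenames passed this way should be absolute paths.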
--- Begin Message ---
Version: 1.4.2.1-2.1+rm

Dear submitter,

as the package sigit has been removed from the Debian archive unstable
we hereby close the associated bug reports.  We are sorry that we
couldn't deal with your issue properly.

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

--- End Message ---
