Your message dated Sun, 29 Dec 2024 18:32:08 +0000
with message-id <e1try5a-00fhtg...@fasolo.debian.org>
and subject line Bug#1089015: fixed in ucf 3.0043+nmu1+deb12u1
has caused the Debian Bug report #1089015,
regarding ucf: inherits variable from environment that is then used in eval
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1089015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089015
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ucf
Version: 3.0038+nmu1
Tags: patch security
Severity: serious
Control: fixed -1 3.0044
Hello,

During the process of salvaging src:ucf[1], I discovered that the 'saved'
variable is inherited uninitialised from the environment and then passed to
eval. All stable Debian versions appear to be affected:

    mark@apollo:/tmp% sudo saved='$(ls -l)' ucf /dev/null /tmp/new.conf
    ucf: unrecognized option '-rw-r--r--'
    ucf: unrecognized option '-rw-------'
    ucf: unrecognized option '-rw-------'
    ucf: unrecognized option '-rwxr-xr-x'
    ucf: unrecognized option '-rw-r--r--'
    ucf: unrecognized option '-rw-r--r--'
    ucf: unrecognized option '-rw-r--r--'
    ucf: unrecognized option '-rw-r--r--'

The minimal immediate fix seems straightforward (see attached patch). But I want
to be sure that I haven't missed consideration of a case that requires
inheriting this from the environment.

Mark

[1] https://bugs.debian.org/1086847
From a0d7ce5b7216e8be117ff10ecfcd47ce287cf306 Mon Sep 17 00:00:00 2001
From: Mark Hindley <m...@hindley.org.uk>
Date: Sun, 17 Nov 2024 09:47:42 +0000
Subject: [PATCH] Safely initialise variable subsequently passed to eval.
Fixes:
mark@apollo:/tmp% sudo saved='$(ls -l)' ucf /dev/null /tmp/new.conf
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-------'
ucf: unrecognized option '-rw-------'
ucf: unrecognized option '-rwxr-xr-x'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'
ucf: unrecognized option '-rw-r--r--'
---
ucf | 1 +
1 file changed, 1 insertion(+)
diff --git a/ucf b/ucf
index 6855cd7..0191243 100755
--- a/ucf
+++ b/ucf
@@ -294,6 +294,7 @@ NEW_SUFFIX="ucf-new"
OLD_SUFFIX="ucf-old"
ERR_SUFFIX="merge-error"
# save up the cmdline with proper quoting/escaping
+saved=
for arg in "$@"; do
saved="${saved:+$saved }'$(quote_single "$arg")'"
done
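Review bot: the new `saved=` line ahead of the `for arg in "$@"` loop carries no explanation, and the existing comment above it only mentions quoting, so a later cleanup could drop the assignment as a redundant initialiser. Suggest extending that comment to say that `saved` must be reset because `${saved:+$saved }` would otherwise prepend whatever the environment supplied and the result is later passed to eval. Any other accumulator in the script built with the same `${var:+$var }` idiom deserves the same explicit reset before its first append.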
--
2.39.5
--- End Message ---
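The failure mode reported above, reduced to a stand-alone sketch (an added example, not code from ucf or from the reporter). `quote_single` is a stand-in whose body is assumed, re-parsing with `eval "set -- $saved"` is an assumption about how the saved command line is consumed, and the inherited value is a constructed, harmless `$(echo INJECTED)`.

```shell
#!/bin/sh
# Stand-in for ucf's quote_single (body assumed, not shown on the page):
# escape each ' as '\'' so the argument can sit inside single quotes.
quote_single() {
    printf '%s' "$1" | sed "s/'/'\\\\''/g"
}

# Save "$@" with quoting, then re-parse it with eval (assumed consumer).
# $1 = "patched" resets 'saved' first, which is the one-line fix;
# $1 = "unpatched" keeps whatever value the variable already had.
reparse() {
    mode=$1
    shift
    if [ "$mode" = patched ]; then
        saved=
    fi
    for arg in "$@"; do
        saved="${saved:+$saved }'$(quote_single "$arg")'"
    done
    eval "set -- $saved"
    # Report how many arguments eval produced and what they are.
    printf '%s\n' "$#:$*"
}

# Constructed input: 'saved' arrives pre-set, as if inherited from the
# environment, carrying a harmless command substitution.
demo() {
    saved='$(echo INJECTED)'
    reparse "$1" /dev/null "it's.conf"
}

demo unpatched   # 3:INJECTED /dev/null it's.conf
demo patched     # 2:/dev/null it's.conf
```

The extra first argument in the unpatched run is the output of the command substitution, which shows that the inherited text was executed by eval rather than treated as data; the correctly quoted arguments, including the one with an embedded single quote, survive unchanged in both runs.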
--- Begin Message ---
Source: ucf
Source-Version: 3.0043+nmu1+deb12u1
Done: Mark Hindley <lee...@debian.org>
We believe that the bug you reported is fixed in the latest version of
ucf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1089...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Hindley <lee...@debian.org> (supplier of updated ucf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 20 Dec 2024 07:39:40 +0000
Source: ucf
Architecture: source
Version: 3.0043+nmu1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Manoj Srivastava <sriva...@debian.org>
Changed-By: Mark Hindley <lee...@debian.org>
Closes: 1089015
Changes:
ucf (3.0043+nmu1+deb12u1) bookworm; urgency=medium
.
* Initialise variable subsequently passed to eval. (Closes: #1089015)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---