resolve http://bugs.debian.org/600304 -- do not place arbitrary/escaped user ids... monkeysphere_0.31-3
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 15 Oct 2010 20:47:43 +0000 (16:47 -0400)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 15 Oct 2010 21:52:01 +0000 (17:52 -0400)
debian/changelog
debian/patches/600304.diff [new file with mode: 0644]
debian/patches/series

index aa9b05a8665d2cb903d12e021b5795b611be020e..b03dff715399fa92ed673a784f27182a6869cab0 100644 (file)
@@ -1,3 +1,9 @@
+monkeysphere (0.31-3) unstable; urgency=high
+
+  * avoid mis-escaping uids, fixes a security issue. (Closes: #600304)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Fri, 15 Oct 2010 16:46:17 -0400
+
 monkeysphere (0.31-2) unstable; urgency=low
 
   * sleep a bit in keytrans suite to ensure that at least a full second
diff --git a/debian/patches/600304.diff b/debian/patches/600304.diff
new file mode 100644 (file)
index 0000000..6588ead
--- /dev/null
@@ -0,0 +1,13 @@
+diff --git a/src/share/ma/keys_for_user b/src/share/ma/keys_for_user
+index f48d5d3..b0c3cf5 100644
+--- a/src/share/ma/keys_for_user
++++ b/src/share/ma/keys_for_user
+@@ -44,7 +44,7 @@ export GNUPGHOME
+ # extract user IDs from authorized_user_ids file
+ IFS=$'\n'
+ for line in $(meat "$authorizedUserIDs") ; do
+-    su_monkeysphere_user ". ${SYSSHAREDIR}/common; keys_for_userid '$line'"
++    printf '%s\n' "$line" | su_monkeysphere_user ". ${SYSSHAREDIR}/common; keys_for_userid \"\$X\"" || true
+ done
+ }
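Review bot: The replacement line expands `$X` inside the inner shell, but nothing visible in this hunk assigns it: the uid is piped to stdin and no `read` in the command string consumes it. Unless `X` is set by `su_monkeysphere_user` or by the sourced `common` file (neither is shown here), `keys_for_userid` would be called with an empty argument, and the trailing `|| true` would hide the resulting failure. Reading the value explicitly and raw would make the data path self-contained and keep backslashes in a uid intact: `printf '%s\n' "$line" | su_monkeysphere_user ". ${SYSSHAREDIR}/common; IFS= read -r X; keys_for_userid \"\$X\"" || true`. The enclosing function starts above the hunk, so whether `|| true` is deliberate best-effort cannot be judged from here; a short comment saying so would help.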
index 101870b2d54ac3fd827808f626304bd3911b61c0..af8e9c73d6dfb358454750360363224dc8d3be0c 100644 (file)
@@ -1 +1,2 @@
 591118.diff
+600304.diff