From the Debian bug: <snip> unp doesn't escape filenames properly. Try this: touch empty zip \`ls\`.zip empty unp \`ls\`.zip and it will give you a directory listing. This means that any application using 'unp' for a generic decompression utility might be vulnerable to a filename-based injection attack. </snip> Fixed in 1.0.13.
Looks valid, thanks for reporting. Hanno, please bump.
Bump done, amd64 and x86 please stabilize.
====amd64==== Amd64 seems to be ok. The vulnerability is not reproducable and the rest of the program works as expected. Portage 2.1.3.19 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64) ================================================================= System uname: 2.6.23-gentoo-r3 x86_64 AMD Athlon(tm) 64 Processor 3400+ Timestamp of tree: Mon, 24 Dec 2007 01:47:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -O2 -pipe" DISTDIR="/distfiles" FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict nostrip parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/overlay" SYNC="rsync://kv80/gentoo-portage" USE="X acl acpi aim alsa amd64 arts bash-completion berkdb bitmap-fonts branding cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv imap ipv6 isdnlog jpeg kde kerberos mad midi mikmod mmx mp3 mpeg mudflap mysql mysqli ncurses nls nptl nptlonly nvidia ogg opengl openmp oss pam pcre pdf perl png pppd python qt qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sqlite3 sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vim vim-syntax vorbis xine xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable, thanks gentoofan
x86 stable, last arch!
Seems the patch introduced regressions -- "now it seems unp can't handle filenames with whitespace anymore" unp (1.0.14) unstable; urgency=low . * Stop using libstring-shellquote-perl, it breaks things (closes: #457134) * Code review and rewrite of potentially dangerous methods, using environment variables and shell arguments to pass the variables to called commands (now really closes: #448437) Hanno, can you confirm that?
archs, regressions found, please stabilize 1.0.14.
x86 stable
amd64 done again..
security, I think this is ready for glsa
yes, filed. Thanks.
GLSA200801-01 -- happy new year! Thanks to everyone.
