openSUSE has issued an advisory on May 13: https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00029.html The issue is fixed upstream in 2.10.
Done!
Advisory: ======================== Updated signing-party package fixes security vulnerability: The gpg-key2ps tool in signing-party contained an unsafe shell call enabling shell injection via a User ID (CVE-2019-11627). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11627 https://lists.opensuse.org/opensuse-updates/2019-05/msg00085.html ======================== Updated packages in core/updates_testing: ======================== signing-party-2.10-1.mga7 from signing-party-2.10-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugsCC: (none) => geiger.david68210
MGA7-64 Plasma on Lenovo B50 No istallation issues No idea what to test here. Googled and found https://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#overview which is hardly encouraging me that there is a simple wat to test this. Apparently installing this does not blow up anything else.
CC: (none) => herman.viaene
I generated a key using gpg, fingerprinted it, and signed it. Then generated the following partial using the utility mentioned above: $ gpg-key2ps 55CD3C892D36F8FD %!PS-Adobe-3.0 %%BoundingBox: 0 0 612 792 %%Title: %%Creator: gpg-key2ps %%CreationDate: Thu Dec 12 17:53:13 2019 %%Pages: 1 %%EndComments This is working as designed. Herman - we should get together and have a key signing party - when should I arrive. ;-)
Whiteboard: (none) => MGA7-64-OKCC: (none) => brtians1
Validating. Advisory in comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0386.html
Status: NEW => RESOLVEDResolution: (none) => FIXED