Fsniper doesn't safely check file names.

Bug #403113 reported by Dave Walker
Affects           Status        Importance  Assigned to  Milestone
fsniper (Ubuntu)  Fix Released  Undecided   Dave Walker
  Jaunty          Fix Released  Undecided   Dave Walker
  Karmic          Fix Released  Undecided   Dave Walker

Bug Description

Fsniper doesn't safely check for single quotes and double quotes on watched files; this could potentially cause some injection. This has been discovered upstream, and their patch is attached.
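
Added example (not part of the original report, and not the upstream or Ubuntu patch): one way to make a file name safe before it is substituted into a shell command line, covering both single and double quotes. It assumes the handler is a template run through /bin/sh with `%%` marking the file name; the function names and the sample file name are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of `name` wrapped in single quotes for /bin/sh.
 * Inside '...' every byte is literal (double quotes included) except '
 * itself, so each embedded ' becomes '\'' (close, escaped quote, reopen). */
char *shell_quote(const char *name)
{
    size_t n = 3;                       /* two quotes + NUL */
    for (const char *p = name; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = name; *p; p++)
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Replace every "%%" in a handler template (placeholder assumed for this
 * example) with the quoted file name; the caller frees the result. */
char *build_command(const char *tmpl, const char *filename)
{
    char *q = shell_quote(filename);
    if (!q) return NULL;
    size_t qlen = strlen(q), n = 1;     /* 1 for the NUL */
    for (const char *p = tmpl; *p; )
        if (p[0] == '%' && p[1] == '%') { n += qlen; p += 2; }
        else { n++; p++; }
    char *cmd = malloc(n), *w = cmd;
    for (const char *p = tmpl; cmd && *p; )
        if (p[0] == '%' && p[1] == '%') { memcpy(w, q, qlen); w += qlen; p += 2; }
        else *w++ = *p++;
    if (cmd) *w = '\0';
    free(q);
    return cmd;
}

int main(void)
{
    /* constructed file name containing both kinds of quotation mark */
    char *cmd = build_command("echo %%", "it's \"new\".txt");
    if (cmd) puts(cmd);
    free(cmd);
    return 0;
}
```

This only holds when the placeholder sits outside any quotes in the template. Passing the file name as a separate argv element to an exec-family call avoids shell parsing altogether.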

Dave Walker (davewalker) wrote :
Changed in fsniper (Ubuntu):
status: New → In Progress
assignee: nobody → Dave Walker (davewalker)
Dave Walker (davewalker) wrote :

debdiff attached

Changed in fsniper (Ubuntu):
status: In Progress → Fix Committed
visibility: private → public
Brian Murray (brian-murray) wrote :

Looking at your debdiff I noticed that you have:

(Closes LP:#403116)

However, the correct format for closing the Launchpad bug includes a space, so you'll really want:

(Closes LP: #403116)

Of course this is also true for the other bug in the changelog. Thanks!

Dave Walker (davewalker) wrote :

Oops! Thanks, replacement debdiff attached.

Kees Cook (kees) wrote :

Hi! Thanks for the debdiff. For Karmic, the MOTU sponsors should be able to handle this. For jaunty, we need to follow https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Most notably, https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation mentions that the pocket must be jaunty-security, and the jaunty version should be -0ubuntu1.1 (to not conflict with karmic's updates). Generally, we try to avoid adding patching systems to already published sources. It does make sense for karmic, though.

Changed in fsniper (Ubuntu Karmic):
status: Fix Committed → In Progress
Changed in fsniper (Ubuntu Jaunty):
status: New → In Progress
Changed in fsniper (Ubuntu Karmic):
status: In Progress → Triaged
Changed in fsniper (Ubuntu Jaunty):
assignee: nobody → Dave Walker (davewalker)
status: In Progress → Triaged
Dave Walker (davewalker) wrote :

Thanks Kees.

Jaunty debdiff attached with version -0ubuntu1.1 and pocket jaunty-security.

Jamie Strandboge (jdstrand) wrote :
Changed in fsniper (Ubuntu Jaunty):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

For Jaunty it is preferred that you do not add a patch system since it introduces more changes to the package than are necessary. If you insist on adding the patch system, please follow https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines. As it is now, there is no attribution, origination of patches or upstream references anywhere in the debdiff, which makes it difficult to review. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for more details. Please update, resubmit and mark the bug back to 'In Progress'. Thanks for your work on this!

Changed in fsniper (Ubuntu Jaunty):
status: In Progress → Incomplete
Dave Walker (davewalker) wrote :

Attached is a further debdiff with modified changelog, and richer headers in the patches - as per PatchTaggingGuidelines.

If this is suitable, and gets an "Ack" I will attach a suitable debdiff for Karmic. (or should it just be merged?).

Changed in fsniper (Ubuntu Jaunty):
status: Incomplete → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff. The jaunty update is currently building.

Please get a MOTU to sponsor the karmic upload to preserve the upgrade path.

Changed in fsniper (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fsniper - 1.3.1-0ubuntu1.1

---------------
fsniper (1.3.1-0ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Permissions of PID file are set on current
    umask rather than 600. (LP: #403116)
    - debian/patches/pid_file_permissons_to_600.patch: adjust
      src/main.c to set permissions of PID to 600. Based on
      upstream patch.
  * SECURITY UPDATE: Quotation marks not safely checked in
    filenames. (LP: #403113)
    - debian/patches/singlequote_doublequote_issue.patch:
      adjust src/handle_event.c to include checking for both
      single and double quotation marks. Based on upstream
      patch.
  * Added quilt support to manage patches.
  * Bumped Debian package Standards-Version to 3.8.2

 -- Dave Walker (Daviey) <email address hidden> Fri, 24 Jul 2009 21:59:07 +0100

Changed in fsniper (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fsniper - 1.3.1-0ubuntu2

---------------
fsniper (1.3.1-0ubuntu2) karmic; urgency=low

  * SECURITY UPDATE: Permissions of PID file are set on current
    umask rather than 600. (LP: #403116)
    - debian/patches/pid_file_permissons_to_600.patch: adjust
      src/main.c to set permissions of PID to 600. Based on
      upstream patch.
  * SECURITY UPDATE: Quotation marks not safely checked in
    filenames. (LP: #403113)
    - debian/patches/singlequote_doublequote_issue.patch:
      adjust src/handle_event.c to include checking for both
      single and double quotation marks. Based on upstream
      patch.
  * Added quilt support to manage patches.
  * Bumped Debian package Standards-Version to 3.8.2

 -- Dave Walker (Daviey) <email address hidden> Fri, 24 Jul 2009 21:59:07 +0100

Changed in fsniper (Ubuntu Karmic):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.