oss-sec mailing list archives
CVE request: devscripts (uscan) command execution flaw
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 11 Dec 2013 15:03:10 +1100

Good morning,

A flaw was reported in the uscan script of devscripts:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849

From that bug report:

""
The newfangled debian/copyright-driven repacking can be exploited by malicious upstream to execute arbitrary code.
""

The fix:

http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=91f05b5

Can a CVE please be assigned? (I guess this is not Debian specific, devscripts looks like it is/will be in the next Fedora release.)

Thanks!

--
Murray McAllister / Red Hat Security Response Team
