[Bug 933148] [NEW] Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Tyler Hicks tyhicks at canonical.com
Wed Feb 15 22:52:12 UTC 2012 

Public bug reported:

This request is to merge in security updates. From DSA-2409-1:

"Several vulnerabilities have been discovered in debdiff, a script used
to compare two Debian packages, which is part of the devscripts package.
The following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:

CVE-2012-0210:

    Paul Wise discovered that due to insufficient input sanitising when
    processing .dsc and .changes files, it is possible to execute
    arbitrary code and disclose system information.

CVE-2012-0211:

    Raphael Geissert discovered that it is possible to inject or modify
    arguments of external commands when processing source packages with
    specially-named tarballs in the top-level directory of the .orig
    tarball, allowing arbitrary code execution.

CVE-2012-0212:

    Raphael Geissert discovered that it is possible to inject or modify
    arguments of external commands when passing as argument to debdiff
    a specially-named file, allowing arbitrary code execution."

** Affects: devscripts (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148

Title:
  Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Status in “devscripts” package in Ubuntu:
  In Progress

Bug description:
  This request is to merge in security updates. From DSA-2409-1:

  "Several vulnerabilities have been discovered in debdiff, a script used
  to compare two Debian packages, which is part of the devscripts package.
  The following Common Vulnerabilities and Exposures project ids have been
  assigned to identify them:

  CVE-2012-0210:

      Paul Wise discovered that due to insufficient input sanitising when
      processing .dsc and .changes files, it is possible to execute
      arbitrary code and disclose system information.

  CVE-2012-0211:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when processing source packages with
      specially-named tarballs in the top-level directory of the .orig
      tarball, allowing arbitrary code execution.

  CVE-2012-0212:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when passing as argument to debdiff
      a specially-named file, allowing arbitrary code execution."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions

More information about the foundations-bugs mailing list