[Bug 933148] Re: Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Stefano Rivera
launchpad at rivera.za.net
Wed Feb 15 23:02:56 UTC 2012
** This bug has been flagged as a security vulnerability
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148
Title:
Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Status in “devscripts” package in Ubuntu:
In Progress
Bug description:
This request is to merge in security updates. From DSA-2409-1:
"Several vulnerabilities have been discovered in debdiff, a script used
to compare two Debian packages, which is part of the devscripts package.
The following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:
CVE-2012-0210:
Paul Wise discovered that due to insufficient input sanitising when
processing .dsc and .changes files, it is possible to execute
arbitrary code and disclose system information.
CVE-2012-0211:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when processing source packages with
specially-named tarballs in the top-level directory of the .orig
tarball, allowing arbitrary code execution.
CVE-2012-0212:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when passing as argument to debdiff
a specially-named file, allowing arbitrary code execution."
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions
More information about the foundations-bugs
mailing list