[Bug 933148] Re: Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Tyler Hicks tyhicks at canonical.com
Wed Feb 15 23:25:52 UTC 2012 

debdiff between devscripts 2.11.4 and merged 2.11.4ubuntu1

** Patch added: "devscripts-2.11.4-to-2.11.4ubuntu1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+attachment/2743812/+files/devscripts-2.11.4-to-2.11.4ubuntu1.debdiff

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-0210

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-0211

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-0212

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148

Title:
  Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Status in “devscripts” package in Ubuntu:
  In Progress

Bug description:
  This request is to merge in security updates. From DSA-2409-1:

  "Several vulnerabilities have been discovered in debdiff, a script used
  to compare two Debian packages, which is part of the devscripts package.
  The following Common Vulnerabilities and Exposures project ids have been
  assigned to identify them:

  CVE-2012-0210:

      Paul Wise discovered that due to insufficient input sanitising when
      processing .dsc and .changes files, it is possible to execute
      arbitrary code and disclose system information.

  CVE-2012-0211:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when processing source packages with
      specially-named tarballs in the top-level directory of the .orig
      tarball, allowing arbitrary code execution.

  CVE-2012-0212:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when passing as argument to debdiff
      a specially-named file, allowing arbitrary code execution."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions

More information about the foundations-bugs mailing list