[Bug 933148] Re: Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Ubuntu Foundation's Bug Bot
933148 at bugs.launchpad.net
Thu Feb 16 00:13:23 UTC 2012
The attachment "devscripts-2.11.3ubuntu1-to-2.11.4ubuntu1.debdiff" of
this bug report has been identified as being a patch in the form of a
debdiff. The ubuntu-sponsors team has been subscribed to the bug report
so that they can review and hopefully sponsor the debdiff. In the event
that this is in fact not a patch you can resolve this situation by
removing the tag 'patch' from the bug report and editing the attachment
so that it is not flagged as a patch. Additionally, if you are a member
of the ubuntu-sponsors team please also unsubscribe the team from this
bug report.
[This is an automated message performed by a Launchpad user owned by
Brian Murray. Please contact him regarding any issues with the action
taken in this bug report.]
** Tags added: patch
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148
Title:
Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Status in “devscripts” package in Ubuntu:
In Progress
Bug description:
This request is to merge in security updates. From DSA-2409-1:

"Several vulnerabilities have been discovered in debdiff, a script used
to compare two Debian packages, which is part of the devscripts package.
The following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:

CVE-2012-0210:
Paul Wise discovered that due to insufficient input sanitising when
processing .dsc and .changes files, it is possible to execute
arbitrary code and disclose system information.

CVE-2012-0211:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when processing source packages with
specially-named tarballs in the top-level directory of the .orig
tarball, allowing arbitrary code execution.

CVE-2012-0212:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when passing as argument to debdiff
a specially-named file, allowing arbitrary code execution."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions