[Bug 933148] Re: Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Micah Gersten
launchpad at micahscomputing.com
Thu Feb 16 03:03:05 UTC 2012
Looks fine except that it's a merge from unstable, not testing and the
LP bug wasn't closed. I'm adding these things and will sponsor after a
test build, thanks for your work on this!
** Changed in: devscripts (Ubuntu)
Assignee: Micah Gersten (micahg) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148
Title:
Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Status in “devscripts” package in Ubuntu:
Fix Released
Bug description:
This request is to merge in security updates. From DSA-2409-1:
"Several vulnerabilities have been discovered in debdiff, a script used
to compare two Debian packages, which is part of the devscripts package.
The following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:
CVE-2012-0210:
Paul Wise discovered that due to insufficient input sanitising when
processing .dsc and .changes files, it is possible to execute
arbitrary code and disclose system information.
CVE-2012-0211:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when processing source packages with
specially-named tarballs in the top-level directory of the .orig
tarball, allowing arbitrary code execution.
CVE-2012-0212:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when passing as argument to debdiff
a specially-named file, allowing arbitrary code execution."
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions
More information about the foundations-bugs
mailing list