[Bug 933148] Re: Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Launchpad Bug Tracker 933148 at bugs.launchpad.net
Thu Feb 16 03:10:12 UTC 2012


This bug was fixed in the package devscripts - 2.11.4ubuntu1

---------------
devscripts (2.11.4ubuntu1) precise; urgency=low

  * Merge from Debian unstable (LP: #933148), remaining changes:
    - Demote Recommends to Suggests:
      + libcrypt-ssleay-perl: only needed for a corner case (uscan on SSL
        download sites), wasn't installed by default in previous releases
        either, and seems quite dead upstream; universe only.
      + debian-keyring: not useful enough in Ubuntu; universe only.
      + equivs: too much of a hack to install by default; universe only.
      + libsoap-lite-perl: only needed for one less common command ("select")
        for bts, which isn't useful for Ubuntu itself, and pulls in a lot of
        other universe Perl libraries; universe only.
    - scripts/debchange.{pl,1}:
      + Adjust --security template for Ubuntu.
      + Add -U/--upstream flag that forces original "just increment
        the end" behaviour; Ubuntu is upstream for some pieces of software.
      + Add --distributor= and DEBCHANGE_DISTRIBUTOR to override lsb_release
        output.
      + Default to "precise" as distribution.
      + Add "ubuntu1" to version string for new versions, with tweaks for
        special cases.
      + Add -R/--rebuild flag for Ubuntu's no-change rebuilds.
      + Don't use the last distribution in debian/changelog when doing
        "dch -r" on Ubuntu. "Just because it was last uploaded to jaunty
        doesn't mean that's the right thing to do now."
    - Add test/debchange.pl, test/Makefile: debchange test suite.
    - Rename XS-Vcs-* to XS-Debian-Vcs-*.

devscripts (2.11.4) unstable; urgency=high

  * Urgency "high" for security fixes.

  [ James McCoy ]
  * bts: Revert usertags' handling of more than one +/-/=.  Only the first one
    is relevant.

  [ Ryan Niebur ]
  * dget: when finding the sources.list entry for the repository to
    download a package from, match any port with the correct hostname
    because apt-cache policy does not output port numbers in URLs
    (Closes: #601951)

  [ Adam D. Barratt ]
  * debdiff:
    + Fix a regression in the handling of embedded tarballs (a side
      effect of the changes introduced to resolve #571528).
    + Extend the changes from #571528 to cover more situations where
      user or file input is passed to an external program.  Fixes
      CVE-2012-2012 (and any instance of CVE-2012-2011 not already
      covered by #571528).

  [ Paul Wise ]
  * suspicious-source: Also ignore mercurial and darcs VCS directories
    (Closes: #659966).

  [ Benjamin Drung ]
  * suspicious-source: Add inode/x-empty to whitelist of MIME types
    (Closes: #659946).

  [ Raphael Geissert ]
  * debdiff:
    + Remove undocumented feature treating extensionless files as if
      they were packages (Closes: #659559)
    + Add missing chdir for dpkg-source and remove extraneous quoting
      of --exclude parameters.
    + Fix CVE-2012-0210 (insufficient input sanitising reading .dsc
      and .changes files).

 -- Tyler Hicks <tyhicks at canonical.com>   Wed, 15 Feb 2012 16:40:33 -0600

** Changed in: devscripts (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2011

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2012

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to devscripts in Ubuntu.
https://bugs.launchpad.net/bugs/933148

Title:
  Please merge devscripts 2.11.4 (main) from Debian unstable (main)

Status in “devscripts” package in Ubuntu:
  Fix Released

Bug description:
  This request is to merge in security updates. From DSA-2409-1:

  "Several vulnerabilities have been discovered in debdiff, a script used
  to compare two Debian packages, which is part of the devscripts package.
  The following Common Vulnerabilities and Exposures project ids have been
  assigned to identify them:

  CVE-2012-0210:

      Paul Wise discovered that due to insufficient input sanitising when
      processing .dsc and .changes files, it is possible to execute
      arbitrary code and disclose system information.

  CVE-2012-0211:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when processing source packages with
      specially-named tarballs in the top-level directory of the .orig
      tarball, allowing arbitrary code execution.

  CVE-2012-0212:

      Raphael Geissert discovered that it is possible to inject or modify
      arguments of external commands when passing as argument to debdiff
      a specially-named file, allowing arbitrary code execution."

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/devscripts/+bug/933148/+subscriptions
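The DSA text quoted in the bug description describes the bug class behind CVE-2012-0211 and CVE-2012-0212: a file name chosen by whoever built the package ends up inside a command line that debdiff hands to the shell. The Perl script below is an added illustration of that class and of the kind of fix the changelog refers to (calling system() in list form so no shell is involved, with "--" ending option parsing). It is not debdiff's own code; the scratch files, the file names and the choice of diff and wc as the external commands are the demo's own assumptions.

```perl
#!/usr/bin/perl
# Added illustration (not from devscripts): how a specially named file turns
# into extra shell commands or options when a script shells out with a single
# string, and how the list form of system() and open() avoids that.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Everything here is created in a scratch directory that is removed on exit.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# A name an attacker could give a file shipped in a source package or passed
# on the command line; it is a legal POSIX file name.
my $evil = 'a.txt;touch pwned';

write_file($evil,   "hello\n");
write_file('b.txt', "hello\nworld\n");

# 1. Unsafe: a single string containing shell metacharacters is run through
#    /bin/sh -c, so ';' ends the diff command and "touch pwned b.txt" runs.
system("diff $evil b.txt");
print "string form: ", ((-e 'pwned') ? 'pwned was created' : 'no pwned file'), "\n";
unlink 'pwned';

# 2. Safe: with two or more arguments Perl calls execvp() directly, no shell
#    is involved, and the whole name is a single argv element. '--' ends
#    option parsing, so a name such as '-N' or '--version' stays a path.
system('diff', '--', $evil, 'b.txt');
print "list form:   ", ((-e 'pwned') ? 'pwned was created' : 'no pwned file'), "\n";

# 3. The same rule applies when capturing output: backticks always go through
#    the shell, the list form of open() with '-|' does not.
open my $wc, '-|', 'wc', '-l', '--', $evil or die "wc: $!";
my ($lines) = <$wc> =~ /(\d+)/;
close $wc;
print "lines in the oddly named file: $lines\n";

# Three-argument open() takes the name literally; the two-argument form would
# interpret leading or trailing characters such as '>' or '|' as a mode.
sub write_file {
    my ($name, $content) = @_;
    open my $fh, '>', $name or die "open $name: $!";
    print {$fh} $content;
    close $fh or die "close $name: $!";
}
```

Running it, the string form leaves a "pwned" file behind while the list form only reports the difference between the two files. The rule of thumb the fix applies throughout debdiff is the same one shown here: never let a path reach /bin/sh, and put "--" before any argument that may begin with a dash.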
