uscan: arbitrary code execution (CVE-2013-7050)

Related Vulnerabilities: CVE-2013-7050  

Debian Bug report logs - #731849
uscan: arbitrary code execution (CVE-2013-7050)


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Tue, 10 Dec 2013 13:45:01 UTC

Severity: grave

Tags: confirmed, security

Found in version devscripts/2.13.5

Fixed in version devscripts/2.13.8

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#731849; Package devscripts. (Tue, 10 Dec 2013 13:45:05 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uscan: arbitrary code execution
Date: Tue, 10 Dec 2013 14:40:23 +0100
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole

The newfangled debian/copyright-driven repacking can be exploited by 
malicious upstream to execute arbitrary code. Proof of concept is 
attached.

-- 
Jakub Wilk
[copyright (text/plain, attachment)]
[foo-42.tar.gz (application/octet-stream, attachment)]
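The report attaches its proof of concept but does not reproduce it, so the exact uscan code path is not visible on this page. The following Python sketch is an added example, not code from devscripts or from the reporter: it shows the bug class the report describes, tar member names chosen by upstream flowing into a shell command line during debian/copyright-driven repacking, where a name containing `;` becomes extra commands, and two hardened alternatives (an argv list that the shell never re-parses, and an in-process tarfile filter that needs no command line at all). The `Files-Excluded` field is the debian/copyright field uscan reads for repacking; the sample copyright stanza, the hostile member name, the `foo_42.orig.tar` filename and all function names are constructed for the illustration.

```python
"""Bug class behind #731849, as an added illustration (not uscan code):
upstream-chosen tar member names reaching a shell during
debian/copyright-driven repacking, and two ways to keep them as data."""
import fnmatch
import io
import shlex
import tarfile

# Constructed member name: what a malicious upstream could put in its
# tarball.  Illustrative only; the PoC attached to the report is not shown.
MALICIOUS_NAME = "foo-42/junk; touch /tmp/pwned; echo .c"

# Constructed debian/copyright header carrying the Files-Excluded field
# that uscan consults to decide which members to strip from the orig tarball.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded: junk*
 vendor/*.min.js
"""


def parse_files_excluded(copyright_text):
    """Collect Files-Excluded patterns, including indented continuation lines."""
    patterns, collecting = [], False
    for line in copyright_text.splitlines():
        if collecting and line[:1] in (" ", "\t"):
            patterns += line.split()
            continue
        collecting = False
        if line.lower().startswith("files-excluded:"):
            patterns += line.split(":", 1)[1].split()
            collecting = True
    return patterns


def excluded_members(member_names_list, patterns):
    """Glob-match the patterns against member paths below the top directory."""
    hits = []
    for name in member_names_list:
        rel = name.split("/", 1)[1] if "/" in name else name
        if any(fnmatch.fnmatchcase(rel, p) for p in patterns):
            hits.append(name)
    return hits


def vulnerable_delete_command(tarball, names):
    """Shell-string style: names are pasted into text that /bin/sh re-parses,
    so metacharacters inside a member name turn into additional commands."""
    return "tar --delete -f %s %s" % (tarball, " ".join(names))


def shell_commands_in(command_line):
    """Tokenise like a POSIX shell and split on ';' to show what would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def safe_delete_argv(tarball, names):
    """argv-list style: each name is exactly one argument and is never
    re-parsed; '--' keeps a name starting with '-' from being read as an option."""
    return ["tar", "--delete", "-f", tarball, "--"] + list(names)


def repack_without_shell(tar_bytes, patterns):
    """Safest option: filter in-process with tarfile, no command line at all."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        drop = set(excluded_members([m.name for m in src.getmembers()], patterns))
        for m in src.getmembers():
            if m.name not in drop:
                dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def make_sample_tarball():
    """Constructed upstream tarball: one ordinary file, one hostile name."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as t:
        for name, data in (("foo-42/README", b"hello\n"), (MALICIOUS_NAME, b"x\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return out.getvalue()


def member_names(tar_bytes):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as t:
        return [m.name for m in t.getmembers()]


if __name__ == "__main__":
    patterns = parse_files_excluded(SAMPLE_COPYRIGHT)
    tarball = make_sample_tarball()
    hits = excluded_members(member_names(tarball), patterns)
    print("shell would run:", shell_commands_in(vulnerable_delete_command("foo_42.orig.tar", hits)))
    print("argv form:", safe_delete_argv("foo_42.orig.tar", hits))
    print("repacked members:", member_names(repack_without_shell(tarball, patterns)))
```

The point to take from the three paths: the vulnerable string form hands the shell three commands for one excluded member, the argv form hands tar a single argument no matter what the name contains, and the tarfile form removes the external command entirely. Whichever a repacking tool picks, the invariant is that data coming out of the upstream archive is never concatenated into text that a shell will parse.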

Added tag(s) confirmed. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Tue, 10 Dec 2013 16:51:08 GMT)


Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Wed, 11 Dec 2013 00:09:04 GMT)


Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#731849. (Wed, 11 Dec 2013 00:09:08 GMT)


Message #10 received at 731849-submitter@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 731849-submitter@bugs.debian.org
Subject: Bug#731849 marked as pending
Date: Wed, 11 Dec 2013 00:07:00 +0000
tag 731849 pending
thanks

Hello,

Bug #731849 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=91f05b5

---
commit 91f05b5cc300af669b31a6f6b44d53b7d6817288
Author: James McCoy <jamessan@debian.org>
Date:   Tue Dec 10 19:06:33 2013 -0500

    uscan: Fix arbitrary command execution when using USCAN_EXCLUSION
    
    Closes: #731849
    Signed-off-by: James McCoy <jamessan@debian.org>

diff --git a/debian/changelog b/debian/changelog
index 2514d11..245f21c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,18 @@
-devscripts (2.13.7) unstable; urgency=medium
+devscripts (2.13.8) UNRELEASED; urgency=medium
 
   [ James McCoy ]
-  * Fix imports of Devscripts::Compression.  (Closes: #731847)
+  * uscan: Fix arbitrary command execution when using USCAN_EXCLUSION.
+    (Closes: #731849)
 
   [ Adam D. Barratt ]
   * Honour USCAN_EXCLUSION.  (Closes: #731885)
 
+ -- James McCoy <jamessan@debian.org>  Tue, 10 Dec 2013 19:02:04 -0500
+
+devscripts (2.13.7) unstable; urgency=medium
+
+  * Fix imports of Devscripts::Compression.  (Closes: #731847)
+
  -- James McCoy <jamessan@debian.org>  Tue, 10 Dec 2013 07:49:54 -0500
 
 devscripts (2.13.6) unstable; urgency=medium
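Review bot: the new 2.13.8 entry names only the trigger, "when using USCAN_EXCLUSION", and says nothing about why this is a security fix, namely that the input reaching the command comes from the upstream tarball via debian/copyright-driven repacking as the report states, nor does it cite a CVE; the identifier CVE-2013-7050 was attached to this bug two days after the commit, so the next upload's changelog should reference it, as Debian security fixes conventionally do. Moving the "Honour USCAN_EXCLUSION. (Closes: #731885)" line out of the already-uploaded 2.13.7 stanza into 2.13.8 is only correct if that change was not in the 2.13.7 upload; the 2.13.8 .changes below closing both 731849 and 731885 is consistent with that. Note also that this mail carries only the changelog hunk: the uscan code change itself is reachable only through the linked commitdiff, so nothing visible here confirms that every path building the tar command line was covered.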



Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Wed, 11 Dec 2013 04:21:09 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Wed, 11 Dec 2013 04:21:09 GMT)


Message #15 received at 731849-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 731849-close@bugs.debian.org
Subject: Bug#731849: fixed in devscripts 2.13.8
Date: Wed, 11 Dec 2013 04:18:29 +0000
Source: devscripts
Source-Version: 2.13.8

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 10 Dec 2013 20:26:42 -0500
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.13.8
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 731849 731885
Changes: 
 devscripts (2.13.8) unstable; urgency=medium
 .
   [ James McCoy ]
   * uscan: Fix arbitrary command execution when using USCAN_EXCLUSION.
     (Closes: #731849)
 .
   [ Adam D. Barratt ]
   * Honour USCAN_EXCLUSION.  (Closes: #731885)
Checksums-Sha1: 
 60f89f4d945eaa83b3a3072ad10b234837df9ab9 2123 devscripts_2.13.8.dsc
 40f5b1050bf0d01dca58c2563a90aee30bb21813 578112 devscripts_2.13.8.tar.xz
 f2fb36bbd7364d3d9dfd73b786eb36c1d463ad2b 862882 devscripts_2.13.8_amd64.deb
Checksums-Sha256: 
 c69e0ebb7a64ce61217b21ce7403f3487a376a771a515637ee4d9f1ea85e436b 2123 devscripts_2.13.8.dsc
 cda1046f25c9171c08d950c60ed72e780ef6e8e98039e02250a68bf2e2e30237 578112 devscripts_2.13.8.tar.xz
 1347ceeb8a4c843fa8d2095ce10d9e51a0c8d4ef5c3daff6f3dddc6ada49e00b 862882 devscripts_2.13.8_amd64.deb
Files: 
 e54b34228f5ecc9d863ce25d1e79d5d6 2123 devel optional devscripts_2.13.8.dsc
 8430b75b912e28e982639c320631e06c 578112 devel optional devscripts_2.13.8.tar.xz
 c670ece56c358b8e24bbe25d2fa87d76 862882 devel optional devscripts_2.13.8_amd64.deb





Changed Bug title to 'uscan: arbitrary code execution (CVE-2013-7050)' from 'uscan: arbitrary code execution'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 12 Dec 2013 06:15:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Jan 2014 07:34:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:48:40 2019; Machine Name: buxtehude
