devscripts: licensecheck: CVE-2015-5705: argument injection vulnerability

Related Vulnerabilities: CVE-2015-5705   CVE-2015-5704  

Debian Bug report logs - #794365

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 2 Aug 2015 07:33:10 UTC

Severity: important

Tags: patch, pending, security

Found in version devscripts/2.15.5

Fixed in version devscripts/2.15.8

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, jwilk@debian.org, dr@jones.dk, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#794365; Package devscripts. (Sun, 02 Aug 2015 07:33:13 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, jwilk@debian.org, dr@jones.dk, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Sun, 02 Aug 2015 07:33:13 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: submit@bugs.debian.org
Subject: devscripts: licensecheck: CVE-2015-5705: argument injection vulnerability
Date: Sun, 2 Aug 2015 09:20:34 +0200
Package: devscripts
Version: 2.15.5
Severity: important
Tags: security
Control: retitle 794260 devscripts: licensecheck: CVE-2015-5704: shell injection vulnerability

Hi,

On Fri, Jul 31, 2015 at 09:32:33PM +0200, Jakub Wilk wrote:
> (If the variable were expanded by shell, command injection wouldn't be even
> possible. You could still exploit argument injection, but that's less
> exciting.)

Let's open this to a new bug, since not fixed with #794260.
CVE-2015-5705 was assigned to the argument injection vulnerability,
see http://www.openwall.com/lists/oss-security/2015/08/01/7.

Regards,
Salvatore
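
The distinction drawn in the quoted text above, as an added example that is not part of the original report or of devscripts: running file without a shell stops command injection, yet a file name that begins with "-" (such as -C, the switch named in the fix's commit message further down this log) is still parsed as an option unless "--" precedes it. The option subset, the "--brief --mime --dereference" invocation and the sample names are assumptions, and Python's getopt stands in for file's option parser so the block runs offline.

```python
import getopt

# Real file(1) options, just enough of them to model its getopt-style parsing.
SHORT_OPTS = "biLCm:"
LONG_OPTS = ["brief", "mime", "dereference", "compile", "magic-file="]
BASE = ["file", "--brief", "--mime", "--dereference"]  # assumed invocation


def build_argv(path, hardened):
    """List-form argv (no shell involved); hardened adds the "--" separator."""
    return BASE + (["--", path] if hardened else [path])


def split_argv(argv):
    """Split argv[1:] into (options, operands) as a getopt-based CLI would."""
    try:
        opts, operands = getopt.gnu_getopt(argv[1:], SHORT_OPTS, LONG_OPTS)
    except getopt.GetoptError as exc:
        # e.g. a file named "-m" is read as an option missing its argument
        return ["<usage error: %s>" % exc.msg], []
    return [name for name, _ in opts], operands


def audit(names):
    """Map each name to True if the unhardened call loses it as an operand."""
    report = {}
    for name in names:
        _, operands = split_argv(build_argv(name, hardened=False))
        report[name] = name not in operands
    return report


# Constructed sample names, as they might appear in an unpacked source tree.
# "notes; v2.txt" shows that shell metacharacters are inert in list-form exec.
SAMPLES = ["COPYING", "src/main.c", "-C", "--mime", "-m", "notes; v2.txt"]

if __name__ == "__main__":
    for name, swallowed in audit(SAMPLES).items():
        hardened_ops = split_argv(build_argv(name, hardened=True))[1]
        print("%-16r swallowed_as_option=%-5s hardened_operands=%r"
              % (name, swallowed, hardened_ops))
```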



Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#794365; Package devscripts. (Sun, 02 Aug 2015 07:45:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Sun, 02 Aug 2015 07:45:03 GMT).


Message #10 received at 794365@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 794365@bugs.debian.org
Subject: Re: Bug#794365: devscripts: licensecheck: CVE-2015-5705: argument injection vulnerability
Date: Sun, 2 Aug 2015 09:43:00 +0200
Control: tags -1 + patch

Hi

Attached is proposed patch.

Regards,
Salvatore
[0001-licensecheck-Separate-command-line-options-for-file-.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 794365-submit@bugs.debian.org. (Sun, 02 Aug 2015 07:45:03 GMT).


Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Sun, 02 Aug 2015 13:12:08 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#794365. (Sun, 02 Aug 2015 13:12:11 GMT).


Message #17 received at 794365-submitter@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 794365-submitter@bugs.debian.org
Subject: Bug#794365 marked as pending
Date: Sun, 02 Aug 2015 13:09:23 +0000
tag 794365 pending
thanks

Hello,

Bug #794365 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=d8f8fa1

---
commit d8f8fa1d8e4151fa62997cb74403f97ab0d7e1a2
Author: James McCoy <jamessan@debian.org>
Date:   Sun Aug 2 09:03:43 2015 -0400

    licensecheck: Separate filename from args in file call
    
    This prevents the situation where $file happens to be a valid switch
    for the file command (e.g. -C) which causes side-effects.  If properly
    set up, it's possible to cause file to traverse a symlink and overwrite a
    file.
    
    Closes: #794365, CVE-2015-5705
    Signed-off-by: James McCoy <jamessan@debian.org>

diff --git a/debian/changelog b/debian/changelog
index 87ea8d3..71f2afa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+devscripts (2.15.8) UNRELEASED; urgency=medium
+
+  * licensecheck:
+    + Avoid argument injection which may cause file to overwrite a file
+      through symlink indirection.  (Closes: #794365, CVE-2015-5705)
+
+ -- James McCoy <jamessan@debian.org>  Sun, 02 Aug 2015 08:56:00 -0400
+
 devscripts (2.15.7) unstable; urgency=medium
 
   * licensecheck:
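
Review bot: the new 2.15.8 entry is marked "urgency=medium" although its only change closes CVE-2015-5705, a file overwrite through symlink indirection; consider "urgency=high" before release so the security fix migrates promptly. The entry could also say how the injection is avoided (the commit message says the filename is separated from the arguments in the file call), which helps anyone auditing the changelog later.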



Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Sun, 02 Aug 2015 13:21:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 02 Aug 2015 13:21:10 GMT).


Message #22 received at 794365-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 794365-close@bugs.debian.org
Subject: Bug#794365: fixed in devscripts 2.15.8
Date: Sun, 02 Aug 2015 13:19:12 +0000
Source: devscripts
Source-Version: 2.15.8

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 794365@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 02 Aug 2015 09:06:05 -0400
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.15.8
Distribution: unstable
Urgency: high
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 794365
Changes:
 devscripts (2.15.8) unstable; urgency=high
 .
   * licensecheck:
     + Avoid argument injection which may cause file to overwrite a file
       through symlink indirection.  (Closes: #794365, CVE-2015-5705)




Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to control@bugs.debian.org. (Sun, 09 Aug 2015 17:57:04 GMT).


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#794365. (Sun, 09 Aug 2015 17:57:07 GMT).


Message #27 received at 794365-submitter@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 794365-submitter@bugs.debian.org
Subject: Bug#794365 marked as pending
Date: Sun, 09 Aug 2015 17:52:31 +0000
tag 794365 pending
thanks

Hello,

Bug #794365 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=1266e1f

---
commit 1266e1f7e2fbdd3495be8df4decf4b1dc90e1d86
Merge: e027a0d cd4c34b
Author: James McCoy <jamessan@debian.org>
Date:   Sat Aug 8 22:36:57 2015 -0400

    Merge tag 'v2.15.8' into jessie-backports
    
    tagging package devscripts version 2.15.8

diff --cc debian/changelog
index bd69d08,c10f75d..0b1a130
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,9 -1,70 +1,76 @@@
+ devscripts (2.15.8) unstable; urgency=high
+ 
+   * licensecheck:
+     + Avoid argument injection which may cause file to overwrite a file
+       through symlink indirection.  (Closes: #794365, CVE-2015-5705)
+ 
+  -- James McCoy <jamessan@debian.org>  Sun, 02 Aug 2015 09:06:05 -0400
+ 
+ devscripts (2.15.7) unstable; urgency=medium
+ 
+   * licensecheck:
+     + Use Dpkg::IPC to run file to avoid shell injection.
+       (Closes: #794260, CVE-2015-5704)
+     + Change whitelist of mime types to greylist of encodings.  Restores
+       ability to check files with mime types like text/x-c++ and
+       application/postscript.  Thanks to Jonas Smedegaard for the patch.
+       (Closes: #794282)
+     + Fix an endless loop in parsing certain files.  Thanks to Jonas
+       Smedegaard for the patch.  (Closes: #794263)
+ 
+  -- James McCoy <jamessan@debian.org>  Fri, 31 Jul 2015 22:50:33 -0400
+ 
+ devscripts (2.15.6) unstable; urgency=medium
+ 
+   [ Paul Wise ]
+   * Adjust wording of common suffixes passed to repacksuffix
+ 
+   [ James McCoy ]
+   * debcheckout:
+     + Handle Launchpad Git URLs.  Thanks to Colin Watson for the patch.
+       (Closes: #788777)
+     + Handle authenticated checkout when Vcs-Darcs is missing the root /darcs
+       directory.
+   * checkbashisms:
+     + Fix unescaped, literal curly brace in regex, causing FTBFS with Perl
+       5.22.  Thanks to Roderich Schupp for the patch.  (Closes: #788707)
+     + Improve detection of %q/%b to include when it is at the start of the
+       string.  Thanks to Eero Vuojolahti.  (Closes: #793396)
+   * wnpp-check:
+     + Use getopt to handle argument parsing.
+     + Add --exact switch to match the exact package name instead of a
+       substring.  Thanks to Balasankar C.  (Closes: #791918)
+   * Replace manual parsing of dpkg-buildpackage's output with the use of its
+     -S switch or the Dpkg::Changelog::Parse Perl module.
+     + Bump minimum required version of dpkg-dev to 1.17.0
+   * dget: Support arch-qualified package names.  “dget foo:i386” will download
+     the foo binary package for Arch: i386.  “dget --all srcfoo:i386” will
+     download all binary packages from the srcfoo source package that are
+     either Arch: all or Arch: any/i386.  (Closes: #792917)
+   * uscan: Only check for presence of signing key when downloading a new
+     upstream archive.  (Closes: #790047)
+ 
+   [ Dominique Dumont ]
+   * licensecheck:
+     * extract © owner when © and owners are specified on 2 or more lines.
+     * fix digia © and license extraction (Closes: #789074)
+     * fix BSD-2-clause detection
+     * parse assembly files with suffix .S
+     * warn if scanned file is not a text file (Closes: #791756)
+ 
+   [ Mattia Rizzolo ]
+   * uscan: Suggest the correct syntax in the manpage for the dversionmangle
+     option, escaping a '+'. Thanks to Martin Erik Werner for reporting.
+     (Closes: #789389)
+ 
+  -- James McCoy <jamessan@debian.org>  Mon, 27 Jul 2015 23:12:23 -0400
+ 
 +devscripts (2.15.5~bpo8+1) jessie-backports; urgency=medium
 +
 +  * Rebuild for jessie-backports.
 +
 + -- James McCoy <jamessan@debian.org>  Wed, 24 Jun 2015 21:59:43 -0400
 +
  devscripts (2.15.5) unstable; urgency=low
  
    [ Cyril Brulebois ]
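
Review bot: after this merge the top entry of debian/changelog is "devscripts (2.15.8) unstable", while the newest jessie-backports entry is still 2.15.5~bpo8+1, below the merged unstable entries; a new jessie-backports entry for 2.15.8 needs to go on top before this branch is built, otherwise the package would be versioned and targeted as the unstable upload.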



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Sep 2015 07:30:21 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:34 2019; Machine Name: beach
