Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAA7hUgFLwK1dNUyCd4FZMFF_jjjfWDqK5jn5Pb4aS6wA58vTsw@mail.gmail.com>
Date: Mon, 6 Jan 2014 11:57:06 +0100
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Ratul Gupta <ratulg@...hat.com>
Subject: [notification] CVE-2013-6888: uscan: remote code execution

Hi,

Given the recent issues in uscan (part of devscripts) I took a look at
it and found a few other issues.
The bugs fixed by the following commit basically allow remote code
execution when uscan is used to download upstream's tarball. With and
without repacking (contrary to the commit message).

http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=02c6850d973e3e1246fde72edab27f03d63acc52

This was assigned CVE-2013-6888.

Two other changes were made that IMO should be considered as hardening:
http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=4b7e58ee6000cdefac0682601cec6ecce0137467
http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=b815aa438f018b5afc566eb403b0319a99a32995

At least I'm not aware of a way to exploit them.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.