oss-sec mailing list archives

CVE Request: devscripts: licensecheck: arbitrary shell command injection


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 1 Aug 2015 07:00:50 +0200

Hi

devscripts[0,1] contains a utility licensecheck, a simple license
checker for source files. It is also included in at least Ubuntu
and Fedora[2].

Jonas Smedegaard[3] (and Jakub Wilk with a follow-up message) reported
that licensecheck is prone to arbitrary shell command injection via
shell metacharacters in filenames. The issue was introduced in
devscripts v2.15.5[4] and fixed in v2.15.7[5].

Could you please assign a CVE to identify this issue?

Regards,
Salvatore

 [0] https://packages.debian.org/devscripts
 [1] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/
 [2] http://pkgs.fedoraproject.org/cgit/devscripts.git/
 [3] https://bugs.debian.org/794260
 [4] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0 
 [5] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
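
The class of bug described in the report above, as an added illustration that is not part of the original post and is not devscripts or licensecheck code: a Perl helper that interpolates a filename into a shell command string, beside two forms that never hand the name to /bin/sh. The helper names, the temporary-directory layout and the use of `head -n 1` are constructed for the demo; the post does not show licensecheck's actual code, so nothing here is a claim about what the real commits changed.

```perl
#!/usr/bin/perl
# Constructed illustration of shell metacharacter injection via a filename.
# Not from devscripts/licensecheck; all helper names here are invented.
use strict;
use warnings;
use File::Temp qw(tempdir);

# VULNERABLE: the filename is interpolated into a single string that
# /bin/sh parses, so ';', '$(', '|', '>' etc. in the name become syntax.
sub first_line_vulnerable {
    my ($file) = @_;
    my $out = `head -n 1 $file 2>&1`;
    chomp $out if defined $out;
    return $out;
}

# HARDENED (a): no external process at all; read the file from Perl with a
# three-argument open, which treats $file purely as a path.
sub first_line_safe {
    my ($file) = @_;
    open(my $fh, '<', $file) or die "open $file: $!";
    my $line = <$fh>;
    close $fh;
    chomp $line if defined $line;
    return $line;
}

# HARDENED (b): if an external tool really is needed, the list form of
# open/system/exec passes each element straight to execvp() and never
# starts a shell, so the filename is delivered as one opaque argument.
sub first_line_safe_pipe {
    my ($file) = @_;
    open(my $fh, '-|', 'head', '-n', '1', $file) or die "exec head: $!";
    my $line = <$fh>;
    close $fh;
    chomp $line if defined $line;
    return $line;
}

my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/INJECTED";

# Constructed hostile filename: '/' and NUL are the only bytes a Unix
# filename cannot contain, so ';' and spaces are perfectly legal.
my $evil = "$dir/x; touch $marker; true";
open(my $fh, '>', $evil) or die "create $evil: $!";
print $fh "Copyright 2015 Example Author\n";
close $fh;

my $vuln = first_line_vulnerable($evil);
printf "vulnerable returned : %s\n", $vuln;
printf "vulnerable marker   : %s\n",
    -e $marker ? 'CREATED (command injected)' : 'absent';
unlink $marker;

printf "three-arg open      : %s\n", first_line_safe($evil);
printf "list-form pipe      : %s\n", first_line_safe_pipe($evil);
printf "hardened marker     : %s\n",
    -e $marker ? 'CREATED' : 'absent (no shell involved)';
```

Run it with `perl demo.pl`: only the string-form helper leaves the `INJECTED` marker behind, and its "first line" is head's complaint about a file named `x` that does not exist, because the shell split the name at the first `;`. One Perl-specific caveat when applying fix (b): `system` and `exec` only bypass the shell when given more than one argument; `system("head -n 1 $file")` with a single scalar is still parsed by sh if it contains metacharacters, so always pass the program and each argument as separate list elements.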

