oss-sec mailing list archives
[notification] CVE-2013-6888: uscan: remote code execution
From: Raphael Geissert <geissert () debian org>
Date: Mon, 6 Jan 2014 11:57:06 +0100
Hi, Given the recent issues in uscan (part of devscripts) I took a look at it and found a few other issues. The bugs fixed by the following commit basically allow remote code execution when uscan is used to download upstream's tarball. With and without repacking (contrary to the commit message). http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=02c6850d973e3e1246fde72edab27f03d63acc52 This was assigned CVE-2013-6888. Two other changes were made that IMO should be considered as hardening: http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=4b7e58ee6000cdefac0682601cec6ecce0137467 http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=b815aa438f018b5afc566eb403b0319a99a32995 At least I'm not aware of a way to exploit them. Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- [notification] CVE-2013-6888: uscan: remote code execution Raphael Geissert (Jan 06)
- Re: [notification] CVE-2013-6888: uscan: remote code execution Jakub Wilk (Feb 06)
- Re: [notification] CVE-2013-6888: uscan: remote code execution cve-assign (Feb 12)
- Re: [notification] CVE-2013-6888: uscan: remote code execution Jakub Wilk (Feb 06)