Package: debhelper
Version: 9.20131227ubuntu1
Severity: important

Dear Maintainer,

When having ELF binaries that start with $, e.g. "/usr/lib/blah/$foobar", dh_shlibdeps silently ignores it, presumably due to the way it invokes "file" to check if the binary is an ELF.

    $ff=`file "$file"`;

This seems like something that could potentially result in sh injection if it encounters a specially tailored filename.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14.2-hyper1 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages debhelper depends on:
ii  binutils     2.24-5ubuntu3
ii  dh-apparmor  2.8.95~2430-0ubuntu5
ii  dpkg         1.17.5ubuntu5.2
ii  dpkg-dev     1.17.5ubuntu5.2
ii  file         1:5.14-2ubuntu3
ii  man-db       2.6.7.1-1
ii  perl         5.18.2-2ubuntu1
ii  po-debconf   1.0.16+nmu2ubuntu1

debhelper recommends no packages.

Versions of packages debhelper suggests:
ii  dh-make  0.63

-- no debconf information

-- 
Kind regards,
Loong Jin
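The behaviour described in the report, next to one shell-free way to make the same call. This is an added example, not debhelper's code and not taken from the report; the function names are hypothetical, and it assumes file(1) is installed and that the running perl interpreter is an ELF binary (as on Linux).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Copy qw(copy);
use File::Temp qw(tempdir);

# Pattern quoted in the report: backticks hand the whole string to /bin/sh,
# which parses it again. A "$name" inside the double quotes is expanded by
# the shell (to nothing when unset), so file(1) is asked about a different
# path than the one perl holds in $file.
sub file_type_via_shell {
    my ($file) = @_;
    my $out = `file "$file" 2>&1`;
    return $out;
}

# List-form pipe open: perl executes file(1) directly and passes the name
# as one argv element, so no shell ever interprets it. The "--" keeps a
# name that begins with "-" from being read as an option.
sub file_type_no_shell {
    my ($file) = @_;
    open(my $fh, '-|', 'file', '--', $file)
        or die "cannot run file: $!";
    local $/;                      # slurp all output at once
    my $out = <$fh>;
    close($fh);
    return $out;
}

# Constructed sample input: a copy of the perl interpreter stored under a
# name that starts with a literal "$", as in the report's example path.
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/\$foobar";
copy($^X, $path) or die "copy failed: $!";
delete $ENV{foobar};               # make sure the shell sees it as unset

print "backticks (shell):  ", file_type_via_shell($path);
print "list-form open:     ", file_type_no_shell($path);
```

Only the list-form call is guaranteed to inspect the file actually named by $path; the same approach applies to any other place where a build-tree filename is interpolated into a shell command string.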