Your message dated Wed, 11 Dec 2013 04:18:29 +0000
with message-id <e1vqbfl-0006k7...@franck.debian.org>
and subject line Bug#731849: fixed in devscripts 2.13.8
has caused the Debian Bug report #731849,
regarding uscan: arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
731849: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole
The newfangled debian/copyright-driven repacking can be exploited by
malicious upstream to execute arbitrary code. Proof of concept is
attached.
--
Jakub Wilk
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded:
 dummy
foo-42.tar.gz
Description: Binary data
--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.13.8
We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated devscripts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 10 Dec 2013 20:26:42 -0500
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.13.8
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <devscripts-de...@lists.alioth.debian.org>
Changed-By: James McCoy <james...@debian.org>
Description:
devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 731849 731885
Changes:
devscripts (2.13.8) unstable; urgency=medium
.
[ James McCoy ]
* uscan: Fix arbitrary command execution when using USCAN_EXCLUSION.
(Closes: #731849)
.
[ Adam D. Barratt ]
* Honour USCAN_EXCLUSION. (Closes: #731885)
--- End Message ---