Package: devscripts Version: 2.13.5 Severity: grave Tags: security Justification: user security hole
If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames containing whitespace. This can be abused by a malicious upstream to delete files of their choice. A proof of concept (which will cause an attempt to delete /usr) is attached.
-- Jakub Wilk
Attachment: foo-42.tar.gz (binary data)
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded: cruft/*
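For comparison, an added example (not code from devscripts or from this report) of how a Files-Excluded cleaner can stay safe with such names: every matched path is handed to the filesystem API as a single string and never passed through a shell command line, so a name containing whitespace cannot be split into extra arguments. The cruft/* pattern is the one from the attached copyright fragment; the file names in the constructed tree are made up.

```python
import fnmatch
import os
import shutil
import tempfile


def remove_excluded(root, patterns):
    """Delete entries under root that match any Files-Excluded pattern.

    Each path stays one Python string and is removed with os.remove or
    shutil.rmtree, never via a shell, so whitespace in a name cannot turn
    into extra arguments. Matching uses the path relative to root, so a
    pattern cannot reach outside the unpacked tree. Returns removed paths.
    """
    root = os.path.realpath(root)
    removed = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not any(fnmatch.fnmatchcase(rel, p) for p in patterns):
                continue
            if os.path.isdir(full) and not os.path.islink(full):
                shutil.rmtree(full)
            else:
                os.remove(full)  # removes a symlink itself, not its target
            removed.append(rel)
    return sorted(removed)


def demo():
    """Constructed tree standing in for an unpacked foo-42 tarball; returns
    (removed, remaining) after applying Files-Excluded: cruft/*."""
    root = tempfile.mkdtemp(prefix="foo-42-")
    try:
        os.makedirs(os.path.join(root, "cruft"))
        os.makedirs(os.path.join(root, "src"))
        # "cruft/a b.txt" carries a space: the kind of name a shell-based rm mishandles
        for rel in ("cruft/blob.bin", "cruft/a b.txt", "src/main.c", "README"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        removed = remove_excluded(root, ["cruft/*"])
        remaining = sorted(
            os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files
        )
        return removed, remaining
    finally:
        shutil.rmtree(root)
```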