Your message dated Mon, 23 Dec 2013 21:19:17 +0000
with message-id <e1vvcud-00011e...@franck.debian.org>
and subject line Bug#732006: fixed in devscripts 2.13.9
has caused the Debian Bug report #732006,
regarding uscan: broken handling of filenames with whitespace (CVE-2013-7085)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
732006: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole
If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames
containing whitespace. This can be abused by a malicious upstream to
delete files of their choice. Proof of concept (that will cause an attempt
to delete /usr) is attached.
--
Jakub Wilk
foo-42.tar.gz
Description: Binary data
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded:
cruft/*
--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.13.9
We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 732...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James McCoy <james...@debian.org> (supplier of updated devscripts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 23 Dec 2013 15:28:45 -0500
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.13.9
Distribution: unstable
Urgency: low
Maintainer: Devscripts Devel Team <devscripts-de...@lists.alioth.debian.org>
Changed-By: James McCoy <james...@debian.org>
Description:
devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 732006 732807
Changes:
devscripts (2.13.9) unstable; urgency=low
.
[ Martin Pitt ]
* autopkgtest: Add "allow-stderr" restriction to avoid failing tests because
of the HTTP server log on stderr.
.
[ James McCoy ]
* uscan:
+ Repack the tarball and verify it is a compressed archive without
allowing arbitrary code execution. Fixes CVE-2013-6888.
+ Use find's -exec to call rm directly instead of piping to xargs.
(Closes: #732006, CVE-2013-7085)
+ Follow tar's recommended security practices
- Use --keep-old-files --no-overwrite-dir
- Ensure parent directory of directory used for repacking archive isn't
accessible to other users.
+ Fix handling of 'dirname' exclusions, so 'dirname/*' isn't required.
.
[ Salvatore Bonaccorso ]
* uscan: Fix uninitialized value warning when copyright is not in
copyright-format 1.0. (Closes: #732807)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
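The bug report above describes an exclusion step that mishandles whitespace in filenames, and the changelog entry fixes it by having find call rm directly instead of piping to xargs. The following is an added example, not devscripts code, that reproduces both behaviours inside a throwaway directory; the directory layout and the names "cruft", "junk victim" and "victim" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not devscripts code): reproduces, in a throwaway directory,
# why a `find | xargs rm` exclusion step misbehaves on a filename containing
# whitespace, and shows the `find -exec rm` form that the 2.13.9 changelog
# entry adopted. All paths and names below are constructed.

# Build a fake unpacked tarball: an excluded directory (cruft/) holding one
# file whose name contains a space, and an innocent top-level file "victim".
# The second word of the odd filename is chosen to collide with "victim".
setup_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/cruft"
    : > "$dir/cruft/junk victim"
    : > "$dir/victim"
    printf '%s\n' "$dir"
}

# Old pattern: xargs splits find's output on whitespace, so one path becomes
# two arguments: "cruft/junk" (absent, silenced by -f) and "victim".
unsafe_exclude() {
    ( cd "$1" && find cruft -type f | xargs rm -f )
}

# Fixed pattern: find hands each path to rm as a single argument, so the
# space is preserved and only files found under cruft/ can ever be named.
safe_exclude() {
    ( cd "$1" && find cruft -type f -exec rm -f {} + )
}

# Summarise what happened to the two files, for inspection or assertions.
outcome() {
    if [ -e "$1/victim" ]; then v=kept; else v=DELETED; fi
    if [ -e "$1/cruft/junk victim" ]; then c=left; else c=removed; fi
    printf 'victim=%s cruft=%s\n' "$v" "$c"
}

# Run both variants on fresh trees and report the result of each.
for mode in unsafe safe; do
    d=$(setup_tree)
    "${mode}_exclude" "$d"
    printf '%s: %s\n' "$mode" "$(outcome "$d")"
    rm -rf "$d"
done
```

The unsafe variant both leaves the intended file in place and removes an unrelated one, which is the double failure the bug report points at; `find -print0 | xargs -0 rm -f` would be an equally safe alternative where -exec is not an option.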