Hi Michael,
This part doesn't look good:
info=$(wget $url/mr/file/$hash/info -q -O-)
name=$(echo $info | grep -Po '"'"name"'"\s*:\s*"\K([^"]*)')
if test $name = $1_$2.dsc; then
path=$(echo $info | grep -Po '"'"path"'"\s*:\s*"\K([^"]*)')
date=$(echo $info | grep -Po '"'"first_seen"'"\s*:\s*"\K([^"]*)')
dget --quiet --download-only $dget \
$url/archive/debian/$date$path/$1\_$2.dsc >&2
A MITM attacker could inject options to the dget command-line.
Conveniently for the attacker, --build seems to take precedence over
--download-only, so it can be abused to execute arbitrary code.
--
Jakub Wilk
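As an added example (not code from this thread or from the script under review), the shell script below reproduces the injection Jakub describes and shows a hardened form of the same fetch. It uses a stand-in `fake_dget` function instead of the real dget, a constructed pair of JSON "info" responses, an assumed base URL and a helper `json_field` that mirrors the script's `grep -Po` extraction; all of those are assumptions for the demonstration. The unsafe path is the unquoted expansion of `$date$path`: a MITM who controls the info response can put a space-separated `--build` into one of those fields, and word splitting turns it into a separate dget argument.

```shell
#!/bin/sh
# Added example, not part of the original mail or of the script under review.
# It reproduces the option injection with a stand-in for dget, then shows a
# hardened version of the same fetch. The JSON responses, the base URL and the
# function names are constructed for the demonstration.

# Constructed "info" responses as returned by $url/mr/file/$hash/info.
# The honest one is what the service sends; the malicious one is what a MITM
# could substitute. Its "path" carries a leading " --build " so that unquoted
# expansion of $date$path splits it into a separate dget argument.
HONEST_INFO='{"name": "foo_1.0.dsc", "path": "/pool/main/f/foo", "first_seen": "20200101T000000Z"}'
MALICIOUS_INFO='{"name": "foo_1.0.dsc", "path": " --build /pool/main/f/foo", "first_seen": "20200101T000000Z"}'
URL=http://snapshot.debian.org   # assumed value of $url

# Extract a string field from the JSON blob the same way the script's grep -Po
# does (first "key": "value" pair; enough for flat responses like these).
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Stand-in for dget. Real dget with --build runs dpkg-buildpackage on the
# downloaded source, i.e. attacker-controlled code; here we only report it.
fake_dget() {
    for arg in "$@"; do
        if [ "$arg" = "--build" ]; then
            echo "fake_dget: --build seen, would run dpkg-buildpackage" >&2
            return 1
        fi
    done
    return 0
}

# Vulnerable: same unquoted expansions as the quoted snippet. Returns the
# status of fake_dget, so 1 means the injected option reached the command line.
vulnerable_fetch() {   # $1 = info JSON, $2 = source package, $3 = version
    path=$(json_field "$1" path)
    date=$(json_field "$1" first_seen)
    fake_dget --quiet --download-only $URL/archive/debian/$date$path/${2}_${3}.dsc
}

# Hardened: every network-derived value is checked against a strict shape and
# quoted, so it is always exactly one argument and never an option.
# Returns 0 on success, 1 if fake_dget saw --build, 2 if the response was rejected.
hardened_fetch() {     # $1 = info JSON, $2 = source package, $3 = version
    name=$(json_field "$1" name)
    path=$(json_field "$1" path)
    date=$(json_field "$1" first_seen)
    expected="${2}_${3}.dsc"
    [ "$name" = "$expected" ] || { echo "rejecting name: $name" >&2; return 2; }
    printf '%s\n' "$date" | grep -Eq '^[0-9]{8}T[0-9]{6}Z$' \
        || { echo "rejecting first_seen: $date" >&2; return 2; }
    printf '%s\n' "$path" | grep -Eq '^/[A-Za-z0-9._+/-]+$' \
        || { echo "rejecting path: $path" >&2; return 2; }
    fake_dget --quiet --download-only "$URL/archive/debian/$date$path/$expected"
}

# Stand-alone demonstration against the constructed malicious response.
if vulnerable_fetch "$MALICIOUS_INFO" foo 1.0; then
    echo "vulnerable: no injection (unexpected)"
else
    echo "vulnerable: injected --build reached dget"
fi
if hardened_fetch "$MALICIOUS_INFO" foo 1.0; then
    echo "hardened: accepted (unexpected)"
else
    echo "hardened: malicious response rejected before dget ran"
fi
```

Quoting alone closes the word-splitting hole; the shape checks are there because the downloaded `.dsc` URL is still built from attacker-influenced strings, and a value that is not a snapshot timestamp or a plain pool path has no business reaching dget at all.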