~smi~ s Vaughn Raphael Geissert <[email protected]> wrote:
>-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >- ------------------------------------------------------------------------- >Debian Security Advisory DSA-2549-1 [email protected] >http://www.debian.org/security/ Raphael Geissert >September 15, 2012 http://www.debian.org/security/faq >- ------------------------------------------------------------------------- > >Package : devscripts >Vulnerability : multiple >Problem type : local (remote) >Debian-specific: no >CVE ID : CVE-2012-2240 CVE-2012-2241 CVE-2012-2242 CVE-2012-3500 > >Multiple vulnerabilities have been discovered in devscripts, a set of >scripts to make the life of a Debian Package maintainer easier. >The following Common Vulnerabilities and Exposures project ids have >been assigned to identify them: > >CVE-2012-2240: > > Raphael Geissert discovered that dscverify does not perform > sufficient validation and does not properly escape arguments to > external commands, allowing a remote attacker (as when dscverify is > used by dget) to execute arbitrary code. > >CVE-2012-2241: > > Raphael Geissert discovered that dget allows an attacker to delete > arbitrary files when processing a specially-crafted .dsc or > .changes file, due to insuficient input validation. > >CVE-2012-2242: > > Raphael Geissert discovered that dget does not properly escape > arguments to external commands when processing .dsc and .changes > files, allowing an attacker to execute arbitrary code. > This issue is limited with the fix for CVE-2012-2241, and had > already been fixed in version 2.10.73 due to changes to the code, > without considering its security implications. > >CVE-2012-3500: > > Jim Meyering, Red Hat, discovered that annotate-output determines > the name of temporary named pipes in a way that allows a local > attacker to make it abort, leading to denial of service. > > >Additionally, a regression in the exit code of debdiff introduced in >DSA-2409-1 has been fixed. > >For the stable distribution (squeeze), these problems have been fixed in >version 2.10.69+squeeze4. > >For the testing distribution (wheezy), these problems will be fixed >soon. > >For the unstable distribution (sid), these problems will be fixed in >version 2.12.3. > >We recommend that you upgrade your devscripts packages. > >Further information about Debian Security Advisories, how to apply >these updates to your system and frequently asked questions can be >found at: http://www.debian.org/security/ > >Mailing list: [email protected] >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.12 (GNU/Linux) > >iEYEARECAAYFAlBUxE4ACgkQYy49rUbZzlpq0ACfaegRy0LXMZmnnJ/fwi2PH1iB >5XcAnjbRtMlPy1+PASvWy4/DI+Zm3PuR >=VmvQ >-----END PGP SIGNATURE----- > > >-- >To UNSUBSCRIBE, email to [email protected] >with a subject of "unsubscribe". Trouble? Contact [email protected] >Archive: http://lists.debian.org/[email protected] >
