Bug#732006: uscan: broken handling of filenames with whitespace
On Sat, Dec 21, 2013 at 09:49:15PM -0500, James McCoy wrote:
> Thanks for the patch. We've addressed this by other means and are just
> pending some final review before uploading.

Ok, I've removed the pushed topic branch again.

> Thanks for noticing that. I've made a change for this as well.

Thanks. :)

--
Stig

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#732006: uscan: broken handling of filenames with whitespace
Control: tags -1 + patch

I've pushed a proposed fix for this security issue to the packaging repo
git://anonscm.debian.org/collab-maint/devscripts.git as the branch
CVE-2013-7085-ruin-someones-yuletide

One commit, see
http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commit;h=f3b48a97d10fce5bb368b3af195b3c1cdb09e4b2

It's kind of a large commit for a small issue. Mostly because the "wrap shell commands in backticks, and hope for the best" approach is open to multiple potential issues, and I would like to remove them all.

The change also fixes a second bug, where one could not exclude a non-empty top-level directory, but had to use somedirectory/*.

--
Stig Sandbeck Mathisen
Bug#732006: uscan: broken handling of filenames with whitespace
Control: tag -1 pending

On Sun, Dec 22, 2013 at 01:17:01AM +0100, Stig Sandbeck Mathisen wrote:
> I've pushed a proposed fix for this security issue to the packaging repo
> git://anonscm.debian.org/collab-maint/devscripts.git as the branch
> CVE-2013-7085-ruin-someones-yuletide

Thanks for the patch. We've addressed this by other means and are just pending some final review before uploading.

> The change also fixes a second bug, where one could not exclude a
> non-empty top level directory, but had to use somedirectory/*.

Thanks for noticing that. I've made a change for this as well.

Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05
James McCoy james...@debian.org
Bug#732006: uscan: broken handling of filenames with whitespace
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole

If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames containing whitespace. This can be abused by a malicious upstream to delete files of their choice.

Proof of concept (that will cause an attempt to delete /usr) is attached.

--
Jakub Wilk

foo-42.tar.gz
Description: Binary data

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded: cruft/*
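The report above does not show the attached tarball, and the thread only says that uscan wrapped shell commands in backticks. The following is an added, self-contained reconstruction of that bug class, written for this page and not taken from uscan or the PoC: it assumes the vulnerable path built a single "rm -rf <names>" string from the tarball's member list and handed it to /bin/sh, so a member whose name contains a space is word-split into extra arguments. The member names, the "victim" file and the hardened deleter are all constructed for the demonstration; Files-Excluded is the "cruft/*" pattern from the report.

```python
"""Added demonstration (not uscan's own code) of Bug#732006's bug class:
a file name containing whitespace, taken from an upstream tarball listing,
is spliced into a shell command line and word-split into extra arguments.
The mechanism (backtick-style "rm -rf <names>" via /bin/sh) and the member
names below are assumptions for illustration, not the attached PoC."""
import fnmatch
import os
import shutil
import subprocess
import tempfile

# Exclusion list as it appears in the report's copyright fragment.
FILES_EXCLUDED = ["cruft/*"]


def upstream_members(victim):
    """Constructed member list of a hypothetical tarball foo-42.tar.gz.
    The last entry is attacker-controlled: 'cruft/x' followed by a space and
    the absolute path the attacker wants deleted on the maintainer's machine."""
    return ["README", "src/main.c", "cruft/junk.o", "cruft/x " + victim]


def extract(root, members):
    """Lay the members out on disk as tar would (no real archive needed)."""
    for member in members:
        path = os.path.join(root, member)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("upstream content\n")


def excluded_members(members, globs=FILES_EXCLUDED):
    """Select members matching Files-Excluded. fnmatch's '*' also matches '/',
    so the hostile name matches 'cruft/*' exactly like the legitimate cruft."""
    return [m for m in members if any(fnmatch.fnmatchcase(m, g) for g in globs)]


def unsafe_delete(root, names):
    """Vulnerable pattern: one command string handed to the shell. The shell
    splits 'cruft/x /tmp/.../victim.txt' into two words and rm removes both."""
    cmd = "rm -rf " + " ".join(names)
    subprocess.run(cmd, shell=True, cwd=root, check=True)


def safe_delete(root, names):
    """Hardened form: no shell, one name per path, plus a containment check so a
    name (or symlink) that resolves outside the unpacked tree is refused."""
    base = os.path.realpath(root)
    for name in names:
        target = os.path.realpath(os.path.join(base, name))
        if not target.startswith(base + os.sep):
            raise ValueError("refusing to remove outside the tree: %r" % name)
        if os.path.isdir(target) and not os.path.islink(target):
            shutil.rmtree(target)
        elif os.path.lexists(target):
            os.remove(target)


def run_scenario(deleter):
    """Unpack the constructed tarball next to a 'victim' file that lives outside
    it, apply Files-Excluded with the given deleter, and report what survived."""
    scratch = tempfile.mkdtemp(prefix="uscan-demo-")  # assumes no spaces in path
    try:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("precious\n")
        root = os.path.join(scratch, "foo-42")
        members = upstream_members(victim)
        extract(root, members)
        deleter(root, excluded_members(members))
        return {
            "victim_survived": os.path.exists(victim),
            "cruft_removed": not os.path.exists(os.path.join(root, "cruft", "junk.o")),
            "readme_kept": os.path.exists(os.path.join(root, "README")),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print("backtick-style:", run_scenario(unsafe_delete))
    print("hardened:      ", run_scenario(safe_delete))
```

Running it shows the backtick-style deleter removing the victim file outside the unpacked tree while the hardened one removes only the matching cruft. The containment check is the part worth keeping beyond this bug: avoiding the shell fixes word-splitting, but a member that is a symlink pointing out of the tree would still need the realpath comparison.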