Source: manuskript
Version: 0.11.0-2
Severity: normal
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for manuskript.

CVE-2021-35196[0]:
| ** DISPUTED ** Manuskript through 0.12.0 allows remote
| attackers to execute arbitrary code via a crafted settings.pickle file
| in a project file, because there is insecure deserialization via the
| pickle.load() function in settings.py. NOTE: the vendor's position is
| that the product is not intended for opening an untrusted project
| file.

Note that, as stated in the CVE description, vendor and reporter do not
seem to agree on the vulnerability state, and the vendor's position is
that the product is not intended for opening an untrusted project file.
We file it nonetheless to still track the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35196
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35196
[1] https://github.com/olivierkes/manuskript/issues/891
[2] https://www.pizzapower.me/2021/06/20/arbitrary-code-execution-in-manuskript-0-12/

Regards,
Salvatore
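Added example (not manuskript's code, nor part of the bug report above): the unrestricted pickle.load() pattern the CVE describes, placed beside a hardened loader that resolves only an allowlist of globals, plus the JSON migration path that removes the deserialization surface entirely. It assumes project settings are a dict of scalars, lists, dicts and sets; the real settings.py schema may differ. The sample inputs are constructed here, and collections.OrderedDict is used only as a harmless stand-in for any global a crafted file might reference.

```python
import collections
import io
import json
import pickle

# Globals the unpickler may resolve (assumption: a settings file needs
# nothing beyond builtin containers). Anything else, such as functions
# or arbitrary classes, is refused, which turns a crafted settings.pickle
# from code execution into a load error.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class SettingsUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an allowlist of globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from settings file")


def load_settings_restricted(data: bytes) -> dict:
    """Load a settings pickle while refusing non-allowlisted globals."""
    obj = SettingsUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict):
        raise ValueError(
            f"settings root must be a dict, got {type(obj).__name__}")
    return obj


def load_settings_unsafe(data: bytes):
    """The pattern the CVE describes: unrestricted pickle on bytes taken
    from a project file. Shown for contrast only."""
    return pickle.loads(data)


def try_load(data: bytes):
    """Return (ok, result): the loaded dict, or the rejection message."""
    try:
        return True, load_settings_restricted(data)
    except (pickle.UnpicklingError, ValueError) as exc:
        return False, str(exc)


# Migration path: a JSON settings file carries data only, so there is no
# global to resolve; the root-type validation stays the same.
def settings_to_json(settings: dict) -> str:
    return json.dumps(settings, sort_keys=True)


def settings_from_json(text: str) -> dict:
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("settings root must be a dict")
    return obj


# Constructed sample inputs: a legitimate settings dict, a pickle whose
# root is not a dict, and a pickle referencing a global outside the
# allowlist (collections.OrderedDict is harmless; it stands in for
# whatever a crafted file would reference).
GOOD_PICKLE = pickle.dumps({"fontSize": 12, "spellcheck": True, "tags": {"draft"}})
WRONG_ROOT_PICKLE = pickle.dumps([1, 2, 3])
REJECTED_PICKLE = pickle.dumps(collections.OrderedDict(fontSize=12))

if __name__ == "__main__":
    print(try_load(GOOD_PICKLE))
    print(try_load(WRONG_ROOT_PICKLE))
    print(try_load(REJECTED_PICKLE))
    print(settings_from_json(settings_to_json({"fontSize": 12})))
```

The allowlist approach is the minimal fix when the on-disk format cannot change yet; it still runs the pickle virtual machine on attacker-controlled bytes, so the JSON loader is the form to converge on.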
