Please merge devscripts 2.11.4 (main) from Debian unstable (main)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
devscripts (Ubuntu) |
Fix Released
|
Medium
|
Unassigned |
Bug Description
This request is to merge in security updates. From DSA-2409-1:
"Several vulnerabilities have been discovered in debdiff, a script used
to compare two Debian packages, which is part of the devscripts package.
The following Common Vulnerabilities and Exposures project ids have been
assigned to identify them:
CVE-2012-0210:
Paul Wise discovered that due to insufficient input sanitising when
processing .dsc and .changes files, it is possible to execute
arbitrary code and disclose system information.
CVE-2012-0211:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when processing source packages with
specially-named tarballs in the top-level directory of the .orig
tarball, allowing arbitrary code execution.
CVE-2012-0212:
Raphael Geissert discovered that it is possible to inject or modify
arguments of external commands when passing as argument to debdiff
a specially-named file, allowing arbitrary code execution."
security vulnerability: | no → yes |
debdiff between devscripts 2.11.3ubuntu1 and merged 2.11.4ubuntu1