arbitrary code execution in compare_versions
Bug #1353046 reported by Marc Deslauriers
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
reportbug (Ubuntu) | Fix Released | High | Scott Kitterman |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Fix Released | High | Marc Deslauriers |
Trusty | Fix Released | High | Scott Kitterman |
Utopic | Fix Released | High | Scott Kitterman |
Bug Description
From DSA 2997-1:
Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.
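The bug class described in the advisory, shown as an added example (not reportbug's code and not part of the original report): a version string received from the network is validated against an allowlist and handed to the comparison tool as a single argument, with no shell involved. It assumes the comparison is delegated to `dpkg --compare-versions`; the function names and sample versions are hypothetical.

```python
import re
import subprocess

# Conservative allowlist modelled on Debian version syntax:
# optional numeric epoch, then a digit, then alphanumerics and . + ~ -
VERSION_RE = re.compile(r"(?:[0-9]+:)?[0-9][A-Za-z0-9.+~-]*")
OPERATORS = {"lt", "le", "eq", "ne", "ge", "gt"}


def is_safe_version(version):
    """True only if the whole string matches the allowlist."""
    return isinstance(version, str) and VERSION_RE.fullmatch(version) is not None


def unsafe_command(current, upstream):
    """The weak pattern: one string a shell would parse (never executed here)."""
    return "dpkg --compare-versions %s lt %s" % (current, upstream)


def compare_argv(current, op, upstream):
    """Build an argument vector; each version stays exactly one argument."""
    if op not in OPERATORS:
        raise ValueError("unknown operator: %r" % op)
    for version in (current, upstream):
        if not is_safe_version(version):
            raise ValueError("rejected version string: %r" % version)
    return ["dpkg", "--compare-versions", current, op, upstream]


def version_lt(current, upstream):
    """Run dpkg without a shell; exit status 0 means current < upstream."""
    argv = compare_argv(current, "lt", upstream)
    return subprocess.run(argv, shell=False).returncode == 0


# Constructed sample values, not taken from the bug report.
GOOD = "6.5.0+nmu1"
BAD = "6.5.0;id"

if __name__ == "__main__":
    print(unsafe_command("6.4.4", BAD))       # a shell would see two commands
    print(compare_argv("6.4.4", "lt", GOOD))  # list form, no shell parsing
    try:
        compare_argv("6.4.4", "lt", BAD)
    except ValueError as exc:
        print(exc)
```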
CVE References
Changed in reportbug (Ubuntu Lucid):
status: New → Confirmed
Changed in reportbug (Ubuntu Precise):
status: New → Confirmed
Changed in reportbug (Ubuntu Trusty):
status: New → Confirmed
Changed in reportbug (Ubuntu Utopic):
status: New → Confirmed
Changed in reportbug (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
I decided it would be better to version/use debian/changelog from Debian in Trusty as well for consistency of the versioning with Debian. Since there are no other changes, it seemed the most sane way to go about it.