arbitrary code execution in compare_versions
Bug #1353046 reported by Marc Deslauriers
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| reportbug (Ubuntu) | Fix Released | High | Scott Kitterman | |
| Lucid | Won't Fix | Undecided | Unassigned | |
| Precise | Fix Released | High | Marc Deslauriers | |
| Trusty | Fix Released | High | Scott Kitterman | |
| Utopic | Fix Released | High | Scott Kitterman | |
Bug Description
From DSA 2997-1:
Jakub Wilk discovered a remote command execution flaw in reportbug, a tool to report bugs in the Debian distribution. A man-in-the-middle attacker could put shell metacharacters in the version number allowing arbitrary code execution with the privileges of the user running reportbug.
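The bug class described above, as an added illustration that is not reportbug's own code: a version-comparison helper that interpolates an untrusted version string into a shell command line, beside a hardened form that validates the string against the characters Debian version strings may contain and passes it to dpkg as a separate argv element so no shell ever parses it. The function names and the regex are this example's own assumptions.

```python
import re
import subprocess

# Debian policy version syntax: [epoch:]upstream_version[-debian_revision]
# Allowed characters: alphanumerics and . + - ~ (':' only as the epoch separator).
# Anything a shell would interpret (; | & ` $ ( ) space ...) is outside this allow-list.
_VERSION_RE = re.compile(r"^(?:[0-9]+:)?[A-Za-z0-9][A-Za-z0-9.+~-]*$")


def is_valid_version(version: str) -> bool:
    """True only if `version` is built from characters a Debian version may contain."""
    return bool(_VERSION_RE.match(version))


def compare_versions_vulnerable(current: str, upstream: str) -> bool:
    """Vulnerable pattern (constructed for illustration, not reportbug's code).

    The version strings are pasted into one command line that /bin/sh parses,
    so metacharacters in a network-supplied `upstream` value become commands
    run with the privileges of the calling user.
    """
    cmd = "dpkg --compare-versions %s lt %s" % (current, upstream)
    return subprocess.call(cmd, shell=True) == 0


def build_compare_argv(current: str, upstream: str) -> list:
    """Hardened: reject malformed input, then build an argv list (no shell involved).

    Each version reaches dpkg as exactly one argument, whatever characters it holds;
    the allow-list check is defence in depth and also surfaces tampered input early.
    """
    for v in (current, upstream):
        if not is_valid_version(v):
            raise ValueError("refusing to compare malformed version string: %r" % v)
    return ["dpkg", "--compare-versions", current, "lt", upstream]


def compare_versions(current: str, upstream: str) -> bool:
    """True if `current` is older than `upstream`, invoking dpkg without a shell."""
    return subprocess.call(build_compare_argv(current, upstream)) == 0
```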
CVE References
| Changed in | Field | Change |
|---|---|---|
| reportbug (Ubuntu Lucid) | status | New → Confirmed |
| reportbug (Ubuntu Precise) | status | New → Confirmed |
| reportbug (Ubuntu Trusty) | status | New → Confirmed |
| reportbug (Ubuntu Utopic) | status | New → Confirmed |
| reportbug (Ubuntu Precise) | assignee | nobody → Marc Deslauriers (mdeslaur) |

I decided it would be better to version/use debian/changelog from Debian in Trusty as well for consistency of the versioning with Debian. Since there are no other changes, it seemed the most sane way to go about it.