Bug#732006: uscan: broken handling of filenames with whitespace
Jakub Wilk
jwilk at debian.org
Thu Dec 12 10:16:28 UTC 2013
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole
If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames
containing whitespace. This can be abused by a malicious upstream to
delete files of their choice. Proof of concept (that will cause an attempt
to delete /usr) is attached.
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foo-42.tar.gz
Type: application/octet-stream
Size: 177 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20131212/40fa50df/attachment.obj>
-------------- next part --------------
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files-Excluded:
cruft/*
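
Added example, not part of the original report and not uscan's own code (uscan is written in Perl): a Python model of how whitespace in a matched filename can turn into an extra deletion target, next to a variant that keeps each name whole and checks containment. The splitting mechanism, the function names and the member names are assumptions constructed for illustration; the attached proof of concept is not reproduced here.

```python
import fnmatch
import os

# Constructed sample: member names as they might appear in an unpacked
# upstream tarball. The second name contains a space (hypothetical shape).
MEMBERS = ["foo-42/README", "foo-42/cruft/x /usr", "foo-42/cruft/y"]
# Pattern from the Files-Excluded stanza quoted in the report.
EXCLUDED = ["cruft/*"]


def matches(members, patterns, top="foo-42"):
    """Members below the top-level directory that match an exclusion glob."""
    return [m for m in members
            if any(fnmatch.fnmatch(m, f"{top}/{p}") for p in patterns)]


def naive_targets(members, patterns):
    """Assumed buggy shape: matches are joined into one string and later
    split on whitespace, so one filename becomes several arguments."""
    return " ".join(matches(members, patterns)).split()


def safe_targets(members, patterns, root):
    """Keep each name as a single list element and refuse anything that
    does not resolve inside the unpack directory."""
    root = os.path.realpath(root)
    out = []
    for m in matches(members, patterns):
        full = os.path.realpath(os.path.join(root, m))
        if os.path.commonpath([root, full]) != root:
            raise ValueError(f"refusing path outside {root}: {m!r}")
        out.append(full)
    return out


if __name__ == "__main__":
    # Nothing is deleted here; the functions only compute candidate paths.
    print("naive:", naive_targets(MEMBERS, EXCLUDED))
    print("safe: ", safe_targets(MEMBERS, EXCLUDED, "/tmp/unpack"))
```

In the naive list the single member "foo-42/cruft/x /usr" yields a separate "/usr" entry; the safe variant returns only paths under the unpack directory and raises on anything that resolves outside it.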