Bug#458789: uscan: framework for using external scripts: qx/script/
Jakub Wilk
jwilk at debian.org
Sat Sep 5 18:30:12 UTC 2015
Hi Osamu!
* Osamu Aoki <osamu at debian.org>, 2015-09-05, 23:13:
>Let me propose a new generic mangle rule: qx/script/
>
>This mangles by feeding the target $string into the STDIN of script in
>the debian directory and reading its STDOUT back into the target
>$string.
I'm afraid this is a no-no.
People (and services like mentors.debian.net) run "uscan
--report-status" on untrusted source packages. This change would
introduce an arbitrary code execution vulnerability.
>I just made a proof of concept code snippet which changes the start of
>uscan safe_replace($$) as follows:
Heh, the whole point of safe_replace() is to defuse Perl regexes, which
normally let you execute arbitrary code.
--
Jakub Wilk
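The design point in this reply is that a mangle rule must stay data (a pattern, a replacement template and a few flags) rather than become a program, because the rule comes from an untrusted debian/watch file. The following is an added illustration, not uscan's own safe_replace() and not Osamu's proposed patch, written in Python rather than Perl: it parses an `s<sep>PATTERN<sep>REPLACEMENT<sep>FLAGS` rule into plain data, allows only the flags `g`, `i` and `x`, and refuses anything else, including a Perl-style `e` flag and a `qx/script/` rule. The single-character separator handling and the restriction to the `s` operator (no `tr`/`y`, no paired delimiters such as `s{...}{...}`) are simplifications assumed for this example.

```python
import re

# Flags a mangle rule may carry. Anything else is refused, in particular
# Perl's "e" flag, which would evaluate the replacement as code.
SAFE_FLAGS = {"g": 0, "i": re.IGNORECASE, "x": re.VERBOSE}


class UnsafeRule(ValueError):
    """Raised for a rule that is malformed or asks for something beyond a plain substitution."""


def parse_rule(rule):
    """Turn 's<sep>PATTERN<sep>REPLACEMENT<sep>FLAGS' into (pattern, replacement, flags).

    Simplification assumed here: only the 's' operator with one single-character
    separator (not alphanumeric, whitespace or backslash) is accepted.
    """
    rule = rule.strip()
    head = re.match(r"s([^\w\s\\])", rule)
    if not head:
        raise UnsafeRule("only s<sep>PATTERN<sep>REPLACEMENT<sep>FLAGS rules are accepted: %r" % rule)
    sep = head.group(1)
    esc = re.escape(sep)
    # One rule part: any run of escaped characters or non-separator characters.
    part = r"((?:\\.|[^\\" + esc + r"])*)"
    body = re.fullmatch("s" + esc + part + esc + part + esc + r"([a-z]*)", rule)
    if not body:
        raise UnsafeRule("malformed substitution rule: %r" % rule)
    pattern, replacement, flags = body.groups()
    for flag in flags:
        if flag not in SAFE_FLAGS:
            raise UnsafeRule("flag %r is not allowed in rule %r" % (flag, rule))
    # A separator escaped inside the rule (e.g. "\/") stands for the separator itself.
    pattern = pattern.replace("\\" + sep, sep)
    replacement = replacement.replace("\\" + sep, sep)
    return pattern, replacement, flags


def apply_rule(text, rule):
    """Apply one validated mangle rule to text.

    The replacement is handed to re.sub as a template, so "\\1"-style
    backreferences work but nothing in the rule is ever executed.
    """
    pattern, replacement, flags = parse_rule(rule)
    re_flags = 0
    for flag in flags:
        re_flags |= SAFE_FLAGS[flag]
    count = 0 if "g" in flags else 1  # re.sub: count=0 means replace all
    return re.sub(re.compile(pattern, re_flags), replacement, text, count=count)


def mangle(text, rules):
    """Apply a list of rules in order, as a watch file's mangle options would be."""
    for rule in rules:
        text = apply_rule(text, rule)
    return text


if __name__ == "__main__":
    # Constructed sample values, not taken from any real watch file.
    print(mangle("v1.2.3.tar.gz", [r"s/^v//", r"s/\.tar\.gz$//"]))  # 1.2.3
    for bad in ("s/a/b/e", "qx/script/"):
        try:
            apply_rule("x", bad)
        except UnsafeRule as err:
            print("refused:", err)
```

Because every rule is reduced to a pattern string, a template string and an allow-listed flag set before anything is compiled, a watch file from an untrusted package can at worst produce a wrong version string, never a process.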