Date: Sat, 1 Aug 2015 07:00:50 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: devscripts: licensecheck: arbitrary shell command injection

Hi

devscripts[0,1] contains a utility, licensecheck, a simple license
checker for source files. It is also included in at least Ubuntu
and Fedora[2].

Jonas Smedegaard[3] (and Jakub Wilk with a follow-up message) reported
that licensecheck is prone to arbitrary shell command injection via
shell metacharacters in filenames. The issue was introduced in
devscripts v2.15.5[4] and fixed in v2.15.7[5].

Could you please assign a CVE to identify this issue?

Regards,
Salvatore

 [0] https://packages.debian.org/devscripts
 [1] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/
 [2] http://pkgs.fedoraproject.org/cgit/devscripts.git/
 [3] https://bugs.debian.org/794260
 [4] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0
 [5] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
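The bug class named in the request, shell metacharacters in a filename reaching /bin/sh, comes from building a command string and letting the shell parse it. The script below is an added illustration and is not licensecheck or any other devscripts code: it shows the vulnerable pattern next to the hardened one in Perl (the language licensecheck is written in), using `wc -c` as a stand-in for whatever external program a tool might invoke, and a constructed file whose name contains `;`.

```perl
#!/usr/bin/perl
# Added illustration, not devscripts code: two ways a Perl tool can hand a
# filename to an external program, exercised on a constructed filename that
# contains shell metacharacters.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Vulnerable pattern: interpolating the path into a command string means
# /bin/sh parses the whole string, so ';', '$(...)', backticks and similar
# characters in the name are treated as shell syntax, not as the filename.
sub count_bytes_via_shell {
    my ($path) = @_;
    my $out = `wc -c $path 2>&1`;
    return $out;
}

# Hardened pattern: list-form open ('-|' followed by program and argument
# list) execs wc directly with the path as a single argv element; no shell
# is involved, so metacharacters stay literal. The '--' additionally keeps a
# name that begins with '-' from being parsed by wc as an option.
sub count_bytes_direct {
    my ($path) = @_;
    open(my $fh, '-|', 'wc', '-c', '--', $path)
        or die "cannot run wc: $!";
    local $/;                      # slurp the whole output at once
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed test file whose name carries a ';' followed by a harmless
# marker command, the shape of name the advisory is about.
my $dir  = tempdir(CLEANUP => 1);
my $path = File::Spec->catfile($dir, 'LICENSE; echo INJECTED');
open(my $w, '>', $path) or die "cannot create $path: $!";
print {$w} "MIT License\n";
close $w;

print "--- via shell (vulnerable) ---\n", count_bytes_via_shell($path);
print "--- direct exec (hardened) ---\n", count_bytes_direct($path);
```

Run it on a Linux host with GNU coreutils. The first call lets the shell split the name at `;`, so `wc` is run on a path that does not exist and the marker text is executed as a separate command; the second call passes the full name, `;` included, as one argument and `wc` reports the byte count of the real file. The same distinction applies to `system`, `exec` and `qx//`: the string forms go through the shell, the list forms do not, and the list forms are the ones to use whenever any part of the command comes from a filename or other untrusted input.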
