Date: Sat, 1 Aug 2015 07:00:50 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>
Subject: CVE Request: devscripts: licensecheck: arbitrary shell command


devscripts[0,1] contains a utility, licensecheck, a simple license
checker for source files. It is also included in at least Ubuntu
and Fedora[2].

Jonas Smedegaard[3] (and Jakub Wilk with a follow-up message) reported
that licensecheck is prone to arbitrary shell command injection via
shell metacharacters in filenames. The issue was introduced in
devscripts v2.15.5[4] and fixed in v2.15.7[5].

Could you please assign a CVE to identify this issue?
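
The bug class described in this message, shown as an added example that is not part of the original post and is not devscripts code: a file name pasted into shell command text next to the same call made with an argument list. The helper command, the sample file names and all function names are assumptions made for illustration; the sample names are constructed and the embedded command is a plain `echo`.

```python
import shlex
import subprocess
import sys

# Hypothetical per-file helper (an assumption; not the command licensecheck
# runs): a Python one-liner that prints the argument list it received.
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

# Constructed file names, as they might appear in an unpacked source tree.
SAMPLES = ["src/main.c", "a b.txt", "x; echo INJECTED"]


def run_interpolated(name):
    """Vulnerable pattern: the file name is pasted into shell command text."""
    cmd = shlex.join(HELPER) + " " + name
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_quoted(name):
    """Shell still involved, but the name is quoted into a single word."""
    cmd = shlex.join(HELPER) + " " + shlex.quote(name)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_argv(name):
    """Preferred: no shell at all; the name is one argv element, verbatim."""
    out = subprocess.run(HELPER + [name], capture_output=True, text=True)
    return out.stdout.splitlines()


def needs_quoting(names):
    """Audit helper: names a shell would not treat as one literal word."""
    return [n for n in names if shlex.quote(n) != n]


if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name))
        print("  interpolated:", run_interpolated(name))
        print("  quoted:      ", run_quoted(name))
        print("  argv list:   ", run_argv(name))
    print("needs quoting:", needs_quoting(SAMPLES))
```

When the helper is a real tool, placing `--` before the file name in the argument list also keeps names that begin with `-` from being read as options.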


