Date: Sat, 1 Aug 2015 07:00:50 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: devscripts: licensecheck: arbitrary shell command injection

Hi

devscripts[0,1] contains a utility licensecheck, a simple license checker
for source files. It is as well included at least in Ubuntu and Fedora.

Jonas Smedegaard (and Jakub Wilk with a follow-up message) reported that
licensecheck is prone to arbitrary shell command injection via shell
metacharacters in filenames.

The issue was introduced in devscripts v2.15.5 and fixed in v2.15.7.

Could you please assign a CVE to identify this issue?

Regards,
Salvatore

 [0] https://packages.debian.org/devscripts
 [1] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/
 [2] http://pkgs.fedoraproject.org/cgit/devscripts.git/
 [3] https://bugs.debian.org/794260
 [4] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0
 [5] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
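The bug class in the request above (a filename interpolated into a shell command line) is easy to see in a small worked example. The following Python is an added illustration, not code from devscripts or from the licensecheck script (which is written in Perl), and the filename it uses is constructed for the demonstration. It tokenises a naively built command line the way a POSIX shell would, shows that quoting with shlex.quote collapses the filename back into one word, flags suspicious names for review, and passes the filename as a single argv element so that no shell ever parses it.

```python
import shlex
import subprocess
import sys

# Constructed sample filename containing shell metacharacters; not taken from the advisory.
SUSPICIOUS_NAME = "hello; echo injected.c"

# Characters that a POSIX shell treats specially when they appear unquoted in a word.
SHELL_METACHARS = frozenset(";&|<>`$(){}[]*?!'\"\\\n\t ")


def has_shell_metachars(name):
    """Detection helper: True if a filename would need quoting to be safe in a shell."""
    return any(c in SHELL_METACHARS for c in name)


def flag_risky_names(names):
    """Return the subset of names that a defender should treat as untrusted shell input."""
    return [n for n in names if has_shell_metachars(n)]


def shell_tokens(command_line):
    """Tokenise a command line as a POSIX shell would, keeping ; & | < > ( ) as separate tokens."""
    return list(shlex.shlex(command_line, posix=True, punctuation_chars=True))


def naive_tokens(name):
    """The vulnerable pattern: the filename is pasted into the command string unquoted."""
    return shell_tokens("head -n1 " + name)


def quoted_tokens(name):
    """Mitigation when a shell is unavoidable: shlex.quote makes the filename one word."""
    return shell_tokens("head -n1 " + shlex.quote(name))


def run_with_filename(path):
    """Preferred mitigation: pass the filename as one argv element, with no shell in between.

    The child process is a small Python one-liner (a stand-in for any external tool) that
    echoes its first argument back, so the return value shows exactly what the tool received.
    """
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", path],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    print("flagged:", flag_risky_names(["plain_file.c", SUSPICIOUS_NAME]))
    print("unquoted shell view:", naive_tokens(SUSPICIOUS_NAME))
    print("quoted shell view:  ", quoted_tokens(SUSPICIOUS_NAME))
    print("argv form received: ", repr(run_with_filename(SUSPICIOUS_NAME)))
```

The unquoted tokenisation shows the filename splitting into a second command after the `;`, which is the injection point the advisory describes; the quoted form and the argv form both deliver the name as a single literal argument. Flagging names with metacharacters is useful as a test or audit check, but it is not a substitute for removing the shell from the call path.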