Date: Sat, 1 Aug 2015 07:00:50 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Cc: CVE Assignments MITRE <cve-assign@...re.org> Subject: CVE Request: devscripts: licensecheck: arbitrary shell command injection Hi devscripts[0,1] contains a utility licensecheck, a simple license checker for source files. It is as well included at least in Ubuntu and Fedora. Jonas Smedegaard (and Jakub Wilk with a follow-up message) reported that licensecheck is prone to arbitrary shell command injection via shell metacharacters in filenames. The issue was introduced in devscripts v2.15.5 and fixed in v2.15.7. Could you please assign a CVE to identify this issue? Regards, Salvatore  https://packages.debian.org/devscripts  https://anonscm.debian.org/cgit/collab-maint/devscripts.git/  http://pkgs.fedoraproject.org/cgit/devscripts.git/  https://bugs.debian.org/794260  https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0  https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.