Debian: DSA-1878-1: New devscripts packages fix remote code execution

    Date02 Sep 2009
    CategoryDebian
    75
    Posted ByLinuxSecurity Advisories
    Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1878-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    	
    http://www.debian.org/security/                           Florian Weimer
    September 02, 2009                    http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : devscripts
    Vulnerability  : missing input sanitation
    Problem type   : remote
    Debian-specific: yes
    CVE Id(s)      : CVE-2009-2946
    
    Raphael Geissert discovered that uscan, a program to check for
    availability of new source code versions which is part of the
    devscripts package, runs Perl code downloaded from potentially
    untrusted sources to implement its URL and version mangling
    functionality.  This update addresses this issue by reimplementing the
    relevant Perl operators without relying on the Perl interpreter,
    trying to preserve backwards compatibility as much as possible.
    
    For the old stable distribution (etch), this problem has been fixed in
    version 2.9.26etch4.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 2.10.35lenny6.
    
    For the unstable distribution (sid), this problem will be fixed in
    version 2.10.54.
    
    We recommend that you upgrade your devscripts package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4.tar.gz
        Size/MD5 checksum:   432330 6d13d4ec0e161a62d0babd45b58e9f75
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4.dsc
        Size/MD5 checksum:      682 0cd547c5e78642f16762e0d687997563
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_alpha.deb
        Size/MD5 checksum:   389730 42458f68b3f75d87bb0397e6befde980
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_amd64.deb
        Size/MD5 checksum:   399454 8f648a32c698f15d4c6c2a90f9cdc19a
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_arm.deb
        Size/MD5 checksum:   396212 3187e3df12e04da5b2abb3aabf63f293
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_hppa.deb
        Size/MD5 checksum:   400058 bc84514b7d6e87c2bace8ee054cea2b6
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_i386.deb
        Size/MD5 checksum:   394688 35c9379172ffb63d89f512e7b46653db
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_ia64.deb
        Size/MD5 checksum:   391116 f0d5a42de7f2f36d1433c550655c9cc9
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_mips.deb
        Size/MD5 checksum:   396716 30793d09ae26fdd5fbcf47fc011fb7d9
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_mipsel.deb
        Size/MD5 checksum:   389640 750928f91a3066a5288f807cd5afa953
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_powerpc.deb
        Size/MD5 checksum:   391870 5b5b3fcbf001a6d390515fb64829ba80
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_s390.deb
        Size/MD5 checksum:   389540 40471968ab5a26bb0227b4954814a270
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_sparc.deb
        Size/MD5 checksum:   397816 5f773402f6ebf2b00170d46686ee0418
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6.tar.gz
        Size/MD5 checksum:   602179 4bc83fe370d730667e9fe8fe222bf115
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6.dsc
        Size/MD5 checksum:     1417 6cd189a95491bdd4ce32e908acd55cd8
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_alpha.deb
        Size/MD5 checksum:   509058 dd02c9afaf74b8633699b7e5aee3aef3
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_amd64.deb
        Size/MD5 checksum:   519036 3f274c25fabc3d22cb329c621dd0f630
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_arm.deb
        Size/MD5 checksum:   520644 e4ee996772f786c6883c779420125dda
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_armel.deb
        Size/MD5 checksum:   520300 eae935b7a416989bb2cddabae3870e37
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_hppa.deb
        Size/MD5 checksum:   524510 648acee4d3d9ed48eb2415ce36c5519e
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_i386.deb
        Size/MD5 checksum:   517734 f5e74325fdfda2cf7cfb690be807a1de
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_ia64.deb
        Size/MD5 checksum:   510044 bde1efc77895c33d6e0ff5e49fcea63f
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_mips.deb
        Size/MD5 checksum:   508946 2e3c9714a01e41655c467c2fd4f41f09
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_mipsel.deb
        Size/MD5 checksum:   508980 4cc636a2e0391f8405808b80529020a6
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_powerpc.deb
        Size/MD5 checksum:   511348 96628900942da87fed1133f6d97ed8ea
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_s390.deb
        Size/MD5 checksum:   508898 f6eaf845971c27830890021c1106c19b
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_sparc.deb
        Size/MD5 checksum:   523130 773b2a7f70551467601af5d1daf8a776
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"37","type":"x","order":"1","pct":51.39,"resources":[]},{"id":"88","title":"Should be more technical","votes":"10","type":"x","order":"2","pct":13.89,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"25","type":"x","order":"3","pct":34.72,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    Advisories

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.