USN-847-1: Devscripts vulnerability

view full story

http://www.ubuntu.com – Referenced CVEs:  CVE-2009-2946 Description:  =========================================================== Ubuntu Security Notice USN-847-1 October 08, 2009 devscripts vulnerability CVE-2009-2946 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: devscripts 2.10.11ubuntu5.8.04.4 Ubuntu 8.10: devscripts 2.10.26ubuntu15.2 Ubuntu 9.04: devscripts 2.10.39ubuntu7.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Raphael Geissert discovered that uscan, a part of devscripts, did not properly sanitize its input when processing pathnames. If uscan processed a crafted filename for a file on a remote server, an attacker could execute arbitrary code with the privileges of the user invoking the program. (Distributions)