Debian Security Advisory

DSA-1878-1 devscripts -- missing input sanitation

Date Reported:

02 Sep 2009

Affected Packages:

devscripts

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2009-2946.

More information:

Raphael Geissert discovered that uscan, a program to check for availability of new source code versions which is part of the devscripts package, runs Perl code downloaded from potentially untrusted sources to implement its URL and version mangling functionality. This update addresses this issue by reimplementing the relevant Perl operators without relying on the Perl interpreter, trying to preserve backwards compatibility as much as possible.

For the old stable distribution (etch), this problem has been fixed in version 2.9.26etch4.

For the stable distribution (lenny), this problem has been fixed in version 2.10.35lenny6.

For the unstable distribution (sid), this problem will be fixed in version 2.10.54.

We recommend that you upgrade your devscripts package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4.tar.gz; http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4.dsc
Alpha:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.9.26etch4_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6.tar.gz; http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6.dsc
Alpha:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_arm.deb
ARM EABI:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_armel.deb
HP Precision:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/d/devscripts/devscripts_2.10.35lenny6_sparc.deb

MD5 checksums of the listed files are available in the original advisory.