Bug 855441 (CVE-2013-7085) - VUL-0: CVE-2013-7085: devscripts: broken handling of filenames with whitespace in uscan
Status: RESOLVED FIXED
Alias: CVE-2013-7085
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.1
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Forgotten User uM1-kgIFHl
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-13 19:06 UTC by Alexander Bergmann
Modified: 2015-04-01 12:27 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2013-12-13 19:06:18 UTC
OSS:11690

A flaw is reported in the uscan script of devscripts:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006

From the bug:

If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames
containing whitespace. This can be abused by a malicious upstream to
delete files of their choice.

CVE-2013-7085 was assigned to this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7085
http://comments.gmane.org/gmane.comp.security.oss.general/11690
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006
https://bugzilla.redhat.com/show_bug.cgi?id=1040949
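The quoted Debian report describes the bug class, not the code path, so the following is an added illustration and not uscan's own code: an "exclude and delete" step that interpolates a filename unquoted into a shell command, beside the quoted form. The scratch tree, the file names and the function names are constructed for the demo; it assumes a POSIX sh with mktemp. The upstream-controlled name "cruft.txt keep.txt" is one file, but once word-split by the shell it becomes two arguments, and rm removes keep.txt, a file the exclusion list never named.

```shell
#!/bin/sh
# Constructed demo of the filename-with-whitespace bug class behind
# CVE-2013-7085. Not uscan's code; names and layout are made up here.

# Build a scratch directory standing in for an unpacked upstream tarball.
# "keep.txt" must survive; "cruft.txt keep.txt" (one file, space in the
# name) is what a malicious upstream ships to be matched by an exclusion.
setup_tree() {
    dir=$(mktemp -d)
    printf 'important\n' > "$dir/keep.txt"
    printf 'junk\n' > "$dir/cruft.txt keep.txt"
    printf '%s\n' "$dir"
}

# Vulnerable variant: $excluded is expanded unquoted, so the shell
# word-splits (and glob-expands) it before rm sees it. The intended
# file is never removed; whatever the pieces name is.
vulnerable_exclude() {
    dir=$1
    excluded=$2
    # shellcheck disable=SC2086  (the unquoted expansion is the bug)
    ( cd "$dir" && rm -f $excluded )
}

# Hardened variant: the name is passed as one quoted argument and "--"
# stops rm from treating a leading "-" as an option. Exactly the named
# file is removed, whatever characters it contains.
hardened_exclude() {
    dir=$1
    excluded=$2
    ( cd "$dir" && rm -f -- "$excluded" )
}

# Run one variant against a fresh tree and report which files are left.
# Returns a line like "keep=gone excluded=present" for the caller.
run_case() {
    dir=$(setup_tree)
    "$1" "$dir" "cruft.txt keep.txt"
    keep=present
    [ -e "$dir/keep.txt" ] || keep=gone
    odd=present
    [ -e "$dir/cruft.txt keep.txt" ] || odd=gone
    rm -rf -- "$dir"
    printf 'keep=%s excluded=%s\n' "$keep" "$odd"
}

# Stand-alone output when run directly.
printf 'vulnerable: %s\n' "$(run_case vulnerable_exclude)"
printf 'hardened:   %s\n' "$(run_case hardened_exclude)"
```

The vulnerable run reports keep=gone excluded=present: the bystander file is deleted and the file upstream wanted excluded is still there. The hardened run reports the reverse. Because the unquoted expansion is also glob-expanded, an upstream name such as "cruft.txt *" would take the whole directory with it. In Perl, where uscan lives, the equivalent fix is to call unlink or the list form of system with the name as a separate argument instead of building a shell command string.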
Comment 1 Swamp Workflow Management 2013-12-16 23:00:13 UTC
bugbot adjusting priority
Comment 2 Thomas Biege 2014-01-09 15:54:36 UTC
fixes can be found here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006
Comment 3 Johannes Segitz 2015-04-01 12:27:08 UTC
not vulnerable in openSUSE >= 13.1