Bug 1040266 (CVE-2013-7050)

Summary: CVE-2013-7050 devscripts: code execution flaw in uscan
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: manisandro
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-03-19 22:04:47 UTC
Bug Depends On: 1040267

Description Murray McAllister 2013-12-11 04:28:35 UTC
A flaw was reported in the uscan script of devscripts:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849

From that bug report:

""
The newfangled debian/copyright-driven repacking can be exploited by
malicious upstream to execute arbitrary code.
""

The fix:

http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=91f05b5

devscripts is not included in Fedora 18 or 19. It looks to be part of rawhide/the upcoming Fedora 20.

Although some Debian stuff is bundled in the rpmdevtools package, uscan does not appear to be.

Comment 1 Murray McAllister 2013-12-11 04:30:37 UTC
Created devscripts tracking bugs for this issue:

Affects: fedora-rawhide [bug 1040267]

Comment 2 Murray McAllister 2013-12-11 04:34:37 UTC
CVE request: http://www.openwall.com/lists/oss-security/2013/12/11/1

Comment 3 Vincent Danen 2013-12-13 18:16:02 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7050 to
the following vulnerability:

Name: CVE-2013-7050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7050
Assigned: 20131211
Reference: http://seclists.org/oss-sec/2013/q4/470
Reference: http://seclists.org/oss-sec/2013/q4/486
Reference: http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=91f05b5
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849
Reference: http://www.securityfocus.com/bid/64241

The get_main_source_dir function in scripts/uscan.pl in devscripts
before 2.13.8, when using USCAN_EXCLUSION, allows remote attackers to
execute arbitrary commands via shell metacharacters in a directory
name.

Comment 4 Fedora Update System 2013-12-21 02:17:19 UTC
devscripts-2.13.5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
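
The class of flaw named in the CVE description in Comment 3 (shell metacharacters in a directory name), shown as an added example that is not code from devscripts or from this bug report: a directory name pasted into a command string that a shell parses, next to the form that passes the name as a single argument. The function names, the allow-list pattern and the constructed directory name are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not devscripts code. All names here are hypothetical.

# UNSAFE: the directory name is pasted into a command string that a shell
# parses (as a single-string system() or backticks would do), so any
# metacharacters in the name are treated as shell syntax.
list_unsafe() {
    ( cd "$1" && sh -c "ls -d $2" ) >/dev/null 2>&1
}

# SAFE: the name is passed as one argument and is never re-parsed by a shell.
# "--" ends option parsing in case the name begins with "-".
list_safe() {
    ( cd "$1" && ls -d -- "$2" ) >/dev/null 2>&1
}

# Extra precaution (an assumption of this example, not taken from the fix):
# accept only names made of a conservative character set.
is_plain_name() {
    case "$1" in
        ''|.|..|-*) return 1 ;;
        *[!A-Za-z0-9._+~-]*) return 1 ;;
    esac
    return 0
}

# Runs both forms against a constructed directory name inside a scratch
# directory and reports whether the marker file INJECTED appeared.
demo() {
    work=$(mktemp -d) || return 2
    name='pkg-1.0;touch INJECTED'   # constructed sample, stands in for an unpacked top-level dir
    mkdir "$work/$name"

    list_safe "$work" "$name"
    if [ -e "$work/INJECTED" ]; then safe=yes; else safe=no; fi

    list_unsafe "$work" "$name"
    if [ -e "$work/INJECTED" ]; then unsafe=yes; else unsafe=no; fi

    rm -rf "$work"
    echo "safe=$safe unsafe=$unsafe"
}

demo
```

The marker file appears only after the string-built command runs; `is_plain_name` can be used to refuse such a directory before any command touches it.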