Bug 1040949 (CVE-2013-7085)

Summary: CVE-2013-7085 devscripts: broken handling of filenames with whitespace in uscan
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: manisandro
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-06 19:45:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1040950    
Bug Blocks:    

Description Ratul Gupta 2013-12-12 11:54:50 UTC 
A flaw was reported in the uscan script of devscripts:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006

From the bug report:

If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames  containing whitespace. This can be abused my malicious upstream to  delete files of their choice.

devscripts is not included in Fedora 18 or 19. It looks to be part of rawhide/the upcoming Fedora 20.

Although some Debian stuff is bundled in the rpmdevtools package, uscan does not appear to be.
Comment 1 Ratul Gupta 2013-12-12 11:55:42 UTC 
Created devscripts tracking bugs for this issue:

Affects: fedora-rawhide [bug 1040950]
Comment 2 Ratul Gupta 2013-12-12 12:16:11 UTC 
CVE Request:
http://seclists.org/oss-sec/2013/q4/491
Comment 3 Fedora Update System 2014-01-03 14:58:55 UTC 
devscripts-2.13.9-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Vincent Danen 2014-01-06 19:45:03 UTC 
According to the devscripts-2.13.9/debian/changelog file:

devscripts (2.13.9) unstable; urgency=low

...

  [ James McCoy ]
  * uscan:
    + Repack the tarball and verify it is a compressed archive without
      allowing arbitrary code execution.  Fixes CVE-2013-6888.
    + Use find's -exec to call rm directly instead of piping to xargs.
      (Closes: #732006, CVE-2013-7085)

This is fixed in current Fedora 20 and higher.