A flaw was reported in the uscan script of devscripts: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732006 From the bug report: If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames containing whitespace. This can be abused my malicious upstream to delete files of their choice. devscripts is not included in Fedora 18 or 19. It looks to be part of rawhide/the upcoming Fedora 20. Although some Debian stuff is bundled in the rpmdevtools package, uscan does not appear to be.
Created devscripts tracking bugs for this issue: Affects: fedora-rawhide [bug 1040950]
CVE Request: http://seclists.org/oss-sec/2013/q4/491
devscripts-2.13.9-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
According to the devscripts-2.13.9/debian/changelog file: devscripts (2.13.9) unstable; urgency=low ... [ James McCoy ] * uscan: + Repack the tarball and verify it is a compressed archive without allowing arbitrary code execution. Fixes CVE-2013-6888. + Use find's -exec to call rm directly instead of piping to xargs. (Closes: #732006, CVE-2013-7085) This is fixed in current Fedora 20 and higher.