A flaw was reported in the uscan script of devscripts: http://www.debian.org/security/2014/dsa-2836 From the bug report: An attacker controlling a website from which uscan would attempt to download a source tarball could execute arbitrary code with the privileges of the user running uscan.
Created devscripts tracking bugs for this issue: Affects: fedora-20 [bug 1048700]
From [1]: "[...] these problems have been fixed in version 2.13.9". F20+ ships devscripts-2.13.9. Closing bug. [1] http://www.debian.org/security/2014/dsa-2836
While true, you closed with an incorrect status. Also, a better reference is this note in the debian/changelog file (since we cannot know whether the advisory noted above is a patched 2.13.9 or not):

devscripts (2.13.9) unstable; urgency=low
...
  [ James McCoy ]
  * uscan:
    + Repack the tarball and verify it is a compressed archive without allowing arbitrary code execution.  Fixes CVE-2013-6888.
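The changelog entry above says uscan now verifies that what it downloaded is a compressed archive before repacking it. The following is an added example, not devscripts' own code and not a description of the original uscan bug (the thread does not spell out the mechanism): it shows the kind of check a downloader can apply, namely identifying the archive by its magic bytes, refusing anything unrecognised, and listing the tar members through a library call rather than a shell command line. The signature table, the function names and the constructed sample inputs are all assumptions made for this example.

```python
import bz2
import gzip
import io
import lzma
import tarfile

# Magic-byte signatures for the formats a source-tarball downloader
# would accept (standard values; the table itself is ours, not uscan's).
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"PK\x03\x04", "zip"),
]


def detect_compression(data: bytes):
    """Return the archive type implied by the leading bytes, or None."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    # Uncompressed tar: POSIX ustar / pax headers carry "ustar" at offset 257.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def list_tar_members(data: bytes):
    """Verify the blob is an archive we understand and list its members.

    Raises ValueError instead of ever handing the content to a shell or
    to a tool chosen by the file's own name/extension.
    """
    kind = detect_compression(data)
    if kind is None:
        raise ValueError("not a recognised compressed archive; refusing to repack")
    if kind == "zip":
        raise ValueError("zip input not handled in this example")
    decompress = {
        "gzip": gzip.decompress,
        "bzip2": bz2.decompress,
        "xz": lzma.decompress,
        "tar": lambda b: b,
    }[kind]
    raw = decompress(data)
    # mode "r:" = plain tar, no transparent (and attacker-influenced) detection.
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:") as tf:
        return [m.name for m in tf.getmembers()]


def make_sample_tarball(compression: str = "gz") -> bytes:
    """Constructed sample input: a one-file upstream tarball built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tf:
        payload = b"hello\n"
        info = tarfile.TarInfo(name="hello-1.0/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed inputs: a genuine .tar.gz and a "tarball" that is really a script.
SAMPLE_TARBALL = make_sample_tarball("gz")
FAKE_TARBALL = b"#!/bin/sh\necho pwned\n"

if __name__ == "__main__":
    print(detect_compression(SAMPLE_TARBALL), list_tar_members(SAMPLE_TARBALL))
    try:
        list_tar_members(FAKE_TARBALL)
    except ValueError as e:
        print("rejected:", e)
```

The point of the check is that the decision about which decompressor to run is made from the bytes, not from the URL or the filename the remote site chose, and that nothing about the download ever reaches a shell.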
http://seclists.org/oss-sec/2014/q1/265 notes two more hardening commits:

http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=4b7e58ee6000cdefac0682601cec6ecce0137467
http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=b815aa438f018b5afc566eb403b0319a99a32995

But they look to already be in devscripts-2.14.1-1.fc20.src.rpm, so no action.
(In reply to Murray McAllister from comment #4)
> http://seclists.org/oss-sec/2014/q1/265 notes two more hardening commits:
>
> http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commitdiff;h=4b7e58ee6000cdefac0682601cec6ecce0137467

This one was assigned CVE-2013-7325. Reference: http://seclists.org/oss-sec/2014/q1/334