9.3 - DSA-2409

Executive Summary

Summary
Title	devscripts security update

Informations
Name	DSA-2409	First vendor Publication	2012-02-15
Vendor	Debian	Last vendor Modification	2012-02-15
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them:

CVE-2012-0210:

Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information.

CVE-2012-0211:

Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution.

CVE-2012-0212:

Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.

For the stable distribution (squeeze), these problems have been fixed in version 2.10.69+squeeze2.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems will be fixed in version 2.11.4.

We recommend that you upgrade your devscripts packages.

Original Source

Url : http://www.debian.org/security/2012/dsa-2409

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14780

Oval ID:	oval:org.mitre.oval:def:14780
Title:	DSA-2409-1 devscripts -- several
Description:	Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information. CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution. CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.
Family:	unix	Class:	patch
Reference(s):	DSA-2409-1 CVE-2012-0210 CVE-2012-0211 CVE-2012-0212	Version:	7
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	devscripts
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.69+squeeze2

Definition Id: oval:org.mitre.oval:def:15127

Oval ID:	oval:org.mitre.oval:def:15127
Title:	USN-1366-1 -- devscripts vulnerabilities
Description:	devscripts: scripts to make the life of a Debian Package maintainer easier debdiff, a part of devscripts, could be made to run programs as your login if it opened a specially crafted file.
Family:	unix	Class:	patch
Reference(s):	USN-1366-1 CVE-2012-0210 CVE-2012-0211 CVE-2012-0212	Version:	7
Platform(s):	Ubuntu 11.04 Ubuntu 11.10 Ubuntu 8.04 Ubuntu 10.04 Ubuntu 10.10	Product(s):	devscripts
Definition Synopsis:
Release section Ubuntu 11.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.69ubuntu2.1 OR Release section Ubuntu 11.10 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.11.1ubuntu3.1 OR Release section Ubuntu 8.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.11ubuntu5.8.04.5 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.61ubuntu5.1 OR Release section Ubuntu 10.10 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.67ubuntu1.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Devscripts Devel Team Devscripts cpe:2.3:a:devscripts_devel_team:devscripts:2.11.3:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.2:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.0:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.9:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.8:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.7:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.68:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.67:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.66:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.65.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.64:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.63:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.62:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.61:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.60:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.6:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.59:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.58:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.57:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.56:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.55:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.54:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.53:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.52:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.51:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.50:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.49:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.48:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.47:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.46:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.45:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.44:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.43:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.42:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.41:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.40:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.39:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.38:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.36:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.35:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.34:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.33:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.32:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.31:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.30:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.3:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.29:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.28:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.27:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.26:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.25:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.24:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.23:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.22:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.21:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.20:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.19:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.18.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.18:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.17:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.16:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.15:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.14:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.13:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.12:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.11:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.10:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.0:::::::*	70

OpenVAS Exploits

Date	Description
2012-10-03	Name : Ubuntu Update for devscripts USN-1593-1 File : nvt/gb_ubuntu_USN_1593_1.nasl
2012-09-19	Name : Debian Security Advisory DSA 2549-1 (devscripts) File : nvt/deb_2549_1.nasl
2012-03-12	Name : Debian Security Advisory DSA 2409-1 (devscripts) File : nvt/deb_2409_1.nasl
2012-02-21	Name : Ubuntu Update for devscripts USN-1366-1 File : nvt/gb_ubuntu_USN_1366_1.nasl

Nessus® Vulnerability Scanner

Date	Description
2012-10-03	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1593-1.nasl - Type : ACT_GATHER_INFO
2012-09-17	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2549.nasl - Type : ACT_GATHER_INFO
2012-02-16	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2409.nasl - Type : ACT_GATHER_INFO
2012-02-16	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1366-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:30:49	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	3
Oval ID(s)	2
CPE ID(s)	70
Openvas Exploit(s)	4
Nessus® Exploit(s)	4

	Related
9.3	CVE-2012-0212
9.3	CVE-2012-0211
9.3	CVE-2012-0210
7.5	DSA-2549
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 4 more Alert(s)

9.3 - DSA-2409

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU