Executive Summary
Summary | |
---|---|
Title | devscripts security update |
Information | | | |
---|---|---|---|
Name | DSA-2409 | First vendor publication | 2012-02-15 |
Vendor | Debian | Last vendor modification | 2012-02-15 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them:

CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information.

CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution.

CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.

For the stable distribution (squeeze), these problems have been fixed in version 2.10.69+squeeze2. For the testing distribution (wheezy), these problems will be fixed soon. For the unstable distribution (sid), these problems will be fixed in version 2.11.4.

We recommend that you upgrade your devscripts packages.
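The three CVEs describe one weakness class: a string the attacker controls (a file name on the command line, a member name inside the .orig tarball, a field in a .dsc or .changes file) reaches an external command with argument boundaries or option parsing intact. The following is an added illustration of that class in Python, not the debdiff code and not the inputs from the original reports; the sample names, the allowlist regex and the function names are assumptions. It shows a shell-string construction in which an embedded space and a leading dash turn a name into extra arguments, the same call built as an argv list with `--`, and an allowlist check of the kind one would apply to names read from package metadata before any external command sees them.

```python
import re
import shlex
import subprocess

# Constructed sample names (assumptions for illustration, not the inputs from
# the original reports). Any of them could arrive as a path on the debdiff
# command line, as a member name in an .orig tarball, or as a file name
# listed in a .dsc or .changes file.
BENIGN_NAME = "pkg_1.0.orig.tar.gz"
SPACE_NAME = "--label=INJECTED pkg_1.0.orig.tar.gz"  # embedded space carries an option
DASH_NAME = "-x"                                     # bare name that parses as an option

# Assumed allowlist for names read from package metadata: leading alphanumeric,
# then only [A-Za-z0-9.+~_-]. Whitespace, shell metacharacters and a leading
# dash are all rejected.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.+~_-]*")


def build_shell_command(tool, paths):
    """Vulnerable pattern: names interpolated into one shell string.

    The shell re-tokenises the string, so whitespace inside a name yields
    extra words and a leading '-' becomes an option of `tool`.
    """
    return tool + " " + " ".join(paths)


def words_seen_by_shell(cmdline):
    """Tokenise a command line the way a POSIX shell would (shlex.split)."""
    return shlex.split(cmdline)


def build_shell_command_quoted(tool, paths):
    """Half fix: quote every name. Whitespace can no longer split a name, but
    a name such as '-x' is still handed to `tool` as an option."""
    return tool + " " + " ".join(shlex.quote(p) for p in paths)


def build_argv(tool, paths):
    """Hardened call shape: an argv list (no shell) with '--' ending option
    parsing, so '-x' is a file operand. Assumes `tool` honours '--', as
    getopt-based GNU tools do."""
    return [tool, "--"] + list(paths)


def is_safe_name(name):
    """Allowlist check for a file name taken from package metadata."""
    return _SAFE_NAME.fullmatch(name) is not None


def rejected_names(paths):
    """Names that fail the allowlist, in input order."""
    return [p for p in paths if not is_safe_name(p)]


def checked_argv(tool, paths):
    """Validate first, then build the hardened argv; rejected names never
    reach the external command."""
    bad = rejected_names(paths)
    if bad:
        raise ValueError("unsafe file name(s): %r" % bad)
    return build_argv(tool, paths)


def run_checked(tool, paths):
    """Run `tool` on validated names without a shell."""
    return subprocess.run(checked_argv(tool, paths), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    print(words_seen_by_shell(build_shell_command("diff", [BENIGN_NAME, SPACE_NAME])))
    print(words_seen_by_shell(build_shell_command_quoted("diff", [BENIGN_NAME, SPACE_NAME])))
    print(build_argv("diff", [BENIGN_NAME, DASH_NAME]))
    print(rejected_names([BENIGN_NAME, SPACE_NAME, DASH_NAME]))
```

Quoting alone closes only the whitespace channel; the leading-dash channel needs `--` (or a `./` prefix for tools that do not honour `--`), and the allowlist stops both classes of name before a command is ever built. The same checks apply to names pulled out of a tarball listing or a .changes Files field, which is where two of the three reports above originate.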
Original Source
Url : http://www.debian.org/security/2012/dsa-2409 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:14780 | |||
Oval ID: | oval:org.mitre.oval:def:14780 | ||
Title: | DSA-2409-1 devscripts -- several | ||
Description: | Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information. CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution. CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2409-1, CVE-2012-0210, CVE-2012-0211, CVE-2012-0212 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0 | Product(s): | devscripts |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:15127 | |||
Oval ID: | oval:org.mitre.oval:def:15127 | ||
Title: | USN-1366-1 -- devscripts vulnerabilities | ||
Description: | devscripts: scripts to make the life of a Debian package maintainer easier. debdiff, a part of devscripts, could be made to run programs as your login if it opened a specially crafted file. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1366-1, CVE-2012-0210, CVE-2012-0211, CVE-2012-0212 | Version: | 7 |
Platform(s): | Ubuntu 8.04, Ubuntu 10.04, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10 | Product(s): | devscripts |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-10-03 | Name : Ubuntu Update for devscripts USN-1593-1 File : nvt/gb_ubuntu_USN_1593_1.nasl |
2012-09-19 | Name : Debian Security Advisory DSA 2549-1 (devscripts) File : nvt/deb_2549_1.nasl |
2012-03-12 | Name : Debian Security Advisory DSA 2409-1 (devscripts) File : nvt/deb_2409_1.nasl |
2012-02-21 | Name : Ubuntu Update for devscripts USN-1366-1 File : nvt/gb_ubuntu_USN_1366_1.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-10-03 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1593-1.nasl - Type : ACT_GATHER_INFO |
2012-09-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2549.nasl - Type : ACT_GATHER_INFO |
2012-02-16 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2409.nasl - Type : ACT_GATHER_INFO |
2012-02-16 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1366-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:30:49 |