9.3 - USN-1593-1

Executive Summary

Summary
Title	devscripts vulnerabilities

Informations
Name	USN-1593-1	First vendor Publication	2012-10-02
Vendor	Ubuntu	Last vendor Modification	2012-10-02
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in devscripts.

Software Description: - devscripts: scripts to make the life of a Debian Package maintainer easier

Details:

Raphael Geissert discovered that the debdiff.pl tool incorrectly handled shell metacharacters. If a user or automated system were tricked into processing a specially crafted filename, a remote attacher could possibly execute arbitrary code. (CVE-2012-0212)

Raphael Geissert discovered that the dscverify tool incorrectly escaped arguments to external commands. If a user or automated system were tricked into processing specially crafted files, a remote attacher could possibly execute arbitrary code. (CVE-2012-2240)

Raphael Geissert discovered that the dget tool incorrectly performed input validation. If a user or automated system were tricked into processing specially crafted files, a remote attacher could delete arbitrary files. (CVE-2012-2241)

Raphael Geissert discovered that the dget tool incorrectly escaped arguments to external commands. If a user or automated system were tricked into processing specially crafted files, a remote attacher could possibly execute arbitrary code. This issue only affected Ubuntu 10.04 LTS and Ubuntu 11.04. (CVE-2012-2242)

Jim Meyering discovered that the annotate-output tool incorrectly handled temporary files. A local attacker could use this flaw to alter files being processed by the annotate-output tool. On Ubuntu 11.04 and later, this issue was mitigated by the Yama kernel symlink restrictions. (CVE-2012-3500)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS:
devscripts 2.11.6ubuntu1.4

Ubuntu 11.10:
devscripts 2.11.1ubuntu3.2

Ubuntu 11.04:
devscripts 2.10.69ubuntu2.2

Ubuntu 10.04 LTS:
devscripts 2.10.61ubuntu5.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1593-1
CVE-2012-0212, CVE-2012-2240, CVE-2012-2241, CVE-2012-2242,
CVE-2012-3500

Package Information:
https://launchpad.net/ubuntu/+source/devscripts/2.11.6ubuntu1.4
https://launchpad.net/ubuntu/+source/devscripts/2.11.1ubuntu3.2
https://launchpad.net/ubuntu/+source/devscripts/2.10.69ubuntu2.2
https://launchpad.net/ubuntu/+source/devscripts/2.10.61ubuntu5.3

Original Source

Url : http://www.ubuntu.com/usn/USN-1593-1

CWE : Common Weakness Enumeration

%	Id	Name
80 %	CWE-20	Improper Input Validation
20 %	CWE-362	Race Condition

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14780

Oval ID:	oval:org.mitre.oval:def:14780
Title:	DSA-2409-1 devscripts -- several
Description:	Several vulnerabilities have been discovered in debdiff, a script used to compare two Debian packages, which is part of the devscripts package. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them: CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information. CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution. CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.
Family:	unix	Class:	patch
Reference(s):	DSA-2409-1 CVE-2012-0210 CVE-2012-0211 CVE-2012-0212	Version:	7
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	devscripts
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.69+squeeze2

Definition Id: oval:org.mitre.oval:def:15127

Oval ID:	oval:org.mitre.oval:def:15127
Title:	USN-1366-1 -- devscripts vulnerabilities
Description:	devscripts: scripts to make the life of a Debian Package maintainer easier debdiff, a part of devscripts, could be made to run programs as your login if it opened a specially crafted file.
Family:	unix	Class:	patch
Reference(s):	USN-1366-1 CVE-2012-0210 CVE-2012-0211 CVE-2012-0212	Version:	7
Platform(s):	Ubuntu 11.04 Ubuntu 11.10 Ubuntu 8.04 Ubuntu 10.04 Ubuntu 10.10	Product(s):	devscripts
Definition Synopsis:
Release section Ubuntu 11.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.69ubuntu2.1 OR Release section Ubuntu 11.10 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.11.1ubuntu3.1 OR Release section Ubuntu 8.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.11ubuntu5.8.04.5 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.61ubuntu5.1 OR Release section Ubuntu 10.10 is installed AND Installed architecture is all AND devscripts DPKG is earlier than 2.10.67ubuntu1.1

Definition Id: oval:org.mitre.oval:def:18171

Oval ID:	oval:org.mitre.oval:def:18171
Title:	USN-1593-1 -- devscripts vulnerabilities
Description:	Several security issues were fixed in devscripts.
Family:	unix	Class:	patch
Reference(s):	USN-1593-1 CVE-2012-0212 CVE-2012-2240 CVE-2012-2241 CVE-2012-2242 CVE-2012-3500	Version:	9
Platform(s):	Ubuntu 12.04 Ubuntu 11.10 Ubuntu 11.04 Ubuntu 10.04	Product(s):	devscripts
Definition Synopsis:
Release section Ubuntu 12.04 is installed AND devscripts DPKG is earlier than 2.11.6ubuntu1.4 AND Release section Ubuntu 11.10 is installed AND devscripts DPKG is earlier than 2.11.1ubuntu3.2 AND Release section Ubuntu 11.04 is installed AND devscripts DPKG is earlier than 2.10.69ubuntu2.2 AND Release section Ubuntu 10.04 is installed AND devscripts DPKG is earlier than 2.10.61ubuntu5.3

Definition Id: oval:org.mitre.oval:def:20054

Oval ID:	oval:org.mitre.oval:def:20054
Title:	DSA-2549-1 devscripts - multiple
Description:	Multiple vulnerabilities have been discovered in devscripts, a set of scripts to make the life of a Debian Package maintainer easier. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them.
Family:	unix	Class:	patch
Reference(s):	DSA-2549-1 CVE-2012-2240 CVE-2012-2241 CVE-2012-2242 CVE-2012-3500	Version:	7
Platform(s):	Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	devscripts
Definition Synopsis:
Debian 6.0 is installed GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND devscripts DPKG is earlier than 0:2.10.69+squeeze4

CPE : Common Platform Enumeration

Type	Description	Count
Application	Devscripts Devel Team Devscripts cpe:2.3:a:devscripts_devel_team:devscripts:2.9.27:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.9.26:etch2:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.9.26:etch5:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.9.26:etch4:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.9.26:etch1:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.9.25:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.9.24:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.9.23:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.9.22:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.9.21:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.8.14:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.7.0:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.12.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.12.0:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.9:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.8:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.7:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.6:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.5:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.4:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.3:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.2:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.11.0:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.9:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.8:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.72:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.71:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.70:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.7:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.69:squeeze2:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.10.69:squeeze1:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.10.69:squeeze3:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.10.69:squeeze4:::::: cpe:2.3:a:devscripts_devel_team:devscripts:2.10.69:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.68:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.67:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.66:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.65.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.64:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.63:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.62:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.61:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.60:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.6:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.59:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.58:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.57:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.56:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.55:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.54:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.53:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.52:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.51:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.50:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.49:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.48:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.47:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.46:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.45:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.44:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.43:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.42:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.41:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.40:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.39:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.38:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.36:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.35:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.34:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.33:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.32:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.31:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.30:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.3:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.29:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.28:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.27:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.26:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.25:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.24:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.23:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.22:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.21:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.20:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.19:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.18.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.18:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.17:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.16:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.15:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.14:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.13:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.12:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.11:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.10:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.1:::::::* cpe:2.3:a:devscripts_devel_team:devscripts:2.10.0:::::::* cpe:2.3:a:devscripts_devel_team:devscripts::::::::	99
Application	Fedora Rpmdevtools cpe:2.3:a:fedora:rpmdevtools:8.2-1:::::::*	1

OpenVAS Exploits

Date	Description
2012-10-03	Name : Ubuntu Update for devscripts USN-1593-1 File : nvt/gb_ubuntu_USN_1593_1.nasl
2012-09-19	Name : Debian Security Advisory DSA 2549-1 (devscripts) File : nvt/deb_2549_1.nasl
2012-09-17	Name : Fedora Update for rpmdevtools FEDORA-2012-13234 File : nvt/gb_fedora_2012_13234_rpmdevtools_fc17.nasl
2012-09-17	Name : Fedora Update for rpmdevtools FEDORA-2012-13263 File : nvt/gb_fedora_2012_13263_rpmdevtools_fc16.nasl
2012-03-12	Name : Debian Security Advisory DSA 2409-1 (devscripts) File : nvt/deb_2409_1.nasl
2012-02-21	Name : Ubuntu Update for devscripts USN-1366-1 File : nvt/gb_ubuntu_USN_1366_1.nasl

Nessus® Vulnerability Scanner

Date	Description
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2012-757.nasl - Type : ACT_GATHER_INFO
2013-04-20	Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2013-123.nasl - Type : ACT_GATHER_INFO
2012-10-03	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1593-1.nasl - Type : ACT_GATHER_INFO
2012-09-18	Name : The remote Fedora host is missing a security update. File : fedora_2012-13208.nasl - Type : ACT_GATHER_INFO
2012-09-17	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2549.nasl - Type : ACT_GATHER_INFO
2012-09-12	Name : The remote Fedora host is missing a security update. File : fedora_2012-13234.nasl - Type : ACT_GATHER_INFO
2012-09-12	Name : The remote Fedora host is missing a security update. File : fedora_2012-13263.nasl - Type : ACT_GATHER_INFO
2012-02-16	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2409.nasl - Type : ACT_GATHER_INFO
2012-02-16	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1366-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:00:50	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	5
Oval ID(s)	4
CPE ID(s)	100
Openvas Exploit(s)	6
Nessus® Exploit(s)	9

	Related
9.3	CVE-2012-0212
7.5	CVE-2012-2240
6.8	CVE-2012-2242
5	CVE-2012-2241
1.2	CVE-2012-3500
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)

9.3 - USN-1593-1

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU