Package: src:sugar-physics-activity
Version: 7+dfsg-1.3
Severity: critical

    UPSTREAM_VERSION ?=$(shell uscan --dehs | sed -n 's/.*<upstream-version>\(.*\)<\/upstream-version>.*/\1/p')
    [...]
    clean::
    [...]
            rm -rf Physics-${UPSTREAM_VERSION}
So it uses the network (though a build without network access doesn't fail), it downloads an unnecessary file, it looks for the latest version instead of the package's version, and it puts untrusted network input straight into an rm command.

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
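As an added example, not code from the report or from the package, the following POSIX sh shows the offline alternative the report argues for: take the version from the package's own version string (the value dpkg-parsechangelog -SVersion prints for the source package) and validate it before it is ever interpolated into the Physics-<version> path that rm -rf removes. The function names and the sample inputs are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the package): derive the upstream
# version from the package's own Debian version string, offline, and validate
# it before it can become part of a path passed to rm -rf.

# Strip the Debian revision ("7+dfsg-1.3" -> "7+dfsg"). The input is the
# string dpkg-parsechangelog -SVersion prints; no network access is needed.
upstream_version() {
    printf '%s\n' "${1%-*}"
}

# Accept only what Debian policy allows in an upstream version: a leading
# digit, then letters, digits, '.', '+', '~' and '-'. Anything else (spaces,
# slashes, shell metacharacters) is rejected so that an unexpected value can
# never be turned into a directory name.
validate_version() {
    case "$1" in
        [0-9]*) ;;                          # must start with a digit
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.+~-]*) return 1 ;;     # contains a disallowed character
    esac
    return 0
}

# Print the directory name the clean target would remove, but only when the
# version survived validation; otherwise fail without printing anything.
physics_dir() {
    v=$(upstream_version "$1")
    validate_version "$v" || return 1
    printf 'Physics-%s\n' "$v"
}

# Constructed sample inputs: the packaged version and a hostile-looking value.
physics_dir '7+dfsg-1.3'                    # Physics-7+dfsg
physics_dir '../../outside-1' || echo 'rejected: not a valid upstream version' >&2
```

Wiring this into the clean target means `rm -rf "Physics-$(upstream_version ...)"` only runs on a value that has already passed validate_version, and the build no longer depends on uscan or the network at all.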