On ven., 2012-12-07 at 22:01 +0100, Joerg Jaspert wrote: > On 13053 March 1977, Arno Töll wrote: > >> Thanks for securing it quickly :) Is there any danger of the vulnerable > >> code being in use on other systems, e.g. as part of a dak install? > > Indeed, thanks for fixing the issue so fast. > > > But full disclosure FTW. Now, that the problem is fixed please share > > some details about the nature of the vulnerability. > > All our commits are open and get to the -dak list too. > The basic summary is "really old code that needs to be replaced, > really". In this case - a possible attack using the help of shell > metacharacters by a specially prepared filename due to not checking if > such characters are in the filename AND using perls open function in the > way it lets shell help it. > > My quick fix only ensured we don't have meta characters, Ansgar invested > some more time and rewrote the code in question much more. And fixed a > number of other issues too. For details there: read the commits. :) >
Is dak is present in a “released” state somewhere? Do other people use those releases? Meaning, should we ask for a CVE for this? Regards, -- Yves-Alexis -- To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1354954858.12107.8.camel@scapa
