#861958 is now known as CVE-2017-8829 per following mail from cve-requ...@mitre.org.
-------- Forwarded Message --------
Subject: Re: [scr330159] lintian - 2.5.41, not fixed yet
Date: Sun, 7 May 2017 23:06:53 -0400
From: cve-requ...@mitre.org
To: ni...@thykier.net
CC: cve-requ...@mitre.org

> [Suggested description]
> Deserialization vulnerability in lintian through 2.5.50.3
> allows attackers to trigger code execution by requesting a review of
> a source package with a crafted YAML file.
>
> ------------------------------------------
>
> [Additional Information]
> The issue is already public. It affects Debian unstable (development),
> testing (development) and stable-backports plus Ubuntu xenial,
> yakkety, zesty, artful (development). Other Debian-based distros may
> be affected as well. This product is maintained at
> https://anonscm.debian.org/cgit/lintian/lintian.git
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Code execution via YAML deserialization
>
> ------------------------------------------
>
> [Vendor of Product]
> Debian, Ubuntu
>
> ------------------------------------------
>
> [Affected Product Code Base]
> lintian - 2.5.41, not fixed yet
>
> ------------------------------------------
>
> [Attack Type Other]
> Needs to make victim run lintian on source package with crafted YAML file
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Needs to make victim run lintian on source package with crafted YAML file
>
> ------------------------------------------
>
> [Reference]
> https://bugs.debian.org/861958
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Jakub Wilk (Debian)

Use CVE-2017-8829.