Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : devscripts vulnerabilities (USN-1593-1)

Ubuntu Security Notice (C) 2012-2014 Canonical, Inc. / NASL script (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Raphael Geissert discovered that the debdiff.pl tool incorrectly
handled shell metacharacters. If a user or automated system were
tricked into processing a specially crafted filename, a remote
attacker could possibly execute arbitrary code. (CVE-2012-0212)

Raphael Geissert discovered that the dscverify tool incorrectly
escaped arguments to external commands. If a user or automated system
were tricked into processing specially crafted files, a remote
attacker could possibly execute arbitrary code. (CVE-2012-2240)

Raphael Geissert discovered that the dget tool incorrectly performed
input validation. If a user or automated system were tricked into
processing specially crafted files, a remote attacker could delete
arbitrary files. (CVE-2012-2241)

Raphael Geissert discovered that the dget tool incorrectly escaped
arguments to external commands. If a user or automated system were
tricked into processing specially crafted files, a remote attacker
could possibly execute arbitrary code. This issue only affected Ubuntu
10.04 LTS and Ubuntu 11.04. (CVE-2012-2242)

Jim Meyering discovered that the annotate-output tool incorrectly
handled temporary files. A local attacker could use this flaw to alter
files being processed by the annotate-output tool. On Ubuntu 11.04 and
later, this issue was mitigated by the Yama kernel symlink
restrictions. (CVE-2012-3500).

Solution :

Update the affected devscripts package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 62411 ()

Bugtraq ID: 52029
55358
55564

CVE ID: CVE-2012-0212
CVE-2012-2240
CVE-2012-2241
CVE-2012-2242
CVE-2012-3500