Fwd: Re: [scr330159] lintian - 2.5.41, not fixed yet
#861958 is now known as CVE-2017-8829 per following mail from
cve-request@mitre.org.
-------- Forwarded Message --------
Subject: Re: [scr330159] lintian - 2.5.41, not fixed yet
Date: Sun, 7 May 2017 23:06:53 -0400
From: cve-request@mitre.org
To: niels@thykier.net
CC: cve-request@mitre.org
> [Suggested description]
> Deserialization vulnerability in lintian through 2.5.50.3
> allows attackers to trigger code execution by requesting a review of
> a source package with a crafted YAML file.
>
> ------------------------------------------
>
> [Additional Information]
> The issue is already public. It affects Debian unstable (development),
> testing (development) and stable-backports plus Ubuntu xenial,
> yakkety, zesty, artful (development). Other Debian-based distros may
> be affected as well. This product is maintained at
> https://anonscm.debian.org/cgit/lintian/lintian.git
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Code execution via YAML deserialization
>
> ------------------------------------------
>
> [Vendor of Product]
> Debian, Ubuntu
>
> ------------------------------------------
>
> [Affected Product Code Base]
> lintian - 2.5.41, not fixed yet
>
> ------------------------------------------
>
> [Attack Type Other]
> Needs to make victim run lintian on source package with crafted YAML file
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Needs to make victim run lintian on source package with crafted YAML file
>
> ------------------------------------------
>
> [Reference]
> https://bugs.debian.org/861958
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Jakub Wilk (Debian)
Use CVE-2017-8829.
Reply to: