CVE-2012-1095

Published: 6 February 2014

osc before 0.134 might allow remote OBS repository servers or package maintainers to execute arbitrary commands via a crafted (1) build log or (2) build status that contains an escape sequence for a terminal emulator.

Priority

Status

Package	Release	Status
osc Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Ignored (end of life)
	maverick	Ignored (end of life)
	natty	Ignored (end of life)
	oneiric	Ignored (end of life)
	precise	Released (0.132.6-1ubuntu0.1)
	quantal	Not vulnerable (0.134.1-2)
	raring	Not vulnerable (0.134.1-2)
	upstream	Released (0.134.0)
	Patches: upstream: https://github.com/openSUSE/osc/commit/effe3835ba65745f51dbb579af4ea3556d2ab597.patch

References

https://www.cve.org/CVERecord?id=CVE-2012-1095
NVD
Launchpad
Debian

Bugs

https://bugzilla.novell.com/show_bug.cgi?id=749335
https://bugzilla.redhat.com/show_bug.cgi?id=798353
https://bugs.launchpad.net/ubuntu/+source/osc/+bug/1197639

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›