CRITICAL🇵🇱 Wersja polska

CVE-2025-8454

CVSS 9.8v3.1pub. 2025-08-01upd. 2025-08-06

It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.

🤖 AI Analysis
How it works

Uscan downloads upstream software sources and verifies their OpenPGP signatures to confirm authenticity. When a source has already been downloaded during a previous tool run, signature verification is skipped — regardless of whether the previous verification succeeded. This means that the locally stored file could be counterfeit or modified, and the tool will accept it without further checking. The bug is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Impact

An attacker who can place a modified source file in the download location can cause a Debian package maintainer to unknowingly use forged source code — potentially leading to package takeover, introduction of malicious code into the distribution, or compromise of the software build environment.

Mitigation & patch

Patches available from the vendor should be applied according to the references (https://bugs.debian.org/1109251). Until updates are available, it is recommended to manually remove locally downloaded source files before each uscan run to force re-download and signature verification.

Who is affected

Debian Devscripts — versions indicated in vendor references (uscan package); affects Debian package maintainers using the uscan tool

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian Devscripts

    APP
    Debian
    2.25.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2018-13043CRITICAL9.8ten sam produkt

scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading ...

CVE-2013-7325HIGH8.8ten sam produkt

An issue exists in uscan in devscripts before 2.13.19, which could let a remote malicious user execute arbitra...

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam vendor

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam vendor

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)