CVE-2025-8454

Name: CVE-2025-8454
Description: It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian package maintainer easier), skips OpenPGP verification if the upstream source has already been downloaded by a previous run, even if verification failed at that time. A tarball that failed signature verification once is therefore treated as verified on every later run that finds it already present.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1109251
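The flaw the description refers to is a "file already present" check placed ahead of the signature check. The following is an added example, not code from uscan or devscripts: a Python model in which an HMAC stands in for the OpenPGP signature (uscan itself is Perl and calls gpgv) and an in-memory dict stands in for the upstream site. The vulnerable fetcher reports success on the second run purely because a file with the expected name exists, even though that file failed verification when it was downloaded; the hardened variant re-verifies cached files, deletes anything that fails, and only commits a download to its final name after it verifies. All names (fetch_vulnerable, fetch_hardened, run_twice, the sample tarball and key) are constructed for this illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Constructed stand-in for the upstream OpenPGP signing key; real uscan checks a
# detached OpenPGP signature with gpgv, this model uses an HMAC so it runs offline.
UPSTREAM_KEY = b"upstream-signing-key"


def sign(data: bytes) -> bytes:
    """Stand-in for upstream's detached signature over the tarball (HMAC, not OpenPGP)."""
    return hmac.new(UPSTREAM_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    """Stand-in for OpenPGP verification of the tarball against the packaging keyring."""
    return hmac.compare_digest(sign(data), sig)


def fetch_vulnerable(workdir: Path, served: Dict[str, Tuple[bytes, bytes]], name: str) -> bool:
    """Flow with the CVE-2025-8454 flaw: an existing local copy short-circuits the
    whole download step, signature check included, whatever happened last run."""
    tarball = workdir / name
    sigfile = workdir / (name + ".asc")
    if tarball.exists():
        return True                       # cache hit: verification never runs
    data, sig = served[name]
    tarball.write_bytes(data)             # written before verification, kept on failure
    sigfile.write_bytes(sig)
    return verify(data, sig)


def fetch_hardened(workdir: Path, served: Dict[str, Tuple[bytes, bytes]], name: str) -> bool:
    """Hardened flow: a cached copy is re-verified on every run, anything that fails
    verification is deleted, and a fresh download only gets its final name after it
    verifies, so the file's presence really does mean it passed the check."""
    tarball = workdir / name
    sigfile = workdir / (name + ".asc")
    if tarball.exists() and sigfile.exists():
        data, sig = tarball.read_bytes(), sigfile.read_bytes()
    else:
        data, sig = served[name]
        sigfile.write_bytes(sig)
    if not verify(data, sig):
        tarball.unlink(missing_ok=True)   # never leave an unverified tarball behind
        sigfile.unlink(missing_ok=True)
        return False
    if not tarball.exists():
        partial = workdir / (name + ".part")
        partial.write_bytes(data)
        partial.rename(tarball)           # commit only after verification succeeded
    return True


def run_twice(fetch, tampered: bool) -> Tuple[bool, bool, bool]:
    """Run a fetcher twice against one work directory, as two uscan invocations would.
    Returns (first run verified, second run verified, tarball left in workdir).
    With tampered=True the site serves a modified tarball alongside the genuine
    release's signature, which is all an attacker without the upstream key can do."""
    name = "pkg_1.0.orig.tar.gz"          # constructed sample release
    genuine = b"pkg-1.0.tar.gz: genuine release contents"
    tampered_data = b"pkg-1.0.tar.gz: backdoored release contents"
    served = {name: (tampered_data if tampered else genuine, sign(genuine))}
    workdir = Path(tempfile.mkdtemp())
    first = fetch(workdir, served, name)
    second = fetch(workdir, served, name)
    return first, second, (workdir / name).exists()


if __name__ == "__main__":
    for fetch in (fetch_vulnerable, fetch_hardened):
        print(fetch.__name__, "tampered:", run_twice(fetch, True),
              "genuine:", run_twice(fetch, False))
```

With a tampered download the vulnerable fetcher returns (False, True, True): the first run reports the failure but leaves the file in place, and the second run reports success without ever looking at the signature. The hardened fetcher returns (False, False, False) for the same input and (True, True, True) for a genuine release. The design point is that the only state the second run may trust is state that was created after a successful verification, which is why the hardened variant renames the partial file into place as the last step.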

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release      Version            Status
devscripts (PTS)    bullseye     2.21.3+deb11u1     vulnerable
                    bookworm     2.23.4+deb12u2     vulnerable
                    trixie       2.25.15+deb13u1    vulnerable
                    forky, sid   2.25.19            vulnerable

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
devscripts   source   (unstable)   (unfixed)                          1109251

Notes

[trixie] - devscripts <no-dsa> (Can be fixed via a point release)
[bookworm] - devscripts <no-dsa> (Can be fixed via a point release)
[bullseye] - devscripts <postponed> (Minor issue)
