[Debconf-devel] [security] debconf: format module eval injection via debconf database configuration
Salvatore Bonaccorso
carnil at debian.org
Sat May 9 18:11:04 BST 2026
Hi Jeremy,
On Thu, May 07, 2026 at 11:28:03PM +0000, Jeremy Erazo wrote:
> Hello Debian Security Team,
>
> I'd like to report an input-validation issue in debconf 1.5.92
> (the current version in sid as of 2026-05-07) that I have
> runtime-confirmed in a fresh `debian:sid` container.
>
> I am sending privately first per Debian's security policy; if you
> determine that no embargo is needed, I'm happy to refile the
> hardening fix as a normal BTS bug. I am not requesting a CVE
> directly in this initial report; I will leave CVE handling to the
> Debian security process.
debconf-devel is not a private list, so this is by now anyway already
public via
https://alioth-lists.debian.net/pipermail/debconf-devel/2026-May/005526.html
Please file a bug directly against the package now so that the
maintainers can have a closer look and track the bugfix progress as
needed.
Regards,
Salvatore