Debian devscripts
cpe:2.3:a:debian:devscripts:*:*:*:*:*:*:*
- 2.25.15
A vulnerability in the 'uscan' tool, part of the 'devscripts' package, has been identified. This tool is used by Debian package maintainers to check for new software releases. The issue arises because 'uscan' skips OpenPGP signature verification if the upstream source has already been downloaded in a previous run, even if the verification had failed. This flaw is present in 'devscripts' version 2.25.15.
The vulnerability can lead to the acceptance of improperly verified files, allowing for potential issues in package integrity and security.
To reproduce this vulnerability, use 'uscan' with the '--download-current-version' option. If the OpenPGP verification fails, 'uscan' will retain the downloaded file. In the subsequent run, 'uscan' will skip the verification for that file, incorrectly assuming it is valid. This can be confirmed by the warning message about skipping the OpenPGP check, followed by a successful repacking of the file into the expected '.orig.tar.xz' format.
Users can manually verify OpenPGP signatures before using the files in a package build. Additionally, a patch is available that modifies the 'uscan' behavior to properly handle OpenPGP verification. This patch can be applied to the 'devscripts' package.
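The flaw described above is a general one: a tarball written to disk before verification, and left there after a failed check, is later mistaken for a verified file. The following Python model is an added illustration, not uscan's source code or the Debian patch. It stands in a constructed HMAC-SHA256 tag for the detached OpenPGP signature (uscan itself calls gpgv against a keyring), and compares the flawed "skip if already downloaded" rule with a corrected rule that re-verifies the on-disk bytes on every run and removes files that fail.

```python
import hashlib
import hmac

# Constructed stand-in for OpenPGP: the "detached signature" is an HMAC-SHA256
# tag over the tarball bytes under a fixed key. Real uscan uses gpgv and a keyring.
SIGNING_KEY = b"constructed-upstream-key"


def sign(tarball: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, tarball, hashlib.sha256).digest()


def verify(tarball: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(tarball), signature)


class FlawedFetcher:
    """Skips verification whenever the tarball already exists on disk."""

    def __init__(self):
        self.on_disk = {}  # file name -> bytes; persists across runs like a download dir

    def fetch(self, name: str, tarball: bytes, signature: bytes) -> bool:
        """Return True if the tarball is accepted for repacking."""
        if name in self.on_disk:
            # Flaw: presence on disk is treated as proof of an earlier successful
            # check, but a failed check also leaves the file on disk.
            return True
        self.on_disk[name] = tarball          # file is written before verification
        return verify(tarball, signature)     # a failure here does not remove it


class FixedFetcher:
    """Verifies the on-disk bytes on every run and discards files that fail."""

    def __init__(self):
        self.on_disk = {}

    def fetch(self, name: str, tarball: bytes, signature: bytes) -> bool:
        if name not in self.on_disk:
            self.on_disk[name] = tarball
        if verify(self.on_disk[name], signature):
            return True
        del self.on_disk[name]  # never keep an unverified file for a later run to trust
        return False


def two_runs(fetcher, tarball: bytes, signature: bytes) -> list:
    """Simulate two consecutive invocations against the same download directory."""
    return [fetcher.fetch("foo-1.0.tar.gz", tarball, signature) for _ in range(2)]


def demo() -> dict:
    """Run both fetchers twice with a bad and with a good signature (constructed data)."""
    genuine = b"constructed upstream tarball contents"
    good_sig = sign(genuine)
    bad_sig = sign(b"something else")  # signature that does not match the tarball
    return {
        "flawed_bad_sig": two_runs(FlawedFetcher(), genuine, bad_sig),
        "fixed_bad_sig": two_runs(FixedFetcher(), genuine, bad_sig),
        "flawed_good_sig": two_runs(FlawedFetcher(), genuine, good_sig),
        "fixed_good_sig": two_runs(FixedFetcher(), genuine, good_sig),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: run1={result[0]} run2={result[1]}")
```

With a bad signature the flawed fetcher rejects the file on the first run but accepts it on the second, which is the behaviour the reproduction steps above describe; the fixed fetcher rejects it both times because nothing unverified survives on disk. A good signature is accepted by both on every run, so the correction costs only one extra verification per run.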