It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
Uscan downloads upstream software sources and verifies their OpenPGP signatures to confirm authenticity. When a source has already been downloaded during a previous tool run, signature verification is skipped — regardless of whether the previous verification succeeded. This means that the locally stored file could be counterfeit or modified, and the tool will accept it without further checking. The bug is classified as CWE-347 (Improper Verification of Cryptographic Signature).
An attacker who can place a modified source file in the download location can cause a Debian package maintainer to unknowingly use forged source code — potentially leading to package takeover, introduction of malicious code into the distribution, or compromise of the software build environment.
Patches available from the vendor should be applied according to the references (https://bugs.debian.org/1109251). Until updates are available, it is recommended to manually remove locally downloaded source files before each uscan run to force re-download and signature verification.
Debian Devscripts — versions indicated in vendor references (uscan package); affects Debian package maintainers using the uscan tool
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian Devscripts
APPDebian2.25.15
Related vulnerabilities
scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading ...
An issue exists in uscan in devscripts before 2.13.19, which could let a remote malicious user execute arbitra...
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)