Description
Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Debian:Debusine is an integrated build and distribution system for Debian-based projects. Its parser for the Debian source package manifest files, .dsc and .changes, accepts fully user‑controlled paths, a flaw classified as CWE‑59. An attacker can craft a malicious package manifest that contains arbitrary pathnames. When the mergeuploads task processes such a file, it will create symbolic links on the worker node, overwriting any file that the worker process can access. This effectively allows a local uploader to overwrite critical files and potentially achieve local privilege escalation or the injection of malicious binaries into the resulting package.

Affected Systems

The vulnerability affects all current releases of Debian:Debusine that use the described parser, as the issue originates from unconstrained handling of .dsc and .changes file paths. No specific version range is listed, so any instance of Debian:Debusine that accepts and processes these manifest files without additional sanitization is affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% shows a low probability of exploitation in the wild. The flaw is not listed in CISA KEV, and no public exploit is available. Attackers must be able to upload a crafted package file, so the attack vector is local to the build environment—this inference is based on the requirement for local upload access. The risk is that a malicious package uploader could overwrite files owned by the worker, potentially enabling privilege escalation or code execution. Organizations that rely on Debian:Debusine for their distribution pipeline should evaluate the risk and deploy a patch or mitigations promptly.

Generated by OpenCVE AI on June 11, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict worker processes to the minimum privileges necessary; disable symbolic link creation on the worker filesystem if possible.
  • Implement strict validation of .dsc and .changes uploads to reject paths containing directory traversal or absolute components; consider manual review until the vulnerability is fixed.
  • Use build isolation techniques such as chroot or containerization to limit the impact of a compromised worker.

Generated by OpenCVE AI on June 11, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Controlled Path Traversal Allowing Symbolic Link Creation in Debusine Package Parser

Wed, 10 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Debusine Arbitrary Symbolic Link Creation Allows File Overwrite
Weaknesses CWE-22

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debusine
Vendors & Products Debian
Debian debusine

Wed, 10 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Title Debusine Arbitrary Symbolic Link Creation Allows File Overwrite
Weaknesses CWE-22

Wed, 10 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to.
References

Subscriptions

Debian Debusine
cve-icon MITRE

Status: PUBLISHED

Assigner: debian

Published:

Updated: 2026-06-10T18:50:09.394Z

Reserved: 2026-06-10T08:25:48.992Z

Link: CVE-2026-11853

cve-icon Vulnrichment

Updated: 2026-06-10T18:49:22.316Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T10:16:31.467

Modified: 2026-06-10T20:11:16.543

Link: CVE-2026-11853

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T00:15:27Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')