The get_main_source_dir function in scripts/uscan.pl in devscripts before 2.13.8, when using USCAN_EXCLUSION, allows remote attackers to execute arbitrary commands via shell metacharacters in a directory name.
anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git%3Ba=commitdiff%3Bh=91f05b5
bugs.debian.org/cgi-bin/bugreport.cgi?bug=731849
osvdb.org/100855
seclists.org/oss-sec/2013/q4/470
seclists.org/oss-sec/2013/q4/486
www.securityfocus.com/bid/64241
bugzilla.redhat.com/show_bug.cgi?id=1040266
exchange.xforce.ibmcloud.com/vulnerabilities/89666