Another nice find Bernd, but package names are restricted to include only: lower case letters (a-z), digits (0-9), plus (+) and minus (-) signs, and periods (.). They must be at least two characters long and must start with an alphanumeric character.
https://www.debian.org/doc/debian-policy/ch- controlfields.html#s-f-Source Therefore I'm thinking this is a simple programming mistake and not a security bug. Thanks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1529857 Title: Possible Shell Code injection when cleaning packages To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1529857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs