Launchpad.net

CVE 2013-7085

Uscan in devscripts 2.13.5, when USCAN_EXCLUSION is enabled, allows remote attackers to delete arbitrary files via a whitespace character in a filename.

See the CVE page on Mitre.org for more details.