Your message dated Sun, 15 Jun 2014 21:33:14 +0000
with message-id <[email protected]>
and subject line Bug#746498: fixed in dpkg 1.16.15
has caused the Debian Bug report #746498,
regarding dpkg-source: Directory traversal on unpack through missing --- header line
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
746498: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.15.8.13 1.16.12
Tags: security

Directory traversal was already possible. I have suggested a solution.
That is the way I fixed it: dry run, let the patch tool say what files
will be touched. Another solution would be to stop using an external
tool.

I will wait two days before releasing one of the exploit packages.

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.16.15

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Jun 2014 22:24:36 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.15
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes: 
 dpkg (1.16.15) wheezy-security; urgency=high
 .
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <[email protected]> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 .
   [ Updated programs translations ]
   * Merge translated strings from master.
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated man page translations ]
   * Merge translated strings from master.
   * Unfuzzy or update trivial translations (Guillem Jover).
Checksums-Sha1: 
 be105c05324861a6864c782031ee04a9e52f1ca5 2016 dpkg_1.16.15.dsc
 c034f88c1ea9d8df7c5a84cc04bb7749e2b3617a 3800328 dpkg_1.16.15.tar.xz
 7dfd3227baecfe2ad664d50d6a55ba4f9cf83b02 696352 libdpkg-dev_1.16.15_amd64.deb
 7d947c681e58819378f602b285bb4fbc5ecce669 2656714 dpkg_1.16.15_amd64.deb
 52e908a53fda707b37479dbb5268dd878a8ef412 1159292 dselect_1.16.15_amd64.deb
 113be782cd7f9c6b9e3b55c55ecf50be1ca0d95e 1355958 dpkg-dev_1.16.15_all.deb
 47c95b017e2d3f914921bbf721e264312d815f0b 957964 libdpkg-perl_1.16.15_all.deb
Checksums-Sha256: 
 00f01b04878d80d40e8d9420e5d35200101c5201f4fad36d4197a50a1d4c465d 2016 dpkg_1.16.15.dsc
 92bca9901ba2d9300be42f6de8dbea59b8367a918a2abeeb47d2176c9cf86b55 3800328 dpkg_1.16.15.tar.xz
 cf9fd73f4c8f54451ed9f2418737e232c0c9dc8907867af22c96ba649e60d248 696352 libdpkg-dev_1.16.15_amd64.deb
 47831eef504efd77a3998a5fecea04c278ba4d5512405e9da42008f38d726413 2656714 dpkg_1.16.15_amd64.deb
 4370e54fd4743969ffb86b53905ed7b96f8735eb0e9367a25eab98223306be88 1159292 dselect_1.16.15_amd64.deb
 ac4b9142ba4653faed8b902a39115a97ecc40ded51e67d01634f19389a39ba17 1355958 dpkg-dev_1.16.15_all.deb
 18a40e9f826f7ada39a03356924b86f14cc342e2ee0209459e394c89095b8073 957964 libdpkg-perl_1.16.15_all.deb
Files: 
 3e0e5af42ed579f3bf721ea1a7020033 2016 admin required dpkg_1.16.15.dsc
 0e7d105a57839cdab2b0bf5e3612442f 3800328 admin required dpkg_1.16.15.tar.xz
 8db3cf1534386da5215c1916ba1fa38a 696352 libdevel optional libdpkg-dev_1.16.15_amd64.deb
 11948b8a099f6e51b8deea79f4b92916 2656714 admin required dpkg_1.16.15_amd64.deb
 7f4a898524458a347e24297b50639b7f 1159292 admin optional dselect_1.16.15_amd64.deb
 4ad8e09db95f05eaa558ee621954be53 1355958 utils optional dpkg-dev_1.16.15_all.deb
 b098ae11ce598105b700dbba5613f781 957964 perl optional libdpkg-perl_1.16.15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCAAGBQJTkN8dAAoJELlyvz6krlejp14P/iqmUqt7Kk2B4AxPaOEONHkY
Pe9lT/72tUfvWq1q3Xws2RH7kyf9EgbXPtzljkD+mwEq3pVstSfhgzbmgbafRpti
kxDRrgRx2szQDW5YwKQtoDjpcnoaNg+2XXTFW/bZ2BQ1tWkIEyTacdhKhECenU2G
xw9/jQAvLClex9G1AE09LtyBR50IJVL2yPgCSUUu6stzVMcJPt8Zr9wGXDlc0Bq8
CwNA6wjNQOZQNsAFKAwIgRNKRDjGbCaqGJkTIJzw5kzoHMoR4SBKclHfVbC24nBg
VYEEdkj1E4/kYuNcYrCW3iJP5PuQKTfsu21IowORf1htN4T+07mPBZ/Gy90j0OfS
6oGMPfzzrntEBjSKuz4n50f8pwUHMYNxzTyVSb/XaBWPMeasrZs85sc8si11VvMa
LnxAyV9pCXXhKW9zqoojtsOLcz6cm/ypk1Pua9UaEsy+317Cv76fhqWJFpvzHFRV
52UtjxNRwojFtPUnloJ4HXIVe227hZ8JhRWxL8ottOpVYlphCHAzv7n8hIFMv/c8
ZVvZitX2dQBMrFBoMNbFI5YTjIQ7rACSjpZsHQdY4A9BDjsrNZBNW4bD9e1O20wi
vHM6wXi6ujzBjQ/POAYu1fdBb514R4ihFrG2iUvPF6EKaJAEJAgU+rY9PuiiA2Vw
wK84p9QsUKk8IOMJo7Vq
=HssJ
-----END PGP SIGNATURE-----

--- End Message ---
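The report above suggests checking what the patch tool will touch before applying anything, and the changelog's fix is to parse the patch headers correctly in Dpkg::Source::Patch. As an added illustration, not dpkg's own code (which is the Perl module named in the changelog), here is a Python checker that performs that pre-application check: it requires a `---` header before every `+++` header (the missing header line named in the bug title), strips one leading path component as `patch -p1` would (an assumption about how the patch is later applied), and rejects any target that is absolute, contains `..`, or resolves through a symlink to a location outside the unpack directory. The sample patches, file names and the `check_patch`/`demo` functions are constructed for this example.

```python
import os
import re
import tempfile

# Assumption for this example: patches are applied with -p1, so one leading
# path component ("a/", "b/") is dropped before the path is used.
STRIP_LEVEL = 1


class UnsafePatch(ValueError):
    """Raised when a patch header would make the patch tool write outside root."""


def _header_path(line):
    """Path from a '--- ' or '+++ ' header line; drop any tab-separated timestamp."""
    return line[4:].split('\t', 1)[0]


def _strip(path, level=STRIP_LEVEL):
    """Drop the first `level` components, like patch -pN; 'b//etc/x' -> '/etc/x'."""
    for _ in range(level):
        if '/' not in path:
            raise UnsafePatch("not enough path components to strip: %r" % path)
        path = path.split('/', 1)[1]
    return path


def _contained(root, rel):
    """True if root/rel resolves inside root; realpath also follows symlinked parents."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel))
    return target.startswith(root_real + os.sep)


def check_patch(patch_text, root):
    """Return the files the patch would touch (relative to root) or raise UnsafePatch.

    A real parser would also track '@@' hunk line counts so that removed or added
    content lines beginning with '-- ' / '++ ' are never mistaken for headers;
    this constructed example only looks at the header pair.
    """
    lines = patch_text.splitlines()
    touched = []
    for i, line in enumerate(lines):
        if not line.startswith('+++ '):
            continue
        if i == 0 or not lines[i - 1].startswith('--- '):
            raise UnsafePatch("'+++' header at line %d has no '---' header" % (i + 1))
        for header in (lines[i - 1], line):
            raw = _header_path(header)
            if raw.startswith('"'):
                raise UnsafePatch("quoted file names are not accepted: %r" % raw)
            if raw == '/dev/null':
                continue  # creation/deletion marker; nothing is written there
            rel = _strip(raw)
            if os.path.isabs(rel) or '..' in rel.split('/') or not _contained(root, rel):
                raise UnsafePatch("path escapes unpack directory: %r" % raw)
        target = _header_path(line)
        if target == '/dev/null':  # deletion: the touched file is the '---' one
            target = _header_path(lines[i - 1])
        touched.append(_strip(target))
    return touched


# Constructed sample patches (not taken from the bug report).
GOOD_PATCH = "--- a/debian/rules\n+++ b/debian/rules\n@@ -1 +1 @@\n-old\n+new\n" \
             "--- a/debian/obsolete\n+++ /dev/null\n@@ -1 +0,0 @@\n-gone\n"
MISSING_HEADER_PATCH = "+++ b/../../outside\n@@ -0,0 +1 @@\n+x\n"
TRAVERSAL_PATCH = "--- a/../../outside\n+++ b/../../outside\n@@ -0,0 +1 @@\n+x\n"
ABSOLUTE_PATCH = "--- /dev/null\n+++ b//etc/outside\n@@ -0,0 +1 @@\n+x\n"
SYMLINK_PATCH = "--- a/out/x\n+++ b/out/x\n@@ -1 +1 @@\n-old\n+new\n"


def demo():
    """Run the checker on the constructed patches in a scratch unpack directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results['good'] = check_patch(GOOD_PATCH, root)
        cases = [('missing_header', MISSING_HEADER_PATCH),
                 ('traversal', TRAVERSAL_PATCH),
                 ('absolute', ABSOLUTE_PATCH)]
        # A symlink inside the unpack dir pointing outside it: no '..' appears
        # in the header, so only the realpath containment check catches it.
        os.symlink(os.path.dirname(root), os.path.join(root, 'out'))
        cases.append(('symlink', SYMLINK_PATCH))
        for name, text in cases:
            try:
                check_patch(text, root)
                results[name] = 'accepted'
            except UnsafePatch:
                results[name] = 'rejected'
    return results


if __name__ == '__main__':
    for name, outcome in demo().items():
        print(name, outcome)
```

The `..` check and the absolute-path check cover what a header can say directly; the `realpath` containment check is what catches the indirect case where an earlier, innocent-looking patch in the series has already created a symlink that points out of the tree.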
