Your message dated Sun, 15 Jun 2014 21:33:14 +0000
with message-id <[email protected]>
and subject line Bug#749183: fixed in dpkg 1.16.15
has caused the Debian Bug report #749183,
regarding dpkg-source: Directory traversal on unpack through Index: pseudo-header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
749183: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg-dev
Version: 1.3.0
Severity: important
Tags: security

Hi!

The Dpkg::Source::Patch module does not properly parse and validate
patches, and lets doctored patches through that:

 * use an «Index:» pseudo-header with a pathname that does a directory
   traversal, and
 * have either
   - no «--- » and «+++ » header lines, or
   - have only a «+++ » with an empty pathname.

For example:

,--- exploit.patch ---
Index: index/symlink/index-file
@@ -0,0 +1,1 @@
+Escaped
`---

or

,--- exploit.patch ---
Index: index/symlink/index-file
+++
@@ -0,0 +1,1 @@
+Escaped
`---

where «symlink» is a symbolic link in the source root directory allowing
the directory traversal.

The semantics on when to use which pathname here [G] are slightly
different than what GNU patch does on POSIX mode [P], because we
explicitly disable POSIX mode on invocation.

[G] Please refer to GNU patch 2.7.1 src/pch.c intuit_diff_type().
[P] <http://pubs.opengroup.org/onlinepubs/9699919799/utilities/patch.html>

This should mainly affect unpacking source packages from untrusted
origins, so should not affect packages coming from the Debian archive
for example.

The version is the one when dpkg-source was introduced. The one
introducing the currently used patch parsing code was 1.13.9.

This is filed publicly now to ease the process of getting a CVE id,
patches for this and the other security issue have been created and are
pending for upload, once the id has been assigned.

Thanks,
Guillem
--- End Message ---
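A defensive header check written for this report, as an added example and not dpkg's own code: it parses the Index:, --- and +++ headers of a unified diff, refuses any file block that lacks usable ---/+++ pathnames (the fallback to Index: that the two doctored patches in the report rely on), and resolves the target path against the source root so that a symlink pointing outside it is caught before anything is written. It assumes patches are applied with -p1; the demo() function builds its own throwaway source tree with an escaping symlink, and its sample patches are constructed (the first two reproduce the report's examples).

```python
import os
import re
import tempfile

def parse_file_headers(patch_text):
    """One dict per patched file: Index:, --- and +++ pathnames before its first hunk."""
    files, hdr, remaining = [], {}, 0
    for line in patch_text.splitlines():
        if remaining > 0:  # inside a hunk body; '\ No newline...' lines count for nothing
            remaining -= 0 if line.startswith("\\") else (1 if line[:1] in ("+", "-") else 2)
        elif m := re.match(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@", line):
            if hdr:  # first hunk of this file block: its headers are complete
                files.append(hdr); hdr = {}
            remaining = int(m.group(1) or 1) + int(m.group(2) or 1)
        elif line.startswith("Index: "):
            hdr = {"index": line[7:].strip()}
        elif line.startswith("--- "):
            hdr["old"] = line[4:].split("\t")[0].strip()
        elif line == "+++" or line.startswith("+++ "):  # bare '+++' means an empty pathname
            hdr["new"] = line[4:].split("\t")[0].strip()
    return files

def check_patch(patch_text, source_root):
    """Return (pathname, reason) for every file block an unpacker must refuse to apply."""
    root, problems = os.path.realpath(source_root), []
    for hdr in parse_file_headers(patch_text):
        old, new = hdr.get("old", ""), hdr.get("new", "")
        target = old if new == "/dev/null" else new  # deletion patches name the old file
        rel = target.split("/", 1)[1] if "/" in target else target  # assumed -p1 stripping
        if not old or not new:  # GNU patch would fall back to the Index: pseudo-header
            problems.append((hdr.get("index", "<none>"), "missing --- / +++ pathname"))
        elif os.path.isabs(target) or ".." in rel.split("/"):
            problems.append((target, "absolute path or '..' component"))
        elif not os.path.realpath(os.path.join(root, rel)).startswith(root + os.sep):
            problems.append((target, "resolves outside the source root"))  # via a symlink
    return problems

def demo():
    """Constructed sample tree: a source root 'pkg' holding a symlink that escapes it."""
    root = os.path.join(tempfile.mkdtemp(), "pkg")
    os.mkdir(root)
    os.symlink(os.path.dirname(root), os.path.join(root, "symlink"))
    patches = {  # the first two are the report's doctored patches, verbatim
        "no_headers": "Index: index/symlink/index-file\n@@ -0,0 +1,1 @@\n+Escaped\n",
        "empty_plus": "Index: index/symlink/index-file\n+++\n@@ -0,0 +1,1 @@\n+Escaped\n",
        "via_symlink": "--- a/symlink/x\n+++ b/symlink/x\n@@ -0,0 +1,1 @@\n+Escaped\n",
        "benign": "--- a/README\n+++ b/README\n@@ -1 +1 @@\n-old\n+new\n",
    }
    return {name: check_patch(p, root) for name, p in patches.items()}
```

Calling demo() flags the three hostile patches and returns an empty list for the benign one; only the "benign" block would be handed to patch.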
--- Begin Message ---
Source: dpkg
Source-Version: 1.16.15

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Thu, 05 Jun 2014 22:24:36 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.15
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
 dpkg         - Debian package management system
 dpkg-dev     - Debian package development tools
 dselect      - Debian package management front-end
 libdpkg-dev  - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes:
 dpkg (1.16.15) wheezy-security; urgency=high
 .
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <[email protected]> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on
     published and ended up being just a subset of the other non-reported
     issue. Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 .
   [ Updated programs translations ]
   * Merge translated strings from master.
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated man page translations ]
   * Merge translated strings from master.
   * Unfuzzy or update trivial translations (Guillem Jover).
--- End Message ---

