Your message dated Tue, 17 Jun 2014 12:49:29 +0000
with message-id <[email protected]>
and subject line Bug#746498: fixed in dpkg 1.15.11
has caused the Debian Bug report #746498,
regarding dpkg-source: Directory traversal on unpack through missing --- header line
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
746498: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.15.8.13 1.16.12
Tags: security
Directory traversal was already possible. I have suggested a solution.
That is the way I fixed it: dry run, let the patch tool say what files
will be touched. Another solution would be to stop using an external
tool.
I will wait two days before releasing one of the exploit packages.
smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.15.11
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 05 Jun 2014 22:52:45 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.15.11
Distribution: squeeze-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes:
dpkg (1.15.11) squeeze-security; urgency=high
.
[ Guillem Jover ]
* Test suite:
- Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
- Add test case for patch disabling hunks; not security sensitive.
* Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
traversal attempts from hostile source packages when unpacking them.
Reported by Javier Serrano Polo <[email protected]> as an unspecified
directory traversal; meanwhile also independently found by me both
#749183 and what was supposed to be #746498, which was later on published
and ended up being just a subset of the other non-reported issue.
Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
Checksums-Sha1:
4426c4d44a6c6c7c8eb21ad6e149d4b8bc71ec0e 1844 dpkg_1.15.11.dsc
0d562e96d4df9592a8b96bfc76b19be91e88beee 5269052 dpkg_1.15.11.tar.bz2
641c051ee3adebdd4a76222b0a9b0d59fc2d950d 440340 libdpkg-dev_1.15.11_amd64.deb
095bd30806da1bad9e231c3910ac13430e2d7728 2401838 dpkg_1.15.11_amd64.deb
52ea8293218b9a00764a2517eb1d62da1dfccb85 908748 dselect_1.15.11_amd64.deb
1c3b37c6157816a79674fcab8323d929bbeee11d 815412 dpkg-dev_1.15.11_all.deb
71dfa4767c572e62d041c6ab3cf5f0c86571a030 697686 libdpkg-perl_1.15.11_all.deb
Checksums-Sha256:
207f68ed5ef4888e26f1918c84a3400fa32fd09ad098600ff7b4b9e6d8398c63 1844 dpkg_1.15.11.dsc
7db2e5e23147e4159d95345dce420236a4af2c0ecff0a38dadee35160bb6f739 5269052 dpkg_1.15.11.tar.bz2
9b9f1eb8f2536e8be4d4a9157f6262dff4f277285de1c25dc34fa2bc2df4cf72 440340 libdpkg-dev_1.15.11_amd64.deb
b8921f46999dee2a1c48e08daf45d704de9951dff2879afabd458b341c402ed2 2401838 dpkg_1.15.11_amd64.deb
0fd10aee9a03794e82530793b2ba71ff1b634b077d1d2475b259364a5debcb5b 908748 dselect_1.15.11_amd64.deb
e0a6b0b3a506e5c48c7dfa5d439e645ad0416980c3c28f2c70ae4bdd3d8374e6 815412 dpkg-dev_1.15.11_all.deb
afa97dfcddbf8a0856701622159a4711a8d471f9cacd9e0de1ba44b91ef0eba6 697686 libdpkg-perl_1.15.11_all.deb
Files:
ed3eaf21406b5cf68c7e497dad16b8d7 1844 admin required dpkg_1.15.11.dsc
92f54904ddc5b63f01308d181d8fcdf4 5269052 admin required dpkg_1.15.11.tar.bz2
49bd29615ce3eb1cfc9409d601770cad 440340 libdevel optional libdpkg-dev_1.15.11_amd64.deb
790ecea2ea1793a396df0ad254f00df0 2401838 admin required dpkg_1.15.11_amd64.deb
2548575c77fced8d6ef1dd5f78871a4d 908748 admin optional dselect_1.15.11_amd64.deb
68c22adf6501b43523510c606a0366f4 815412 utils optional dpkg-dev_1.15.11_all.deb
5569fd703e0c43f304b232108e4de210 697686 perl optional libdpkg-perl_1.15.11_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
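The changelog entry above states the fix in one sentence: take the files a patch will touch from correctly paired ---/+++ headers, and keep them inside the unpack directory before any external patch tool is run, which is also the dry-run approach the reporter suggests in the first message. The following is an added Python example written for this page, not code from dpkg's Dpkg::Source::Patch. It reads a unified diff, refuses a +++ header that has no --- partner (the missing-header case named in the bug title), walks each hunk body by the line counts in its @@ line so that a body line beginning with --- or +++ cannot be mistaken for a file header, strips the leading path component as `patch -p1` would, and rejects any target that resolves outside the unpack directory. The three sample patches are constructed, and the unpack directory name is a placeholder.

```python
"""Added example, not dpkg's Dpkg::Source::Patch: read the files a unified diff
would write from correctly paired ---/+++ headers and confine them to the
unpack directory before any external patch tool runs."""
import os
import re

class UnsafePatch(ValueError):
    """Malformed patch, or one that would write outside the unpack directory."""

# "--- path" / "+++ path", with an optional tab-separated timestamp we ignore.
_FILE_HDR = re.compile(r'^(---|\+\+\+) ([^\t]+)')
# "@@ -start[,count] +start[,count] @@"; a missing count means 1.
_HUNK_HDR = re.compile(r'^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@')

def _strip_prefix(path, strip):
    """Drop `strip` leading components, as `patch -pN` does."""
    parts = path.split('/')
    if len(parts) <= strip:
        raise UnsafePatch('too few path components for -p%d: %r' % (strip, path))
    return '/'.join(parts[strip:])

def _confine(rel, unpack_dir):
    """Resolve `rel` under unpack_dir; refuse anything that lands outside it."""
    root = os.path.realpath(unpack_dir)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.isabs(rel) or not full.startswith(root + os.sep):
        raise UnsafePatch('path escapes the unpack directory: %r' % rel)
    return os.path.relpath(full, root)

def _skip_hunk(lines, i, old_n, new_n):
    # Consume one hunk body by counting its lines, so a body line that merely
    # starts with '---' or '+++' is never mistaken for a file header.
    while old_n > 0 or new_n > 0:
        if i >= len(lines):
            raise UnsafePatch('truncated hunk')
        line = lines[i]
        if line.startswith('\\'):          # "\ No newline at end of file"
            pass
        elif line.startswith('-'):
            old_n -= 1
        elif line.startswith('+'):
            new_n -= 1
        elif line.startswith(' ') or line == '':
            old_n -= 1
            new_n -= 1
        else:
            raise UnsafePatch('unexpected line inside hunk: %r' % line)
        i += 1
    if old_n < 0 or new_n < 0:
        raise UnsafePatch('hunk body does not match its @@ line counts')
    return i

def patch_targets(patch_text, unpack_dir, strip=1):
    """Return the unpack-relative files the patch writes, or raise UnsafePatch."""
    lines = patch_text.splitlines()
    targets, i = [], 0
    while i < len(lines):
        m = _FILE_HDR.match(lines[i])
        if not m:
            i += 1                         # commentary between files
            continue
        if m.group(1) == '+++':
            raise UnsafePatch('"+++" header without a preceding "---" (line %d)' % (i + 1))
        m2 = _FILE_HDR.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not m2 or m2.group(1) != '+++':
            raise UnsafePatch('"---" header not followed by "+++" (line %d)' % (i + 1))
        old, new = m.group(2), m2.group(2)
        target = old if new == '/dev/null' else new   # a deletion writes the old name
        if target == '/dev/null':
            raise UnsafePatch('both sides of a file header are /dev/null')
        targets.append(_confine(_strip_prefix(target, strip), unpack_dir))
        i += 2
        while i < len(lines):              # walk every hunk of this file
            h = _HUNK_HDR.match(lines[i])
            if not h:
                break
            old_n, new_n = (int(g) if g is not None else 1 for g in h.groups())
            i = _skip_hunk(lines, i + 1, old_n, new_n)
    if not targets:
        raise UnsafePatch('no file headers found')
    return targets

def is_safe(patch_text, unpack_dir, strip=1):
    try:
        patch_targets(patch_text, unpack_dir, strip)
        return True
    except UnsafePatch:
        return False

# Constructed sample patches, not taken from the bug report.
GOOD_PATCH = (
    "--- a/debian/changelog\t2014-06-05 22:52:45 +0200\n"
    "+++ b/debian/changelog\t2014-06-05 22:52:46 +0200\n"
    "@@ -1,3 +1,3 @@\n dpkg (1.15.11) squeeze-security; urgency=high\n"
    "--- this removed line looks like a header but is hunk body\n"
    "+++ so does this added line\n .\n"
    "--- /dev/null\n+++ b/debian/NEWS\n@@ -0,0 +1 @@\n+new file\n"
)
ESCAPING_PATCH = "--- a/debian/rules\n+++ b/../escaped\n@@ -0,0 +1 @@\n+x\n"
HEADLESS_PATCH = "+++ b/debian/rules\n@@ -0,0 +1 @@\n+x\n"   # no '---' partner

if __name__ == '__main__':
    unpack = '/tmp/unpack-example'   # placeholder unpack directory
    print(patch_targets(GOOD_PATCH, unpack))   # ['debian/changelog', 'debian/NEWS']
    print(is_safe(ESCAPING_PATCH, unpack), is_safe(HEADLESS_PATCH, unpack))  # False False
```

The check is meant to run before the real patch tool, on the patch text alone: `patch_targets` either returns the list of files the patch will write or raises, so an unpacker can stop without having created anything. Because `_confine` uses `os.path.realpath`, a target that passes through a symlink already present in the tree is resolved and judged by where it actually lands, not by how the header spells it.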