Package: release.debian.org
Severity: normal
Tags: trixie security
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:dpkg
User: [email protected]
Usertags: pu

Hi!

[ Reason ]

This update includes a CVE fix for a DoS and various fixes for crashes,
unhelpful error handling, and a fix for insufficient dependency
generation (on at least i386).

For the CVE the Security Team didn't deem this important enough, and
considered that it would be better to handle via a stable update.

[ Impact ]

Crashes, hangs, dependency issues, or very confusing error output.

[ Tests ]

I've been testing the CVE fix for some time now locally, over daily
upgrades with the version in unstable; for trixie, it no longer makes
dpkg-deb busy-loop with the two test .deb archives that are included
in the bug report.

For the rest, the code has been in unstable and forky for some time
now, and I re-tested against trixie:

  - «dpkg-query -S ""» no longer segfaults,
  - the verify fix with no keyring, with «dpkg-source -x *.dsc» while
    forcing removal of sqv and installing either sqop or gpgv,
  - the test above with dpkg-source and gpgv does not fail due to the
    missing import.

I did not have time to re-test the "Version References" symbols fix,
but will try to do that tomorrow.

Also, all usual unit and functional tests done as part of the automated
release process (driven by build-aux/gen-release), passed.

[ Risks ]

The changes in general are not big, and/or they have seen extensive
test coverage in unstable/forky. There were only a couple of code
adaptations required during the cherry-picks that were not involved
at all.

[ Checklist ]

  [√] *all* changes are documented in the d/changelog
  [√] I reviewed all changes and I approve them
  [√] attach debdiff against the package in (old)stable
  [√] the issue is verified as fixed in unstable

[ Changes ]

The detailed explanation of all the changes is included in the ChangeLog
in the debdiff, perhaps except for the segfault fix, which was due to
not accessing the varbuf via varbuf_str(), otherwise the other code
filling up the varbuf does not end up nul-terminating it.

[ Other info ]

As usual, I've included the full debdiff, and the following can be
used to filter all autogenerated stuff from it:

  ,---
  xzcat dpkg-1.22.21-1.22.22.debdiff.xz \
    | filterdiff -x '*.po' -x '*.pot' -x '*.in' -x '*/man/*/*.pod' \
                 -x '*/configure' -x '*/build-aux/*' -x '*/src/at/*' \
    | less
  `---

Thanks,
Guillem

Attachment: dpkg-1.22.21-1.22.22.debdiff.xz
Description: application/xz
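The segfault explanation under [ Changes ] (an appender that tracks a length but never writes a terminator, so only the str() accessor yields a valid C string) as an added C example. This is a hypothetical buffer written here for illustration, not dpkg's varbuf code; the type vbuf and the functions vbuf_add_buf, vbuf_str and vbuf_raw_terminated are assumptions, and the 16-byte input is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (assumption, not dpkg's varbuf). It models
 * the pitfall from the report: appenders only advance `used`, so the raw
 * storage is not a C string until vbuf_str() has written the terminator. */
struct vbuf {
	char *buf;    /* heap storage, not necessarily nul-terminated */
	size_t used;  /* payload bytes stored */
	size_t size;  /* bytes allocated */
};

static void vbuf_init(struct vbuf *v)
{
	v->buf = NULL;
	v->used = 0;
	v->size = 0;
}

/* Ensure room for `need` more bytes past the payload. */
static void vbuf_grow(struct vbuf *v, size_t need)
{
	size_t want = v->used + need;
	size_t nsize;

	if (want <= v->size)
		return;
	nsize = v->size ? v->size : 16;
	while (nsize < want)
		nsize *= 2;
	v->buf = realloc(v->buf, nsize);
	if (v->buf == NULL)
		abort();
	v->size = nsize;
}

/* Append raw bytes. Like the filling code the report mentions, this does
 * NOT write a terminator; the payload simply ends at v->used. */
static void vbuf_add_buf(struct vbuf *v, const char *data, size_t len)
{
	vbuf_grow(v, len);
	memcpy(v->buf + v->used, data, len);
	v->used += len;
}

/* The accessor every str*() consumer must go through: it reserves one
 * byte, writes the terminator, and only then hands out the pointer. */
static const char *vbuf_str(struct vbuf *v)
{
	vbuf_grow(v, 1);
	v->buf[v->used] = '\0';
	return v->buf;
}

/* Report, without reading outside the allocation, whether the raw storage
 * carries a terminator after the payload. Returns 0 when the payload fills
 * the allocation exactly: a strlen() on v->buf would then run off the end. */
static int vbuf_raw_terminated(const struct vbuf *v)
{
	if (v->buf == NULL || v->used >= v->size)
		return 0;
	return v->buf[v->used] == '\0';
}

/* Worked scenario: a 16-byte payload fills the initial 16-byte allocation,
 * leaving no room for a terminator. Returns the length the safe accessor
 * observes (16), after which the buffer is released. */
size_t demo_payload_length(void)
{
	struct vbuf v;
	size_t n;

	vbuf_init(&v);
	vbuf_add_buf(&v, "0123456789abcdef", 16);  /* constructed input */
	/* Here vbuf_raw_terminated(&v) == 0: never strlen(v.buf) directly. */
	n = strlen(vbuf_str(&v));
	free(v.buf);
	return n;
}

/* Returns 1 when the raw view is unterminated before vbuf_str() and
 * terminated after it, i.e. the accessor is what makes this a C string. */
int demo_accessor_terminates(void)
{
	struct vbuf v;
	int before, after;

	vbuf_init(&v);
	vbuf_add_buf(&v, "0123456789abcdef", 16);  /* constructed input */
	before = vbuf_raw_terminated(&v);
	(void)vbuf_str(&v);
	after = vbuf_raw_terminated(&v);
	free(v.buf);
	return before == 0 && after == 1;
}
```

The fix described in the report is the second pattern: any code that hands the buffer to a string consumer (a printf %s, strlen, strcmp) must obtain the pointer from the terminating accessor, not from the raw field, because the appenders give no guarantee about the byte after the payload.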