-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 05 Mar 2010 22:25:05 +0100
Source: dpkg
Binary: dpkg dpkg-dev dselect
Architecture: source i386 all
Version: 1.14.29
Distribution: stable-security
Urgency: high
Maintainer: Dpkg Developers <debian-d...@lists.debian.org>
Changed-By: Raphael Hertzog <hert...@debian.org>
Description:
 dpkg - Debian package management system
 dpkg-dev - Debian package development tools
 dselect - Debian package management front-end
Changes:
 dpkg (1.14.29) stable-security; urgency=high
 .
   * Modify dpkg-source to error out when it would apply patches containing
     insecure paths (with "/../") and also error out when it would apply a
     patch through a symlink. Those checks are required as patch will happily
     modify files outside of the target directory and unpacking a source
     package should not be able to have any side-effect outside of the target
     directory. Fixes CVE-2010-0396.
   * Also error out when the quilt series contains a path with "/../" as this
     can cause patch to create files outside of the source package due to the
     -B .pc/$path option that it gets.
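As an added illustration (not dpkg's own code, which is Perl), a Python sketch of the three refusals the changelog describes: a patch target containing "..", a target reached through a symlink inside the unpack directory, and a quilt series entry containing "..". The sample patch, the series text and the unpack path are constructed; the path check rejects any ".." component, which is broader than the "/../" form the changelog names.

```python
import os

# Constructed sample patch (not from the advisory): the second file header
# names a path that escapes the unpack directory through "/../".
SAMPLE_PATCH = """\
--- a/debian/rules
+++ b/debian/rules
@@ -1 +1 @@
-old
+new
--- a/etc/../../../home/user/.profile
+++ b/etc/../../../home/user/.profile
@@ -0,0 +1 @@
+y
"""

def patch_targets(patch_text, strip=1):
    """Paths the patch writes to, minus `strip` leading parts (as patch -p1)."""
    return ["/".join(line.split()[1].split("/")[strip:])
            for line in patch_text.splitlines() if line.startswith("+++ ")]

def has_insecure_path(path):
    """Reject any '..' component, broader than the '/../' the fix names."""
    return ".." in path.split("/")

def goes_through_symlink(target_dir, rel_path, islink=os.path.islink):
    """True if a component of target_dir/rel_path is a symlink patch would follow."""
    current = target_dir
    for comp in rel_path.split("/"):
        current = os.path.join(current, comp)
        if islink(current):  # islink is injectable so the check runs offline
            return True
    return False

def check_patch(patch_text, target_dir, islink=os.path.islink):
    """(path, reason) for each target dpkg-source should refuse; [] is safe."""
    problems = []
    for path in patch_targets(patch_text):
        if has_insecure_path(path):
            problems.append((path, "insecure path"))
        elif goes_through_symlink(target_dir, path, islink):
            problems.append((path, "applied through symlink"))
    return problems

def check_series(series_text):
    """Quilt series entries with '..' are refused: they feed -B .pc/$path."""
    names = [line.split()[0] for line in series_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    return [name for name in names if has_insecure_path(name)]
```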
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Signed by Raphael Hertzog

-----END PGP SIGNATURE-----

Accepted:
dpkg-dev_1.14.29_all.deb
  to main/d/dpkg/dpkg-dev_1.14.29_all.deb
dpkg_1.14.29.dsc
  to main/d/dpkg/dpkg_1.14.29.dsc
dpkg_1.14.29.tar.gz
  to main/d/dpkg/dpkg_1.14.29.tar.gz
dpkg_1.14.29_i386.deb
  to main/d/dpkg/dpkg_1.14.29_i386.deb
dselect_1.14.29_i386.deb
  to main/d/dpkg/dselect_1.14.29_i386.deb

Archive: http://lists.debian.org/e1npdch-00006k...@ries.debian.org