Hi,

On Mon, 2014-04-28 at 22:35:57 +0200, Javier Serrano Polo wrote:
> Package: dpkg
> Version: 1.15.9
> Tags: security squeeze

> As far as I see, escaping file names was added to diffutils in 2012. The
> feature is not present in a squeeze environment. CVE-2014-0471 does not
> apply.
> 
> Directory traversal during unpack is possible now. I will wait one day
> before releasing an exploit package.

Oh, woah, right now I'm either guessing I mixed up my chroots when
initially checking the submitted test package, or had the files in /tmp
from a previous extraction, otherwise I cannot explain this blunder. :/
I've reproduced this now locally on a squeeze chroot with a test package.

In any case, squeeze could be affected by a partial upgrade of patch, so
the options I see are:

  1. Simply revert the patch, and ignore issues w/ partial upgrades (at
     least for now?).
  2. Revert the patch and add versioned dependencies against the working
     patch package. This might require some dist-upgrade tests, though.
  3. Fix the patch to take into account the old behaviour, by checking
     if either of the filenames (escaped and unescaped) are unsafe.

I guess the last one is the “safest option”. In any case I'd like
input from the security team (CCed just to make sure you get this),
and I'm very sorry guys about this. :(

I think I could have either option 1 or 3 ready for later today,
option 2 would require more consideration and testing.

Thanks,
Guillem
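As an added illustration of option 3 from the message above (this is example code written for this page, not code from the thread, from dpkg or from diffutils), the check below looks at each `---`/`+++` header of a unified diff and rejects the target if either the raw header name or its unescaped form is absolute or contains a `..` component. It assumes the quoting convention diffutils uses for unusual file names (a double-quoted name with C-style backslash escapes and three-digit octal escapes) and the usual `name<TAB>timestamp` header layout; the sample patch is constructed for the example.

```python
import re

# Backslash escapes used when a diff header quotes a file name (assumption
# for this example: the C-style set plus three-digit octal escapes, which is
# how diffutils quotes unusual bytes).
_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def unescape_diff_name(name):
    """Undo the quoting a diff header may apply to a file name.

    A quoted name is wrapped in double quotes and uses backslash escapes;
    an unquoted name is returned unchanged.
    """
    if len(name) < 2 or not (name.startswith('"') and name.endswith('"')):
        return name
    body, out, i = name[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            octal = re.match(r"[0-7]{1,3}", body[i + 1:])
            if octal:
                out.append(chr(int(octal.group(0), 8)))
                i += 1 + len(octal.group(0))
            else:
                out.append(_SIMPLE_ESCAPES.get(body[i + 1], body[i + 1]))
                i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def is_unsafe_path(path):
    """True if a patch target is absolute or climbs out of the unpack tree."""
    if path.startswith("/"):
        return True
    return any(comp == ".." for comp in path.split("/"))


def target_is_unsafe(header_name_raw):
    """Option 3 from the thread: the target is unsafe if EITHER the raw header
    name (what a quoting-unaware patch would use) OR its unescaped form (what a
    quoting-aware patch would use) is unsafe."""
    return (is_unsafe_path(header_name_raw)
            or is_unsafe_path(unescape_diff_name(header_name_raw)))


def header_name(line):
    """Extract the file name from a '--- ' or '+++ ' header line.

    Quoted names end at the closing unescaped quote; unquoted names end at
    the tab that precedes the optional timestamp.
    """
    rest = line[4:]
    if rest.startswith('"'):
        m = re.match(r'"(?:[^"\\]|\\.)*"', rest)
        return m.group(0) if m else rest
    return rest.split("\t", 1)[0].rstrip("\n")


def find_unsafe_targets(patch_text):
    """Scan a unified diff and return (line_number, raw_name) for every
    '---'/'+++' header whose target fails the dual check."""
    hits = []
    for n, line in enumerate(patch_text.splitlines(), 1):
        if line.startswith("--- ") or line.startswith("+++ "):
            name = header_name(line)
            if name == "/dev/null":
                continue
            if target_is_unsafe(name):
                hits.append((n, name))
    return hits


# Constructed sample patch (not from the bug report): a safe hunk, a hunk with
# a plain '..' component, and a hunk whose '..' is only visible after the
# octal escapes in the quoted name are decoded.
SAMPLE_PATCH = (
    "--- a/README\n"
    "+++ b/README\n"
    "@@ -1 +1 @@\n"
    "-old\n"
    "+new\n"
    "--- /dev/null\n"
    "+++ b/../outside.txt\n"
    "@@ -0,0 +1 @@\n"
    "+escaped the tree\n"
    "--- /dev/null\n"
    '+++ "b/\\056\\056/outside2.txt"\n'
    "@@ -0,0 +1 @@\n"
    "+also escaped\n"
)

if __name__ == "__main__":
    for n, name in find_unsafe_targets(SAMPLE_PATCH):
        print("line %d: unsafe patch target %s" % (n, name))
```

Running the block reports lines 7 and 11 of the sample; the third hunk is the case that motivates checking both forms, since a check on the raw header name alone sees no `..` component there.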
