Bug#737160: [uupdate] symlink directory traversal

2014-01-30 Thread Jakub Wilk
Package: devscripts
Version: 2.14.1
Tags: security

A malicious .orig.tar file can trick uupdate into patching files outside the source package directory. Proof of concept:

$ apt-get source -qq chewmail
gpgv: Signature made Tue Aug 15 08:10:17 2006 CEST using DSA key ID 16D970C6
gpgv: Can't che
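The mechanism behind the report, as an added example that is not part of the bug report or of devscripts: a constructed .orig.tar whose pkg-1.0/README is a symlink pointing outside the unpack directory, a write through that path (the effect of applying a patch there, simulated with a shell redirect rather than with patch(1)), and a pre-patch check that refuses a tree containing any symlink whose resolved target leaves it. The package name, the archive, the paths and the function names are all assumptions made here, not uupdate's code.

```shell
#!/bin/sh
# Added example, not from the bug report or devscripts: a symlink shipped inside
# an .orig.tar redirects a later write (the "patch" step) outside the unpacked
# tree, and a check run before patching rejects such trees. The package "pkg",
# the archive and the symlink target are constructed here for illustration.

# Print every symlink under DIR whose fully resolved target is not inside DIR.
# Dangling links are printed too: refuse rather than guess where they point.
list_escaping_symlinks() {
    tree=$(cd "$1" && pwd -P) || return 2
    find "$tree" -type l | while IFS= read -r link; do
        # readlink -f follows every component, so a link into a directory
        # that itself climbs out of the tree is caught as well.
        resolved=$(readlink -f "$link" 2>/dev/null || true)
        case "$resolved" in
            "$tree" | "$tree"/*) ;;   # stays inside the tree: fine
            *) printf '%s -> %s\n' "$link" "${resolved:-<unresolvable>}" ;;
        esac
    done
}

# Succeed (0) only when no escaping symlink exists: the guard to run on the
# extracted tree before patch is allowed to write into it.
tree_is_safe_to_patch() {
    [ -z "$(list_escaping_symlinks "$1")" ]
}

# Build a work directory holding outside/target (the victim file), a constructed
# pkg_1.0.orig.tar whose pkg-1.0/README is a symlink to that file, and the tree
# unpacked from it under unpack/. Prints the work directory.
build_malicious_unpack() {
    work=$(mktemp -d)
    mkdir -p "$work/outside" "$work/build/pkg-1.0" "$work/unpack"
    printf 'victim\n' > "$work/outside/target"
    # Seen from unpack/pkg-1.0/README, ../../outside/target leaves the tree.
    ln -s ../../outside/target "$work/build/pkg-1.0/README"
    (cd "$work/build" && tar -cf "$work/pkg_1.0.orig.tar" pkg-1.0)
    rm -rf "$work/build"
    tar -xf "$work/pkg_1.0.orig.tar" -C "$work/unpack"
    printf '%s\n' "$work"
}

# Unsafe sequence: unpack, then write into README the way patch would.
# The write lands in outside/target; prints that file's new contents.
naive_patch_result() {
    work=$(build_malicious_unpack)
    printf 'patched\n' > "$work/unpack/pkg-1.0/README"
    cat "$work/outside/target"
    rm -rf "$work"
}

# Guarded sequence: check the tree first and skip the write when it fails.
# Prints outside/target, which stays "victim".
guarded_patch_result() {
    work=$(build_malicious_unpack)
    if tree_is_safe_to_patch "$work/unpack/pkg-1.0"; then
        printf 'patched\n' > "$work/unpack/pkg-1.0/README"
    fi
    cat "$work/outside/target"
    rm -rf "$work"
}

# A tree whose only symlink stays inside it must still pass the check.
benign_tree_is_safe() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg-1.0/doc"
    printf 'hello\n' > "$work/pkg-1.0/README"
    ln -s ../README "$work/pkg-1.0/doc/README"
    if tree_is_safe_to_patch "$work/pkg-1.0"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

printf 'naive write: outside/target now contains "%s"\n' "$(naive_patch_result)"
printf 'guarded write: outside/target still contains "%s"\n' "$(guarded_patch_result)"
```

The check covers only the symlink escape the report is about, and it only helps when it runs on the already extracted tree and before any write into it; it says nothing about what the patch itself does once a tree has been accepted.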

Bug#737160: [uupdate] symlink directory traversal

2014-02-21 Thread James McCoy
On Thu, Jan 30, 2014 at 09:06:38PM +0100, Jakub Wilk wrote:
> A malicious .orig.tar file can trick uupdate into patching files
> outside the source package directory. Proof of concept:

Thanks for the report and PoC. Looking into it some, below is my understanding of the issue and concerns on fixi

Bug#737160: [uupdate] symlink directory traversal

2014-02-23 Thread Jakub Wilk
* James McCoy, 2014-02-21, 22:53:
>> A malicious .orig.tar file can trick uupdate into patching files
>> outside the source package directory. Proof of concept:
> Thanks for the report and PoC. Looking into it some, below is my understanding of the issue and concerns on fixing it. First, this is o

Bug#737160: [uupdate] symlink directory traversal

2014-04-28 Thread Jakub Wilk
* Jakub Wilk, 2014-02-23, 12:11:
> Perhaps a more viable way would be to construct a temporary new source package, and let dpkg-source deal with all the corner cases of unpacking it?

Now I realized that this won't work, because dpkg-source insists that patches apply without fuzz. So here's a