309633 – (CVE-2010-0396) <app-arch/dpkg-1.15.6.1: applies patches containing insecure paths - (CVE-2010-0396)

Bug 309633 (CVE-2010-0396) - <app-arch/dpkg-1.15.6.1: applies patches containing insecure paths - (CVE-2010-0396)

Summary: <app-arch/dpkg-1.15.6.1: applies patches containing insecure paths - (CVE-201...

Status:	RESOLVED WONTFIX

Alias:	CVE-2010-0396

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1? [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2010-03-15 19:20 UTC by Jeroen Roovers (RETIRED)
Modified:	2014-06-15 00:10 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2010-03-15 19:20:15 UTC

As stated in [1] (but I have no idea if and how this affects us):

   * Modify dpkg-source to error out when it would apply patches containing
     insecure paths (with "/../") and also error out when it would apply a
     patch through a symlink. Those checks are required as patch will happily
     modify files outside of the target directory and unpacking a source package
     should not be able to have any side-effect outside of the target
     directory. Fixes CVE-2010-0396.


The issue is fixed in both 1.14.29, which we no longer distribute, and 1.15.6, which will enter the tree shortly.


[1] http://packages.qa.debian.org/d/dpkg/news/20100315T110309Z.html (dpkg
    changelog)

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2010-03-19 17:32:21 UTC

1.15.6 is in the tree already.

Comment 2 Stefan Behte (RETIRED) gentoo-dev

2010-03-19 22:28:50 UTC

deb-tools: is it ok to go stable?

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2010-03-21 23:40:36 UTC

deb-tools == yvasilev and I so I don't see what's holding you back...

Comment 4 Alex Legler (RETIRED) archtester

2010-03-31 19:47:02 UTC

CVE-2010-0396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0396):
  Directory traversal vulnerability in the dpkg-source component in
  dpkg before 1.14.29 allows remote attackers to modify arbitrary files
  via a crafted Debian source archive.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2010-04-01 13:33:45 UTC

1.15.6.1 is good to go according to [1] whereas 1.15.6 is not.

Arch teams, please test and mark stable:
=app-arch/dpkg-1.15.6.1


[1] http://security-tracker.debian.org/tracker/CVE-2010-0396

Comment 6 Brent Baude (RETIRED) gentoo-dev

2010-04-02 13:32:25 UTC

ppc done

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2010-04-02 14:14:00 UTC

Stable for HPPA.

Comment 8 Andreas Schürch gentoo-dev

2010-04-02 17:30:22 UTC

Tests passed successfully on x86 also.

Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2010-04-03 15:20:31 UTC

x86 stable, thanks Andreas

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2010-04-04 18:51:35 UTC

alpha/arm/ia64/m68k/s390/sh/sparc stable

Comment 11 Markus Meier gentoo-dev

2010-04-15 21:07:05 UTC

amd64 stable

Comment 12 Mark Loeser (RETIRED) gentoo-dev

2010-10-23 22:32:41 UTC

ppc64 doesn't have a version that is marked as stable.

Comment 13 Tim Sammut (RETIRED) gentoo-dev

2011-01-02 04:06:11 UTC

Thanks, folks. GLSA request filed.

Comment 14 Chris Reffett (RETIRED) gentoo-dev

2014-06-15 00:10:50 UTC

Old. No GLSA.