| Summary: | <app-arch/dpkg-1.15.6.1: applies patches containing insecure paths - (CVE-2010-0396) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | normal | CC: | deb-tools+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B1? [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
1.15.6 is in the tree already. deb-tools: is it ok to go stable? deb-tools == yvasilev and I so I don't see what's holding you back... CVE-2010-0396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0396): Directory traversal vulnerability in the dpkg-source component in dpkg before 1.14.29 allows remote attackers to modify arbitrary files via a crafted Debian source archive. 1.15.6.1 is good to go according to [1] whereas 1.15.6 is not. Arch teams, please test and mark stable: =app-arch/dpkg-1.15.6.1 [1] http://security-tracker.debian.org/tracker/CVE-2010-0396 ppc done Stable for HPPA. Tests passed successfully on x86 also. x86 stable, thanks Andreas alpha/arm/ia64/m68k/s390/sh/sparc stable amd64 stable ppc64 doesn't have a version that is marked as stable. Thanks, folks. GLSA request filed. Old. No GLSA. |
As stated in [1] (but I have no idea if and how this affects us): * Modify dpkg-source to error out when it would apply patches containing insecure paths (with "/../") and also error out when it would apply a patch through a symlink. Those checks are required as patch will happily modify files outside of the target directory and unpacking a source package should not be able to have any side-effect outside of the target directory. Fixes CVE-2010-0396. The issue is fixed in both 1.14.29, which we no longer distribute, and 1.15.6, which will enter the tree shortly. [1] http://packages.qa.debian.org/d/dpkg/news/20100315T110309Z.html (dpkg changelog)