
Bug 309633 (CVE-2010-0396)

Summary: <app-arch/dpkg-1.15.6.1: applies patches containing insecure paths - (CVE-2010-0396)
Product: Gentoo Security
Reporter: Jeroen Roovers (RETIRED) <jer>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: normal
CC: deb-tools+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1? [noglsa]
Package list:
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2010-03-15 19:20:15 UTC
As stated in [1] (but I have no idea if and how this affects us):

   * Modify dpkg-source to error out when it would apply patches containing
     insecure paths (with "/../") and also error out when it would apply a
     patch through a symlink. Those checks are required as patch will happily
     modify files outside of the target directory and unpacking a source package
     should not be able to have any side-effect outside of the target
     directory. Fixes CVE-2010-0396.


The issue is fixed in both 1.14.29, which we no longer distribute, and 1.15.6, which will enter the tree shortly.


[1] http://packages.qa.debian.org/d/dpkg/news/20100315T110309Z.html (dpkg changelog)
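An added illustration of the kind of check the changelog entry above describes; this is not code from dpkg, Debian or this bug, and the function names, the sample diff and the temporary tree are constructed for the example. It walks a unified diff's file headers and refuses any target that, after `-p1` stripping, contains a `..` component, is absolute, or passes through a symlink inside the unpack directory.

```python
# Refuse patch targets that would let patch(1) write outside the unpacked
# tree: ".." components, absolute paths, and paths passing through a symlink.
import os
import tempfile
from pathlib import PurePosixPath

def target_problem(path, target_dir=None, level=1):
    """Reason a '---'/'+++' header path is unsafe, or None if it is fine."""
    if path == "/dev/null":               # creation/deletion marker, no target
        return None
    rel = "/".join(path.split("/")[level:])   # what `patch -p1` would use
    if not rel or rel.startswith("/"):
        return "absolute or empty target path"
    parts = PurePosixPath(rel).parts
    if ".." in parts:
        return "escapes the tree via '..'"
    if target_dir:                        # check every component, dir or file
        current = target_dir
        for part in parts:
            current = os.path.join(current, part)
            if os.path.islink(current):
                return "written through symlink " + os.path.relpath(current, target_dir)
    return None

def find_insecure_targets(diff_text, target_dir=None):
    """Return [(header_path, reason)] for every unsafe file header."""
    lines = diff_text.splitlines()
    findings = []
    for i in range(len(lines) - 1):
        # A file header is a '---' line directly followed by '+++' (a removed
        # content line starting with '-- ' is not one).
        if lines[i].startswith("--- ") and lines[i + 1].startswith("+++ "):
            for hdr in (lines[i], lines[i + 1]):
                path = hdr[4:].split("\t")[0]     # drop optional timestamp
                reason = target_problem(path, target_dir)
                if reason:
                    findings.append((path, reason))
    return findings

# Constructed sample: an honest hunk, one escaping via "..", one absolute.
SAMPLE_DIFF = (
    "--- a/debian/rules\n+++ b/debian/rules\n@@ -1 +1 @@\n-old\n+new\n"
    "--- a/../../outside.txt\n+++ b/../../outside.txt\n@@ -1 +1 @@\n-x\n+y\n"
    "--- /dev/null\n+++ b//tmp/outside.txt\n@@ -0,0 +1 @@\n+z\n"
)

def symlink_demo():
    # Constructed tree where 'docs' is a symlink leaving the tree.
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as other:
        os.symlink(other, os.path.join(tree, "docs"))
        return find_insecure_targets("--- a/docs/README\n+++ b/docs/README\n", tree)
```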
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-19 17:32:21 UTC
1.15.6 is in the tree already.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-19 22:28:50 UTC
deb-tools: is it ok to go stable?
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-21 23:40:36 UTC
deb-tools == yvasilev and I so I don't see what's holding you back...
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:47:02 UTC
CVE-2010-0396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0396):
  Directory traversal vulnerability in the dpkg-source component in
  dpkg before 1.14.29 allows remote attackers to modify arbitrary files
  via a crafted Debian source archive.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-01 13:33:45 UTC
1.15.6.1 is good to go according to [1] whereas 1.15.6 is not.

Arch teams, please test and mark stable:
=app-arch/dpkg-1.15.6.1


[1] http://security-tracker.debian.org/tracker/CVE-2010-0396
Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-04-02 13:32:25 UTC
ppc done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-02 14:14:00 UTC
Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2010-04-02 17:30:22 UTC
Tests passed successfully on x86 also.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-04-03 15:20:31 UTC
x86 stable, thanks Andreas
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-04-04 18:51:35 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Markus Meier gentoo-dev 2010-04-15 21:07:05 UTC
amd64 stable
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2010-10-23 22:32:41 UTC
ppc64 doesn't have a version that is marked as stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:06:11 UTC
Thanks, folks. GLSA request filed.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-15 00:10:50 UTC
Old. No GLSA.