| Field | Value |
|---|---|
| Summary: | sys-devel/patch, <app-arch/dpkg-1.15.8.8: directory traversal flaw allows for arbitrary file creation (CVE-2010-{1679,4651}) |
| Product: | Gentoo Security |
| Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | base-system, deb-tools+disabled |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=667529 |
| Whiteboard: | B2 [noglsa] |
| Package list: | |
| Runtime testing required: | --- |
Description

Paweł Hajdan, Jr. (RETIRED)

Changes: dpkg (1.15.8.8) unstable; urgency=low

[ Guillem Jover ]
* Truncate the output part file on "dpkg-split -s". Regression introduced with the C rewrite.

[ Updated man page translations ]
* Two typos fixed in French (Christian Perrier, thanks to Julien Valroff).

[ Raphaël Hertzog ]
* Fix multiple security issues with dpkg-source (CVE-2010-1679):
  - Enhance checks to catch maliciously crafted patches which could modify files outside of the unpacked source package.
  - Do not consider a top-level symlink like a directory when extracting a tarball.
  - Exclude .pc while extracting the upstream tarball in 3.0 (quilt) as patch blindly writes in that directory during unpack (and would follow any existing symlink).

(In reply to comment #0)
> I suggest rating this B2.

Agreed. Feel free to set the status whiteboard going forward; someone will ping you if they disagree. ;)

I believe CVE-2010-1679 is for dpkg, and according to http://www.openwall.com/lists/oss-security/2011/01/06/20, CVE-2010-4651 is for patch.

Arch teams, please test and mark stable: =app-arch/dpkg-1.15.8.8

Target KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Sadly there was a new unkeyworded src_test() dependency for alpha arm hppa ia64 ppc ppc64 and sparc: dev-perl/DateTime-Format-DateParse

Either mark that and its dependencies stable or mask the app-arch/dpkg[test] USE flag in your profiles.

amd64 ok

amd64 done. Thanks, Agostino.

x86 stable

ppc/ppc64 stable

Stable for HPPA. I think ARM and ALPHA are good too:

```
# ChangeLog for app-arch/dpkg
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/app-arch/dpkg/ChangeLog,v 1.149 2011/01/08 18:55:28 jer Exp $

  08 Jan 2011; Jeroen Roovers <jer@gentoo.org> dpkg-1.15.8.8.ebuild:
  Stable for HPPA (bug #350877).

  08 Jan 2011; Raúl Porcel <armin76@gentoo.org> dpkg-1.15.8.8.ebuild:
  alpha/arm/ia64/s390/sh/sparc stable wrt #350877
```

alpha/arm/ia64/m68k/s390/sh/sparc stable

A fixed app-arch/dpkg has been stabilized, but we are waiting on a fixed version of sys-devel/patch. Updating the status whiteboard to show that.

The Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=667529) now contains a patch for patch at https://bugzilla.redhat.com/attachment.cgi?id=476365.

sys-devel/patch upstream commit: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=685a78b6052f4df6eac6d625a545cfb54a6ac0e1

Unfortunately, they keep finding bugs in the new behavior, so I'm not really comfortable adding any patches to patch right now.

@maintainers: is there a fixed version in tree for patch now?

(In reply to Chris Reffett from comment #14)

I don't believe upstream has merged a fix for the issue.

By sec team decision, no GLSA for dpkg. Still waiting on patch.

The affected version has been out of tree for a while. Thank you all. Closing as noglsa.