Summary: | <app-arch/dpkg-1.17.9: dpkg-source: directory traversal during unpack (CVE-2014-0471) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://security-tracker.debian.org/tracker/CVE-2014-0471 | ||
See Also: | http://bugs.debian.org/746306 | ||
Whiteboard: | C3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 506100 |
Description
Jeroen Roovers (RETIRED)
2014-04-28 21:37:46 UTC
Arch teams, please test and mark stable:
=app-arch/dpkg-1.17.8
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

x86 stable

There was an upstream glitch in the Matrix.
Arch teams, please test and mark stable:
=app-arch/dpkg-1.17.9
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

arm stable

amd64 stable

??

ppc stable

ppc64 stable

ia64 stable

sparc stable

alpha stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

Looks like Arm was missed during stabilization, setting back to stable.

arm stable, all arches done.

CVE-2014-0471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0471): Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."

GLSA vote: no.

We have 3 other bugs in GLSA status that can be bundled with this, so YES.

No GLSA being issued for dpkg.