
Bug 567258 (CVE-2015-0860)

Summary: <app-arch/dpkg-1.17.26: stack overflows and out of bounds read (CVE-2015-0860)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1286011
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
CC: deb-tools+disabled

Description Agostino Sarubbo gentoo-dev 2015-12-01 13:43:35 UTC
From ${URL} :

Debian fixed the following flaw in dpkg:

Hanno Boeck discovered a stack-based buffer overflow in the dpkg-deb component of dpkg, the Debian 
package management system. This flaw could potentially lead to arbitrary code execution if a user 
or an automated system were tricked into processing a specially crafted Debian binary package 
(.deb) in the old style Debian binary package format.

Additional information:

https://lists.debian.org/debian-security-announce/2015/msg00312.html
http://seclists.org/oss-sec/2015/q4/389


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-02 14:22:42 UTC
Arch teams, please test and mark stable:
=app-arch/dpkg-1.17.26
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Agostino Sarubbo gentoo-dev 2015-12-03 10:08:06 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 06:45:35 UTC
Stable for HPPA.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 06:58:22 UTC
Stable for PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-07 11:41:31 UTC
ppc stable
Comment 6 Markus Meier gentoo-dev 2015-12-09 05:49:49 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:46 UTC
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-25 19:47:36 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-01-10 10:42:25 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-11 09:08:27 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:06:24 UTC
Arches and Maintainer(s), thank you for your work.

New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 11:02:24 UTC
This issue was resolved and addressed in GLSA 201612-07 at https://security.gentoo.org/glsa/201612-07 by GLSA coordinator Aaron Bauman (b-man).