"Correctly parse C-style diff filenames in Dpkg::Source::Patch, to avoid directory traversal attempts from hostile source packages when unpacking them. Reported by Jakub Wilk <jwilk@debian.org>. Fixes CVE-2014-0471."
Arch teams, please test and mark stable: =app-arch/dpkg-1.17.8
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
amd64 stable
x86 stable
There was an upstream glitch in the Matrix. Arch teams, please test and mark stable: =app-arch/dpkg-1.17.9
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
arm stable
??
ppc stable
ppc64 stable
ia64 stable
sparc stable
alpha stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Looks like Arm was missed during stabilization, setting back to stable.
arm stable, all arches done.
CVE-2014-0471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0471): Directory traversal vulnerability in the unpacking functionality in dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8 allows remote attackers to write arbitrary files via a crafted source package, related to "C-style filename quoting."
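The vulnerability class in the CVE summary above, shown as an added illustrative Python check. This is not dpkg's own Perl code from Dpkg::Source::Patch; the sample patch text, the unpack directory `/srv/unpack` and the function names are constructed for this example, and the `-p1`-style prefix stripping a real unpacker performs is left out. The point it demonstrates: a `---`/`+++` header filename may be C-style double-quoted (GNU diff quotes names containing spaces or other special characters), so the containment decision must be made on the decoded name, not on the raw header text.

```python
import posixpath

# Escapes accepted inside a C-style quoted diff filename.
_SIMPLE_ESCAPES = {
    '\\': '\\', '"': '"', 'n': '\n', 't': '\t', 'r': '\r',
    'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v',
}


def unquote_c_filename(field: str) -> str:
    """Decode a diff-header filename that may use C-style "..." quoting.

    Unquoted fields are returned unchanged. Backslash escapes and up to
    three-digit octal escapes (\\040 -> space) are decoded.
    """
    if len(field) < 2 or field[0] != '"' or field[-1] != '"':
        return field
    body = field[1:-1]
    out = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch != '\\':
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("dangling backslash in quoted filename")
        esc = body[i]
        if esc in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[esc])
            i += 1
        elif esc in '01234567':
            j = i
            while j < len(body) and j - i < 3 and body[j] in '01234567':
                j += 1
            out.append(chr(int(body[i:j], 8)))
            i = j
        else:
            raise ValueError(f"unknown escape \\{esc} in quoted filename")
    return ''.join(out)


def parse_header_filename(line: str) -> str:
    """Return the raw filename field of a '--- ' or '+++ ' header line.

    A quoted field runs to the closing unescaped quote; an unquoted field
    ends at the first tab (diff appends a tab and a timestamp there).
    """
    if not (line.startswith('--- ') or line.startswith('+++ ')):
        raise ValueError("not a diff file header")
    rest = line[4:].rstrip('\n')
    if rest.startswith('"'):
        i = 1
        while i < len(rest):
            if rest[i] == '\\':
                i += 2
                continue
            if rest[i] == '"':
                return rest[:i + 1]
            i += 1
        raise ValueError("unterminated quoted filename")
    return rest.split('\t', 1)[0]


def safe_target_path(unpack_dir: str, header_field: str) -> str:
    """Decode the header field, then confirm it stays under unpack_dir."""
    name = unquote_c_filename(header_field)
    if name == '/dev/null':
        # Conventional marker for file creation/deletion; never written to.
        return name
    if '\0' in name or '\n' in name:
        raise ValueError("control character in filename")
    if posixpath.isabs(name):
        raise ValueError("absolute path")
    if any(part == '..' for part in name.split('/')):
        raise ValueError("parent-directory component")
    base = posixpath.normpath(unpack_dir)
    full = posixpath.normpath(posixpath.join(base, name))
    if full != base and not full.startswith(base + '/'):
        raise ValueError("escapes unpack directory")
    return full


def audit_patch(unpack_dir: str, patch_text: str) -> list:
    """List (raw header field, verdict) for every file header in a patch."""
    results = []
    for line in patch_text.splitlines():
        if not (line.startswith('--- ') or line.startswith('+++ ')):
            continue
        field = parse_header_filename(line)
        try:
            results.append((field, 'ok:' + safe_target_path(unpack_dir, field)))
        except ValueError as exc:
            results.append((field, 'rejected:' + str(exc)))
    return results


# Constructed sample: a plain header, a quoted name with an escaped space,
# and a quoted name whose decoded form climbs out of the unpack directory.
SAMPLE_PATCH = "\n".join([
    "--- a/debian/rules\t2014-04-01 00:00:00 +0000",
    "+++ b/debian/rules\t2014-04-02 00:00:00 +0000",
    "@@ -1 +1 @@",
    "-old",
    "+new",
    '--- "a/docs/release\\040notes.txt"',
    '+++ "b/docs/release\\040notes.txt"',
    "@@ -0,0 +1 @@",
    "+hello",
    '--- "a/../../outside/file"',
    '+++ "b/../../outside/file"',
    "@@ -0,0 +1 @@",
    "+text",
])

if __name__ == '__main__':
    for field, verdict in audit_patch('/srv/unpack', SAMPLE_PATCH):
        print(f"{field:40} {verdict}")
```

The ordering matters: checking the raw field `"a/../../outside/file"` for a leading `..` or for the literal string would miss nothing here, but a name such as `"\056\056/outside"` decodes to `../outside` only after unquoting, which is why the containment test runs on the decoded name.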
GLSA vote: no.
We have 3 other bugs in GLSA status that can be bundled with this, so YES.
No GLSA being issued for dpkg.