Bug 645096 - <app-arch/dpkg-1.19.0.5: dpkg-deb --raw-extract: directory traversal via /DEBIAN symlink
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://tracker.debian.org/news/901826
Whiteboard: B3 [noglsa]
Reported: 2018-01-20 10:26 UTC by Jeroen Roovers (RETIRED)
Modified: 2018-04-09 00:28 UTC
Package list:
app-arch/dpkg-1.19.0.5
Runtime testing required: ---
slyfox: sanity-check+

Description Jeroen Roovers (RETIRED) gentoo-dev 2018-01-20 10:26:23 UTC
Changes:
 dpkg (1.19.0.5) unstable; urgency=medium
 .
   * Fix directory traversal with dpkg-deb --raw-extract, by guaranteeing
     that the DEBIAN pathname does not exist. Closes: #879982
     Reported by Jakub Wilk <jwilk@jwilk.net>.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-21 23:50:09 UTC
@ Arches,

please test and mark stable: =app-arch/dpkg-1.19.0.5
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-25 18:22:11 UTC
x86 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-28 07:55:27 UTC
commit d786e56f77d338b6599807ca7ef9f94dfaae4e32
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Feb 23 08:41:36 2018 +0100

    app-arch/dpkg: stable 1.19.0.5 for sparc, bug #645096
Comment 4 Agostino Sarubbo gentoo-dev 2018-02-28 09:10:21 UTC
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-28 20:59:58 UTC
commit 62e51ef7884ca7047db39c9de639dfcd94343821
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Fri Feb 23 13:55:28 2018 +0100

    app-arch/dpkg: Stable for HPPA too.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-28 21:49:41 UTC
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-04 16:25:15 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2018-03-13 17:52:10 UTC
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-23 00:03:41 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-30 17:28:34 UTC
ppc64 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2018-04-09 00:28:02 UTC
No PoC for ACE/RCE.  Downgraded.

GLSA Vote: No