Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 309633 (CVE-2010-0396) - <app-arch/dpkg- applies patches containing insecure paths - (CVE-2010-0396)
Summary: <app-arch/dpkg- applies patches containing insecure paths - (CVE-201...
Alias: CVE-2010-0396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1? [noglsa]
Depends on:
Reported: 2010-03-15 19:20 UTC by Jeroen Roovers (RETIRED)
Modified: 2014-06-15 00:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2010-03-15 19:20:15 UTC
As stated in [1] (but I have no idea if and how this affects us):

   * Modify dpkg-source to error out when it would apply patches containing
     insecure paths (with "/../") and also error out when it would apply a
     patch through a symlink. Those checks are required as patch will happily
     modify files outside of the target directory and unpacking a source package
     should not be able to have any side-effect outside of the target
     directory. Fixes CVE-2010-0396.

The issue is fixed in both 1.14.29, which we no longer distribute, and 1.15.6, which will enter the tree shortly.

[1] (dpkg
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-19 17:32:21 UTC
1.15.6 is in the tree already.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-19 22:28:50 UTC
deb-tools: is it ok to go stable?
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-21 23:40:36 UTC
deb-tools == yvasilev and I so I don't see what's holding you back...
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:47:02 UTC
CVE-2010-0396 (
  Directory traversal vulnerability in the dpkg-source component in
  dpkg before 1.14.29 allows remote attackers to modify arbitrary files
  via a crafted Debian source archive.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-01 13:33:45 UTC is good to go according to [1] whereas 1.15.6 is not.

Arch teams, please test and mark stable:

Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-04-02 13:32:25 UTC
ppc done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-04-02 14:14:00 UTC
Stable for HPPA.
Comment 8 Andreas Schürch gentoo-dev 2010-04-02 17:30:22 UTC
Tests passed successfully on x86 also.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-04-03 15:20:31 UTC
x86 stable, thanks Andreas
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-04-04 18:51:35 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Markus Meier gentoo-dev 2010-04-15 21:07:05 UTC
amd64 stable
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2010-10-23 22:32:41 UTC
ppc64 doesn't have a version that is marked as stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:06:11 UTC
Thanks, folks. GLSA request filed.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-15 00:10:50 UTC
Old. No GLSA.