Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 350877 (CVE-2010-1679) - sys-devel/patch, <app-arch/dpkg- directory traversal flaw allows for arbitrary file creation (CVE-2010-{1679,4651})
Summary: sys-devel/patch, <app-arch/dpkg- directory traversal flaw allows for...
Alias: CVE-2010-1679
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2011-01-06 20:12 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2015-12-31 06:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-06 20:12:02 UTC
Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian
package management system, doesn't correctly handle paths in patches of
source packages, which could make it traverse directories.
Raphaël Hertzog additionally discovered that symbolic links in the .pc
directory are followed, which could make it traverse directories too.

Both issues only affect source packages using the "3.0 quilt" format at

I suggest rating this B2.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-06 22:25:26 UTC
 dpkg ( unstable; urgency=low
   [ Guillem Jover ]
   * Truncate the output part file on “dpkg-split -s”. Regression introduced
     with the C rewrite.
   [ Updated man page translations ]
   * Two typos fixed in French (Christian Perrier, thanks to Julien
   [ Raphaël Hertzog ]
   * Fix multiple security issues with dpkg-source (CVE-2010-1679):
     - Enhance checks to catch maliciously crafted patches which could modify
       files outside of the unpacked source package.
     - Do not consider a top-level symlink like a directory when
       extracting a tarball.
     - Exclude .pc while extracting the upstream tarball in 3.0 (quilt)
       as patch blindly writes in that directory during unpack (and would
       follow any existing symlink).
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-01-07 06:03:53 UTC
(In reply to comment #0)
> I suggest rating this B2.

Agreed. Feel free to set the status whiteboard going forward; someone will ping you if they disagree. ;) 

I believe CVE-2010-1679 is for dpkg, and according to, CVE-2010-4651 is for patch.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-07 15:47:47 UTC
Arch teams, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Sadly there was a new unkeyworded src_test() dependency for alpha arm hppa ia64 ppc ppc64 and sparc:

Either mark that and its dependencies stable or mask the app-arch/dpkg[test] USE flag in your profiles.
Comment 4 Agostino Sarubbo gentoo-dev 2011-01-07 16:17:12 UTC
amd64 ok
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-01-07 17:52:24 UTC
amd64 done. Thanks Agostino
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-07 23:44:35 UTC
x86 stable
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-08 09:44:41 UTC
ppc/ppc64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-08 18:57:53 UTC
Stable for HPPA. I think ARM and ALPHA are good too:

# ChangeLog for app-arch/dpkg
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/app-arch/dpkg/ChangeLog,v 1.149 2011/01/08 18:55:28 jer Exp $

  08 Jan 2011; Jeroen Roovers <> dpkg-
  Stable for HPPA (bug #350877).

  08 Jan 2011; Raúl Porcel <> dpkg-
  alpha/arm/ia64/s390/sh/sparc stable wrt #350877
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-01-08 19:55:07 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 01:00:56 UTC
A fixed app-arch/dpkg has been stabilized, but we are waiting on a fixed version of sys-devel/patch.Updating the status whiteboard to show that.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-02-01 13:48:05 UTC
The Red Hat bug ( now contains a patch for patch at
Comment 12 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-04 21:04:12 UTC
sys-devel/patch upstream commit:
Comment 13 SpanKY gentoo-dev 2011-02-10 20:58:36 UTC
unfortunately, they keep finding bugs in the new behavior, so i'm not really comfortable adding any patches to patch right now.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 18:36:25 UTC
@maintainers: is there a fixed version in tree for patch now?
Comment 15 SpanKY gentoo-dev 2013-12-25 08:56:09 UTC
(In reply to Chris Reffett from comment #14)

i don't believe upstream has merged a fix for the issue
Comment 16 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-15 00:10:04 UTC
By sec team decision, no GLSA for dpkg. Still waiting on patch.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:20:14 UTC
The affected version has been out of tree for a while.
Thank you all. Closing as noglsa.