Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian
package management system, doesn't correctly handle paths in patches of
source packages, which could make it traverse directories.
Raphaël Hertzog additionally discovered that symbolic links in the .pc
directory are followed, which could make it traverse directories too.
Both issues only affect source packages using the "3.0 quilt" format at
I suggest rating this B2.
dpkg (220.127.116.11) unstable; urgency=low
[ Guillem Jover ]
* Truncate the output part file on “dpkg-split -s”. Regression introduced
with the C rewrite.
[ Updated man page translations ]
* Two typos fixed in French (Christian Perrier, thanks to Julien
[ Raphaël Hertzog ]
* Fix multiple security issues with dpkg-source (CVE-2010-1679):
- Enhance checks to catch maliciously crafted patches which could modify
files outside of the unpacked source package.
- Do not consider a top-level symlink like a directory when
extracting a tarball.
- Exclude .pc while extracting the upstream tarball in 3.0 (quilt)
as patch blindly writes in that directory during unpack (and would
follow any existing symlink).
(In reply to comment #0)
> I suggest rating this B2.
Agreed. Feel free to set the status whiteboard going forward; someone will ping you if they disagree. ;)
I believe CVE-2010-1679 is for dpkg, and according to http://www.openwall.com/lists/oss-security/2011/01/06/20, CVE-2010-4651 is for patch.
Arch teams, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Sadly there was a new unkeyworded src_test() dependency for alpha arm hppa ia64 ppc ppc64 and sparc:
Either mark that and its dependencies stable or mask the app-arch/dpkg[test] USE flag in your profiles.
amd64 done. Thanks Agostino
Stable for HPPA. I think ARM and ALPHA are good too:
# ChangeLog for app-arch/dpkg
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/app-arch/dpkg/ChangeLog,v 1.149 2011/01/08 18:55:28 jer Exp $
08 Jan 2011; Jeroen Roovers <email@example.com> dpkg-18.104.22.168.ebuild:
Stable for HPPA (bug #350877).
08 Jan 2011; Raúl Porcel <firstname.lastname@example.org> dpkg-22.214.171.124.ebuild:
alpha/arm/ia64/s390/sh/sparc stable wrt #350877
A fixed app-arch/dpkg has been stabilized, but we are waiting on a fixed version of sys-devel/patch.Updating the status whiteboard to show that.
The Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=667529) now contains a patch for patch at https://bugzilla.redhat.com/attachment.cgi?id=476365.
sys-devel/patch upstream commit: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=685a78b6052f4df6eac6d625a545cfb54a6ac0e1
unfortunately, they keep finding bugs in the new behavior, so i'm not really comfortable adding any patches to patch right now.
@maintainers: is there a fixed version in tree for patch now?
(In reply to Chris Reffett from comment #14)
i don't believe upstream has merged a fix for the issue
By sec team decision, no GLSA for dpkg. Still waiting on patch.
The affected version has been out of tree for a while.
Thank you all. Closing as noglsa.