512648 – (CVE-2014-3864) <app-arch/dpkg-1.17.10: multiple vulnerabilities (CVE-2014-{3864,3865})

Bug 512648 (CVE-2014-3864) - <app-arch/dpkg-1.17.10: multiple vulnerabilities (CVE-2014-{3864,3865})

Summary: <app-arch/dpkg-1.17.10: multiple vulnerabilities (CVE-2014-{3864,3865})

Status:	RESOLVED FIXED

Alias:	CVE-2014-3864

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-06-07 13:00 UTC by Jeroen Roovers (RETIRED)
Modified:	2014-06-17 17:52 UTC (History)
CC List:	1 user (show)

See Also:	http://bugs.debian.org/746498 http://bugs.debian.org/749183
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2014-06-07 13:00:04 UTC

dpkg-source: Directory traversal on unpack through missing --- header line
 https://security-tracker.debian.org/tracker/CVE-2014-3864
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746498

dpkg-source: Directory traversal on unpack through Index: pseudo-header
 https://security-tracker.debian.org/tracker/CVE-2014-3865
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749183

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev

2014-06-07 13:01:38 UTC

Arch teams, please test and mark stable:
=app-arch/dpkg-1.17.10
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2014-06-07 19:54:42 UTC

Stable for HPPA.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2014-06-08 00:52:17 UTC

CVE-2014-3865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3865):
  Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev
  1.3.0 allow remote attackers to modify files outside of the intended
  directories via a source package with a crafted Index: pseudo-header in
  conjunction with (1) missing --- and +++ header lines or (2) a +++ header
  line with a blank pathname.

CVE-2014-3864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3864):
  Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0 allows
  remote attackers to modify files outside of the intended directories via a
  crafted source package that lacks a --- header line.

Comment 4 Agostino Sarubbo gentoo-dev

2014-06-08 09:39:09 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2014-06-08 10:32:54 UTC

alpha stable

Comment 6 Agostino Sarubbo gentoo-dev

2014-06-08 10:35:48 UTC

arm stable

Comment 7 Agostino Sarubbo gentoo-dev

2014-06-08 10:42:13 UTC

ia64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2014-06-08 10:45:50 UTC

ppc64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2014-06-08 10:49:11 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2014-06-08 10:51:46 UTC

sparc stable

Comment 11 Agostino Sarubbo gentoo-dev

2014-06-08 10:55:46 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 12 Yury German Gentoo Infrastructure

2014-06-17 17:52:56 UTC

Maintainer(s), Thank you for cleanup!

Noglsa - All current dpkg bugs are not serious enough for glsa.