dpkg-source: Directory traversal on unpack through Index: pseudo-header

Related Vulnerabilities: CVE-2014-3865   CVE-2014-3864   CVE-2014-0471   CVE-2014-3127  

Debian Bug report logs - #749183


Reported by: Guillem Jover <guillem@debian.org>

Date: Sat, 24 May 2014 22:57:02 UTC

Severity: important

Tags: security

Found in version 1.3.0

Fixed in versions dpkg/1.17.10, dpkg/1.16.15, dpkg/1.15.11

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#749183; Package dpkg-dev. (Sat, 24 May 2014 22:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sat, 24 May 2014 22:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: submit@bugs.debian.org
Subject: dpkg-source: Directory traversal through Index: pseudo-header
Date: Sun, 25 May 2014 00:52:56 +0200
Package: dpkg-dev
Version: 1.3.0
Severity: important
Tags: security

Hi!

The Dpkg::Source::Patch module does not properly parse and validate
patches, and lets doctored patches through that:

  * use an «Index:» pseudo-header with a pathname that does a directory
    traversal, and
  * have either
    - no «--- » and «+++ » header lines, or
    - have only a «+++ » with an empty pathname.

For example:

,--- exploit.patch ---
Index: index/symlink/index-file
@@ -0,0 +1,1 @@
+Escaped
`---

or

,--- exploit.patch ---
Index: index/symlink/index-file
+++ 
@@ -0,0 +1,1 @@
+Escaped
`---

where «symlink» is a symbolic link in the source root directory allowing
the directory traversal.

The semantics on when to use which pathname here [G] are slightly
different than what GNU patch does on POSIX mode [P], because we
explicitly disable POSIX mode on invocation.

  [G] Please refer to GNU patch 2.7.1 src/pch.c intuit_diff_type().
  [P] <http://pubs.opengroup.org/onlinepubs/9699919799/utilities/patch.html>

This should mainly affect unpacking source packages from untrusted
origins, so should not affect packages coming from the Debian archive
for example.

The version is the one when dpkg-source was introduced. The one
introducing the currently used patch parsing code was 1.13.9.

This is filed publicly now to ease the process of getting a CVE id,
patches for this and the other security issue have been created and
are pending for upload, once the id has been assigned.

Thanks,
Guillem
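As an added illustration (not code from this bug report or from dpkg's Perl module), the following Python model contrasts the two header scans the report and the maintainer's fix commit message further down this log describe: the old scan recognised a file section only on a «--- » line, so a patch that named its target only in Index: (or in an empty «+++ ») produced nothing to validate, while the fixed scan closes the section at the mandatory «@@ -» marker, resolves the pathname the way GNU patch does in non-POSIX mode («+++ »/«--- » first, Index: only as fallback) and then checks that the -p1-stripped path stays inside the source root even through a symlink. The sample patches, the pkg-1.0/symlink layout and the check_targets containment rule are constructed assumptions for the demonstration.

```python
import os
import re
import tempfile

# Constructed samples modelled on the two doctored patches in the report (pathname
# only in the Index: pseudo-header) plus an ordinary patch; paths are illustrative.
PATCH_INDEX_ONLY = "Index: index/symlink/index-file\n@@ -0,0 +1,1 @@\n+Escaped\n"
PATCH_EMPTY_PLUS = "Index: index/symlink/index-file\n+++ \n@@ -0,0 +1,1 @@\n+Escaped\n"
PATCH_NORMAL = "--- a/src/hello.c\n+++ b/src/hello.c\n@@ -1,1 +1,1 @@\n-old\n+new\n"
SAMPLES = {"index_only": PATCH_INDEX_ONLY, "empty_plus": PATCH_EMPTY_PLUS, "normal": PATCH_NORMAL}
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")


def _pathname(line):
    """Pathname from a «--- »/«+++ » line, dropping any timestamp after a tab."""
    return line[4:].split("\t")[0].strip()


def parse_headers_vulnerable(patch_text):
    """Pre-fix behaviour as the report describes it: a file section is only
    recognised on a «--- » line, so a patch carrying its pathname in Index:
    (or only in an empty «+++ ») yields no target and is never validated."""
    targets = []
    lines = patch_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("--- ") and i + 1 < len(lines) and lines[i + 1].startswith("+++ "):
            targets.append(_pathname(lines[i + 1]))
    return targets


def parse_headers_fixed(patch_text):
    """Post-fix behaviour: the section is closed at the mandatory «@@ -» marker,
    and the pathname is resolved as the report describes for GNU patch in
    non-POSIX mode: a non-empty «+++ »/«--- » name wins, else the Index: value."""
    targets = []
    index_name = old_name = new_name = None
    pending = False          # header lines seen, hunk marker not yet reached
    old_left = new_left = 0  # hunk body lines still to consume
    for line in patch_text.splitlines():
        if old_left > 0 or new_left > 0:
            # inside a hunk body: a removed line such as "-- x" must not be read as a header
            if line.startswith(" "):
                old_left -= 1
                new_left -= 1
            elif line.startswith("-"):
                old_left -= 1
            elif line.startswith("+"):
                new_left -= 1
            continue
        m = HUNK_RE.match(line)
        if m:
            if pending:
                targets.append(new_name or old_name or index_name)
                pending, index_name, old_name, new_name = False, None, None, None
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line.startswith("Index: "):
            index_name, pending = line[7:].strip(), True
        elif line.startswith("--- "):
            old_name, pending = _pathname(line), True
        elif line.startswith("+++ "):
            new_name, pending = _pathname(line), True
    return targets


def check_targets(targets, root, strip=1):
    """Containment check on each resolved pathname after -p<strip> stripping:
    reject missing/absolute/empty paths and paths whose parent directory
    resolves (symlinks followed) outside `root`. A constructed model, not
    the Perl module's own code."""
    real_root = os.path.realpath(root)
    results = []
    for target in targets:
        rel = "/".join((target or "").split("/")[strip:])
        if not target or target.startswith("/") or not rel:
            results.append((target, "reject: no usable pathname"))
            continue
        parent = os.path.realpath(os.path.join(real_root, os.path.dirname(rel)))
        if parent != real_root and not parent.startswith(real_root + os.sep):
            results.append((target, "reject: escapes source root via " + parent))
        else:
            results.append((target, "ok"))
    return results


def demo():
    """Throwaway source tree whose «symlink» entry points outside it, as in the
    report; returns both scanners' verdicts for each sample patch."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "pkg-1.0"), os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "symlink"))
        return {name: {"vulnerable": check_targets(parse_headers_vulnerable(text), root),
                       "fixed": check_targets(parse_headers_fixed(text), root)}
                for name, text in SAMPLES.items()}
```

For the two doctored samples the old scan returns an empty target list, which is exactly why nothing was validated; the fixed scan surfaces index/symlink/index-file and the containment check rejects it once the symlink is followed.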



Changed Bug title to 'dpkg-source: Directory traversal on unpack through Index: pseudo-header' from 'dpkg-source: Directory traversal through Index: pseudo-header' Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Sat, 24 May 2014 23:12:08 GMT) (full text, mbox, link).


Severity set to 'important' from 'normal' Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Sat, 24 May 2014 23:15:08 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Thu, 05 Jun 2014 19:36:13 GMT) (full text, mbox, link).


Message sent on to Guillem Jover <guillem@debian.org>:
Bug#749183. (Thu, 05 Jun 2014 19:36:23 GMT) (full text, mbox, link).


Message #14 received at 749183-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-submitter@bugs.debian.org
Subject: Bug#749183 marked as pending
Date: Thu, 05 Jun 2014 19:33:38 +0000
tag 749183 pending
thanks

Hello,

Bug #749183 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=5348cbc

---
commit 5348cbc981a65c3c9b05bb4d13553bda930c2d78
Author: Guillem Jover <guillem@debian.org>
Date:   Fri May 2 01:41:18 2014 +0200

    Dpkg::Source::Patch: Fix patch header parsing to avoid directory traversals
    
    The code parsing the patches was not taking into account that patches
    w/ partial or no pathname headers are still valid patches, and that
    they can specify the pathname in the Index: pseudo-header or in a
    single «+++ » pathname header, which allows doing directory traversal
    when unpacking source packages.
    
    The first vector is due to how the Index: pseudo-header is handled by
    patch. Its value gets used (on non-POSIX mode) only when both «+++ »
    and «--- » pathname headers do not provide a pathname, by either having
    an empty pathname or by the header being completely absent. The minimal
    fix for this is to just consider that we've parsed the header when we
    see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.
    
    The other vector is due to patches with only a «+++ » pathname header,
    which get skipped by the parser as it only checks for «--- » pathname
    header lines. The minimal fix for this is to also check for «+++ » when
    parsing the patch header. This is CVE-2014-3864 and #746498.
    
    The first issue is a superset of the second, and its fix is sufficient
    and covers and fixes too the second vector, as the «@@ -» marker is
    mandatory for a patch to be valid.
    
    An unspecified directory traversal vulnerability was initially reported
    in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no
    information had been provided, I independently found #749183 and what
    was supposed to be #746498, which was later on published.
    
    Fixes: CVE-2014-3864, CVE-2014-3865
    Closes: #746498, #749183

diff --git a/debian/changelog b/debian/changelog
index ba0c19f..80990a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -66,6 +66,13 @@ dpkg (1.17.10) UNRELEASED; urgency=low
     Thanks to Hleb Valoshka <375gnu@gmail.com>.
   * Add support for DragonFlyBSD to start-stop-daemon. Closes: #734452
     Based on a patch by Hleb Valoshka <375gnu@gmail.com>.
+  * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
+    traversal attempts from hostile source packages when unpacking them.
+    Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
+    directory traversal; meanwhile also independently found by me both
+    #749183 and what was supposed to be #746498, which was later on published
+    and ended up being just a subset of the other non-reported issue.
+    Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
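Review bot: The added entry's closing clause, "ended up being just a subset of the other non-reported issue", does not say which bug is the subset, while the commit message above states it plainly (the «+++ »-only vector of #746498 is covered by the Index: fix for #749183); suggest wording the changelog the same way, e.g. "#746498 (CVE-2014-3864) turned out to be a subset of #749183 (CVE-2014-3865)". Since this hunk touches only debian/changelog, the Dpkg::Source::Patch change and a regression test for the «@@ -» header handling should be confirmed present in the rest of the commit.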



Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Thu, 05 Jun 2014 19:51:53 GMT) (full text, mbox, link).


Notification sent to Guillem Jover <guillem@debian.org>:
Bug acknowledged by developer. (Thu, 05 Jun 2014 19:51:53 GMT) (full text, mbox, link).


Message #19 received at 749183-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-close@bugs.debian.org
Subject: Bug#749183: fixed in dpkg 1.17.10
Date: Thu, 05 Jun 2014 19:48:41 +0000
Source: dpkg
Source-Version: 1.17.10

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 05 Jun 2014 20:18:04 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.17.10
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 584233 731530 734452 746122 746498 746973 747148 747370 748012 748544 749044 749183 750105
Changes: 
 dpkg (1.17.10) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Use libtool to build the static libraries, which makes it possible to
     embed libcompat inside libdpkg, as required by some external programs
     linking against the latter. Closes: #746122
   * Fix word wrapping logic in dselect. Regression introduced in dpkg 1.17.3.
   * Fix possible out of bounds buffer read access in the error output on
     bogus ar member sizes.
   * Fix memory leaks in buffer_copy() on error conditions.
   * Test suite:
     - Improve C code coverage.
     - Add template test cases for most perl modules.
     - Add test cases for Dpkg::Deps OR relationships.
     - Add minimal test case for Dpkg::Source::Quilt.
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Fix non-security sensitive TOCTOU race in triggers database loading.
   * Fix non-security sensitive TOCTOU race in update-alternative alternative
     database loading.
   * Fix non-security sensitive TOCTOU race in update-alternative rename code.
   * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
     prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
     Closes: #731530
   * Move dpkg-architecture -L argument to the Commands --help output section.
   * Make dpkg-maintscript-helper print only once that we are moving a
     conffile, and not on every interim state transition. Closes: #747370
   * Do not use global match variables in perl code.
   * Man pages:
     - Attempt to clarify and improve wording of some strange or confused
       constructs. Reported by Helge Kreutzmann.
     - Expand Vcs-* field names into each supported field name in
       deb-src-control(5) to make it easier to search for them.
     - Change control.tar.gz reference to simply control.tar in deb(5).
     - Document in dpkg-deb(1) -Z option that bzip2 and lzma are deprecated.
     - Add notes in dpkg-gensymbols(1) about symbol backward-compatibility.
       Based on a patch by Bernhard R. Link <brlink@debian.org>.
       Closes: #746973
     - Document that dpkg-buildpackage(1) -j argument is optional.
     - Add current and deprecated media types to deb(5).
     - Document in dpkg(1) that --audit now does more than just searching for
       partially installed packages.
   * Add support for automatic parallel job selection in dpkg-buildpackage,
     matching currently active processors, when using -jauto. Closes: #748012
   * Perl modules:
     - Bump $VERSION for Dpkg::Patch, missed in 1.16.1.
     - Bump $VERSION for Dpkg::Deps, missed in 1.17.0.
     - Update and fix CHANGES POD sections for public modules.
     - Add missing Dpkg::Deps::Multiple profile_is_concerned() and
       reduce_profiles() methods, inherited by Dpkg::Deps::Union,
       Dpkg::Deps::AND and Dpkg::Deps::OR.
   * Do not mangle quilt series files with a missing newline on the last line.
     Closes: #584233
   * Quiesce tar warnings in cron job by redirecting stderr to /dev/null, as
     it seems --warning=none does not work correctly. Closes: #748544
   * Do not emit a trailing space from Dpkg::Control::Hash on a field's empty
     first line. Bump dpkg-dev Breaks on devscripts to 2.14.4, as previous
     versions expect a trailing space from dpkg-parsechangelog output.
     Based on a patch by Johannes Schauer <j.schauer@email.de>. Closes: #749044
   * Do not assume that sensible-editor is present on «dpkg-source --commit»,
     as that command is very Debian specific. Fallback to try VISUAL, EDITOR,
     or vi, if the previous commands are either unset or not found.
   * Use badusage() instead of ohshit() on dpkg --ignore-depends argument
     parsing errors.
   * Add per package dpkg --audit support.
   * Add support for DragonFlyBSD to ostable and triplettable.
     Thanks to Hleb Valoshka <375gnu@gmail.com>.
   * Add support for DragonFlyBSD to start-stop-daemon. Closes: #734452
     Based on a patch by Hleb Valoshka <375gnu@gmail.com>.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * Italian (Milo Casagrande). Closes: #750105
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
 .
   [ Raphaël Hertzog ]
   * Let dpkg-source unpack additional tarballs in a deterministic order.
     Thanks to Samuel Bronson for the report. Closes: #747148




Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Thu, 05 Jun 2014 21:57:08 GMT) (full text, mbox, link).


Message sent on to Guillem Jover <guillem@debian.org>:
Bug#749183. (Thu, 05 Jun 2014 21:57:25 GMT) (full text, mbox, link).


Message #24 received at 749183-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-submitter@bugs.debian.org
Subject: Bug#749183 marked as pending
Date: Thu, 05 Jun 2014 21:54:14 +0000
tag 749183 pending
thanks

Hello,

Bug #749183 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=7095952

---
commit 709595277b09eec1b4fc4b783a25d0dc02823ff1
Author: Guillem Jover <guillem@debian.org>
Date:   Fri May 2 01:41:18 2014 +0200

    Dpkg::Source::Patch: Fix patch header parsing to avoid directory traversals
    
    Cherry picked from commit 5348cbc981a65c3c9b05bb4d13553bda930c2d78.
    
    The code parsing the patches was not taking into account that patches
    w/ partial or no pathname headers are still valid patches, and that
    they can specify the pathname in the Index: pseudo-header or in a
    single «+++ » pathname header, which allows doing directory traversal
    when unpacking source packages.
    
    The first vector is due to how the Index: pseudo-header is handled by
    patch. Its value gets used (on non-POSIX mode) only when both «+++ »
    and «--- » pathname headers do not provide a pathname, by either having
    an empty pathname or by the header being completely absent. The minimal
    fix for this is to just consider that we've parsed the header when we
    see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.
    
    The other vector is due to patches with only a «+++ » pathname header,
    which get skipped by the parser as it only checks for «--- » pathname
    header lines. The minimal fix for this is to also check for «+++ » when
    parsing the patch header. This is CVE-2014-3864 and #746498.
    
    The first issue is a superset of the second, and its fix is sufficient
    and covers and fixes too the second vector, as the «@@ -» marker is
    mandatory for a patch to be valid.
    
    An unspecified directory traversal vulnerability was initially reported
    in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no
    information had been provided, I independently found #749183 and what
    was supposed to be #746498, which was later on published.
    
    Fixes: CVE-2014-3864, CVE-2014-3865
    Closes: #746498, #749183

diff --git a/debian/changelog b/debian/changelog
index cbbbf8d..94e53ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,13 @@ dpkg (1.16.15) UNRELEASED; urgency=low
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
+  * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
+    traversal attempts from hostile source packages when unpacking them.
+    Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
+    directory traversal; meanwhile also independently found by me both
+    #749183 and what was supposed to be #746498, which was later on published
+    and ended up being just a subset of the other non-reported issue.
+    Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
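Review bot: The hunk header still reads "dpkg (1.16.15) UNRELEASED; urgency=low", but the entry being added fixes CVE-2014-3864 and CVE-2014-3865 for a stable security update; the urgency should be raised to high in the same change so the header and the security entry agree. The existing "Test suite" item just above lists cases only for CVE-2014-0471 and CVE-2014-3127; a test case for the Index:/«+++ »-only header handling fixed here would belong next to them.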



Message sent on to Guillem Jover <guillem@debian.org>:
Bug#749183. (Thu, 05 Jun 2014 21:57:29 GMT) (full text, mbox, link).


Message #27 received at 749183-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-submitter@bugs.debian.org
Subject: Bug#749183 marked as pending
Date: Thu, 05 Jun 2014 21:54:40 +0000
tag 749183 pending
thanks

Hello,

Bug #749183 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=b171991

---
commit b1719917979ac339a610a27aef8de7f4dcf93887
Author: Guillem Jover <guillem@debian.org>
Date:   Fri May 2 01:41:18 2014 +0200

    Dpkg::Source::Patch: Fix patch header parsing to avoid directory traversals
    
    Cherry picked from commit 5348cbc981a65c3c9b05bb4d13553bda930c2d78.
    
    The code parsing the patches was not taking into account that patches
    w/ partial or no pathname headers are still valid patches, and that
    they can specify the pathname in the Index: pseudo-header or in a
    single «+++ » pathname header, which allows doing directory traversal
    when unpacking source packages.
    
    The first vector is due to how the Index: pseudo-header is handled by
    patch. Its value gets used (on non-POSIX mode) only when both «+++ »
    and «--- » pathname headers do not provide a pathname, by either having
    an empty pathname or by the header being completely absent. The minimal
    fix for this is to just consider that we've parsed the header when we
    see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.
    
    The other vector is due to patches with only a «+++ » pathname header,
    which get skipped by the parser as it only checks for «--- » pathname
    header lines. The minimal fix for this is to also check for «+++ » when
    parsing the patch header. This is CVE-2014-3864 and #746498.
    
    The first issue is a superset of the second, and its fix is sufficient
    and covers and fixes too the second vector, as the «@@ -» marker is
    mandatory for a patch to be valid.
    
    An unspecified directory traversal vulnerability was initially reported
    in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no
    information had been provided, I independently found #749183 and what
    was supposed to be #746498, which was later on published.
    
    Fixes: CVE-2014-3864, CVE-2014-3865
    Closes: #746498, #749183

diff --git a/debian/changelog b/debian/changelog
index 613b988..621875c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,13 @@ dpkg (1.15.11) UNRELEASED; urgency=low
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
+  * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
+    traversal attempts from hostile source packages when unpacking them.
+    Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
+    directory traversal; meanwhile also independently found by me both
+    #749183 and what was supposed to be #746498, which was later on published
+    and ended up being just a subset of the other non-reported issue.
+    Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 
  -- Guillem Jover <guillem@debian.org>  Fri, 02 May 2014 00:09:43 +0200
 
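Review bot: The 1.15.11 header still carries "urgency=low" for what is a security fix, and the "Test suite" item lists only the CVE-2014-0471 and CVE-2014-3127 cases with none for the new «@@ -» header handling. The entry is also inserted above an unchanged "-- Guillem Jover ... Fri, 02 May 2014" trailer, so that timestamp will need refreshing when the entry is finalised for upload.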



Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Sun, 15 Jun 2014 21:36:31 GMT) (full text, mbox, link).


Notification sent to Guillem Jover <guillem@debian.org>:
Bug acknowledged by developer. (Sun, 15 Jun 2014 21:36:31 GMT) (full text, mbox, link).


Message #32 received at 749183-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-close@bugs.debian.org
Subject: Bug#749183: fixed in dpkg 1.16.15
Date: Sun, 15 Jun 2014 21:33:14 +0000
Source: dpkg
Source-Version: 1.16.15

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 05 Jun 2014 22:24:36 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.15
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes: 
 dpkg (1.16.15) wheezy-security; urgency=high
 .
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183
 .
   [ Updated programs translations ]
   * Merge translated strings from master.
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated man page translations ]
   * Merge translated strings from master.
   * Unfuzzy or update trivial translations (Guillem Jover).




Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Tue, 17 Jun 2014 12:51:19 GMT) (full text, mbox, link).


Notification sent to Guillem Jover <guillem@debian.org>:
Bug acknowledged by developer. (Tue, 17 Jun 2014 12:51:19 GMT) (full text, mbox, link).


Message #37 received at 749183-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 749183-close@bugs.debian.org
Subject: Bug#749183: fixed in dpkg 1.15.11
Date: Tue, 17 Jun 2014 12:49:29 +0000
Source: dpkg
Source-Version: 1.15.11

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749183@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 05 Jun 2014 22:52:45 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.15.11
Distribution: squeeze-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 746498 749183
Changes: 
 dpkg (1.15.11) squeeze-security; urgency=high
 .
   [ Guillem Jover ]
   * Test suite:
     - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
     - Add test case for patch disabling hunks; not security sensitive.
   * Correctly parse patch headers in Dpkg::Source::Patch, to avoid directory
     traversal attempts from hostile source packages when unpacking them.
     Reported by Javier Serrano Polo <javier@jasp.net> as an unspecified
     directory traversal; meanwhile also independently found by me both
     #749183 and what was supposed to be #746498, which was later on published
     and ended up being just a subset of the other non-reported issue.
     Fixes CVE-2014-3864 and CVE-2014-3865. Closes: #746498, #749183




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jul 2014 07:34:29 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:57:56 2019; Machine Name: beach
